Sony, Hacked: It’s Not One Massive Breach – It’s More Than 50 Breaches in 15 Years

Cybersecurity_MerrillCollegeofJournalismEver try to follow an evolving story in which the cascade of trouble grew so big and moved so fast it was like trying to stay ahead of a pyroclastic flow?

That’s what it’s like keeping up with emerging reports about the massive cyber attack on Sony. (Granted, it’s nothing like the torture report, but Hollywood has a way of making the story spin harder when it’s about them.)

The second most ridiculous part of the Sony hack story is the way in which the entertainment industry has studiously avoided criticizing those most responsible for data security.

In late November, when the hacker(s) self-identified as “Guardians of Peace” made threats across Sony Pictures’ computer network before releasing digital film content, members of the entertainment industry were quick to revile pirates they believed were intent on stealing and distributing digital film content.

When reports emerged implicating North Korea as the alleged source of the hack, the industry backpedaled away from their outrage over piracy, mumbling instead about hackers.

The industry’s insiders shifted gears once again it was revealed that Sony’s passwords were in a password-protected file, and the password to this file was ‘password.

At this juncture you’d think Sony’s employees and contractors – whose Social Security numbers, addresses, emails, and other sensitive information had been exposed – would demand a corporate-wide purge of IT department and Sony executives.

You’d think that anyone affiliated with Sony, whose past and future business dealings might also be exposed would similarly demand expulsion of the incompetents who couldn’t find OPSEC if it was tattooed on their asses. Or perhaps investors and analysts would descend upon the corporation with pitchforks and torches, demanding heads on pikes because of teh stoopid.


Instead the industry has been tsk-tsking about the massive breach, all the while rummaging through the equivalent of Sony Pictures’ wide-open lingerie drawer, looking for industry intelligence. Reporting by entertainment industry news outlets has focused almost solely on the content of emails between executives.

But the first most ridiculous part of this massive assault on Sony is that Sony has been hacked more than 50 times in the last 15 years.

Yes. That’s More Than Fifty.

Inside Fifteen Years.

Granted, this is not just Sony’s film studio business, but Sony Corporation, the Japanese conglomerate which includes Sony Pictures Entertainment, and Sony Computer Entertainment (the parent of PlayStation products). The cyber attacks have focused on these two entities, more so than Sony’s manufacturing and finance subsidiaries. But one would think that management at the top of the holding company structure would eventually demand ALL subsidiaries institute a baseline cyber security overhaul.

The first hack was in 1999, when a Sony website was defaced. This was a recurring theme for several years – 52 times websites across the Sony Group were defaced, between 1999 and early 2011.

Two times during the same period, Sony Computer Entertainment’s PlayStation PS3 games or accounts were hacked; customer credit card numbers were compromised, and SonyRewards program was breached – that’s a total of 56 attacks inside twelve years.

The attacks exploded after the first quarter of 2011, amounting to a total of 21 in that banner year alone. The worst attack in terms of scale affected 77 million PlayStation Network (PSN) users’ accounts. It was only the first multi-million account breach in 2011, however, and PSN was offline for 24 days due to another attack.

Though far fewer in number, cyber attacks since 2011 have been costly to Sony subsidiaries. The entire catalog of Michael Jackson’s songs was stolen sometime in 2011, but acknowledged in March 2012. In November 2013, Sony PSN notices unusual activity and resets passwords for an unspecified number of PSN user accounts.

The massive cyber attack in November was not the only one this year. In August, a group calling themselves the “Lizard Squad” spawned a distributed denial of service focused on PSN; at the same time, a bomb threat had been called in, causing diversion of the plane on which Sony’s president of its online entertainment subsidiary was traveling.

In February 2014, credentials for one or more Sony Pictures Entertainment servers were obtained by hackers and used to upload malware. Sony did not disclose the attack to the public as the breach appears to have occurred in Brazil, where no law requires such a disclosure. This may have been the initial vector of infection and attack by the Guardians of Peace, culminating in the November data breach, though it is not clear based on the information available to date.

What is clear from Sony subsidiaries’ cyber security history is that Sony has a massive, holding company-wide problem with operations security, and the problem is deeply embedded in its culture if attacks have not been stemmed over the last 15 years.

It is also clear that the entertainment industry – beyond the disturbing attributes like racism and sexism revealed by materials exposed in Sony’s breached records – shares an equally troubled attitude toward operations security.

This seems particularly odd for an industry that relies on intellectual property and digital distribution. The industry may complain heartily about piracy, but they are not prepared to lock the doors against incursions, preferring instead to buy influence – through its trade association MPAA — with politicians and law enforcement rather than actually protect their creative works and their employees.

Reaction among the other major film studios has been tepid to altogether mute. One report said Twenty-First Century Fox was considering a request for employees to change their passwords.

(Oh, such bold leadership with aggressive implementation of heightened security efforts…)

But the proof is in the pudding. Hackmageddon’s aggregate reports of cyber attacks on major firms over the last handful of years reveals that of the major studios, only Warner Brothers and FOX were attacked a couple of times each, and the breaches were relatively small compared to the scale of 2011 aand 2014 attacks on Sony.

Putting aside the issue of lousy OPSEC, one might well ask why Sony? The theory that North Korea is behind this latest massive breach is split among the cyber security community. NK’s complaint filed with the United Nations about Sony’s scheduled release of the comedy, The Interview, poking fun at Kim Jong-un supplies a motive. But the complaint letter was filed in June, and the two known breaches from February and November this year don’t align well with that time frame. NK was cryptic in response to early questions about its responsibility; it later denied responsibility.

Some speculate the attack was cyber crime, intended to extort money out of the corporation based on the threat sent to executives on November 21st, before the hackers released Sony’s data. The demand read, “We’ve got great damage by Sony Pictures. The compensation for it, monetary compensation we want. Pay the damage, or Sony Pictures will be bombarded as a whole.”

A payout was not and is not feasible, as any sizable cash payout would necessarily require the sign-off of board of directors, and they in turn would be held accountable by shareholders. It’s simply not a logical, workable scenario.

It’s not impossible the breach was the work of hacktivists. Motives for such an attack are not clear, however. The messy clues to the hack’s origins fit more closely with reasons of vengeance, though any rationale beyond NK’s anger about The Interview is murky.

No matter the origins of the hack, the beneficiaries of the attack are the competing major studios. Sony Pictures’ ~11% share of the movie industry may fall if confidence in the studio does not improve. Investors shorting Sony may also benefit from a recent downturn in Sony’s ADR price.

The losers are the employees and larger creative community dependent upon Sony’s business. They deserved better protection that even simple changes to security would have afforded them.

And of course the public deserved better than the questionable testimony the president of Sony Network Entertainment International Tim Schaaf gave before Congress back in June 2011, after the enormous breaches of PSN’s users’ data that spring:

“Sony Network Entertainment and Sony Online Entertainment have always made concerted and substantial efforts to maintain and improve their data security systems.”


[graphic: Merrill College of Journalism via Flickr]

22 replies
      • Rayne says:

        I might not have bothered with Sony at all, but they are a publicly traded company (as an ADR in the US). This mess is large enough that it may shape future domestic and foreign policy for these reasons:

        — If North Korea is involved and targeted US business interests, this hack is open asymmetric warfare;
        — The hack violates the Computer Fraud and Abuse Act (Title 18 of the United States Code 1030a.2) as financial records were accessed; CFAA (Title 18 United States Code 1343) may also be pertinent with regard to the theft of content damaging Sony’s business. Securities and Exchange Act of 1934 may also have been violated if the financial information was used fraudulently;
        — As noted, Sony’s testimony before Congress said one thing, while reality of business practice was another. Did that testimony affect any subsequent lawmaking with regard to surveillance and law enforcement?

    • Rayne says:

      Cited it — scroll down to mention of MPAA in article.

      It’s troubling not only because of the collusion to influence and damage another corporation, but because this has become a standard practice in the US.

      Koch Bros also “bought” attorneys general, to influence enforcement/non-enforcement of energy-related laws.

      And this may have been the reason why the Bush administration shit-canned (7) US attorneys–they removed those who were least friendly to their policies, or to their base’s needs for lax law enforcement.

      • qweryous says:

        An egregious oversight on my part that I missed your link to that.
        Remembering some of the recent uses of the All Writs Act and then reading this at the NY Law Review brings up some of the the possible “gap filling” utility of a tool like the All Writs Act in corporate hands. .
        If a person or entity had helped write and then enact legislation, it might even have a good idea where the gaps were. Close cooperation with an attorney general or two might help obtain some sort of justice.

  1. dakine01 says:

    Guess it is cheaper to buy politicians to change the laws to punish people than to pay a reasonable wage to fix security problems on their own.

    One of the memes going around is wishing that pols wore their sponsor logos on their suits like race car drivers. The problem with that is we would know just how cheaply the pols can be bought. /Harrumph Harrumph

    • Rayne says:

      I was told back in 2006 that to obtain the attention of the average US Senator would take about $5K. “Buying” a state attorney general must be much cheaper. That’s a bargain compared to wiping an entire network-load of computers and implementing a robust enterprise-wide security system.

      But this is yet another example of the corruption in our so-called free market economy, benefiting special interests as they avoid doing the right thing.

  2. P J Evans says:

    Sony’s passwords were in a password-protected file, and the password to this file was ‘password.‘
    But the first most ridiculous part of this massive assault on Sony is that Sony has been hacked more than 50 times in the last 15 years.

    The first line: that should have gotten whoever is allegedly in charge of network security fired with prejudice.
    The second line: that should have gotten all the network security people fired, preferably after the second time.

    I wouldn’t be surprised to learn that the stuff was coming in as innocent-looking e-mails that someone was sure to open.

    • Rayne says:

      There were multiple injections, and yes, some did come in as innocuous emails.

      Probably doesn’t hurt here to remind readers NEVER open unexpected emails with attachments. Most of our readers are smart enough to know better, but there’s always one person who might need a reminder.

      I don’t even open emails from my kids with attachments unless they contain a passcode in the subject. We change passcodes regularly, and we share the renegotiated passcodes in person.

  3. Peterr says:

    Rayne, I think you’ve got the makings of a fine movie script here. You’d need to polish it up a bit before you made the rounds of Hollywood studios to try to get it made, but you could probably get your pick of both actors and techies who would love to be part of it.
    You also need a snappy working title. How about “Password: Password”?

    • wallace says:

      quote’Not just the long heitory of beiung hacked, sitting on the other hand is this:…”unquote

      Fuck. Just when you think you have a grasp on capitalism….along comes the same evidence Tolstoy profered.

      • jerryy says:

        What passes for modern day capitalism bears little resemblance to the themes offered up by Adam Smith in his satirical essay “The Wealth of Nations”.

    • Rayne says:

      Blowback. Gotta’ love it. Serves ’em right; wouldn’t be surprised if this was an extended revenge by Anonymous, which had gone after Sony between 2009-2011, and they simply used the same approach with a fresh spin.

      • jerryy says:

        I am quite hesitant to think Anonymous did this one, because of what has been released. This one has a lot of innocent bystander types of things being put out there which is not really A’s style.

        • Rayne says:

          There’s been a message from the “Guardians” offering to opt out individuals who email name/title before Christmas — might be a concession to the “innocent bystander” types.

          The entire hack doesn’t fit the MO, but persons ID’ing as Anon members did launch DDoS attacks in 2011 over a lawsuit — that year was particularly bad for Sony.

          Anon is not a monolith; could be a faction torqued off at Sony, could also be a group of NK-sympathetic Anons, too. Just not enough info of any consistency to suss out a pattern to make identity.

          Edit: I should point out two factors suggesting NK-sponsored actors are at work — the first sweeping release of data took place almost 5 months to the day from NK’s complaint letter to UN; the next sweeping release is threatened on Christmas Day, also the release day of film The Interview.

  4. FrankQ says:

    What do you think will happen to Sony when the Guardians of Peace give the corporation their Christmas Gift? Give your opinions at Twitter SonyXmasGift until 25December. Don’t know how much more damage could happen. Should be interesting from an educational perspective.

    • Rayne says:

      No idea what the Christmas present will look like, if/when delivered. They’ve cost Sony money indirectly; my guess is direct loss, or a secret so very bad it would utterly destroy Sony’s standing in the U.S. market.

      Loss of five movies is already pretty bad as it is.

Comments are closed.