
The breach at Sony Pictures is no longer just an IT issue

The full scope of the incident isn't clear, but the early fallout is nothing but bad news


I'm going to make a prediction.

The breach at Sony Pictures has nothing to do with North Korea, aside from the fact that the destructive malware believed to be present on Sony's network is similar to the malware used in South Korea in 2013 - an incident that was blamed on North Korea.

Furthermore, I predict there will be an insider aspect to Sony's breach. The first part of the attack on Sony centered on compromising records; once that was done, the attackers planted malware that was timed - based on the FBI memo - to activate just before Thanksgiving. The easiest way to accomplish this task - assuming I'm right - is by having someone on the inside with just enough access that everything looks normal with a passive glance at the logs.

The second part of the attack on Sony is the aftermath, including the financial burden of dealing with box office losses, employee issues, as well as any fines that are sure to be levied. Sony's just starting to enter this phase.

On Monday, GOP (Guardians of Peace), the group claiming responsibility for the attack on Sony, pushed 25GB worth of data into the public domain. They say this is only a fraction of the data they were able to compromise, suggesting to one media outlet that they were harvesting records for more than a year before making themselves known.

A year.

That's a long time when it comes to a data breach.

The thing is - this incident is no longer about IT or Information Security. This breach impacts every business unit at Sony and teaches an important lesson that stresses a major sticking point: any asset can be compromised.

Sony didn't just lose PII or financial records. Sony lost their business models and their revenue-generating assets. It's bad enough that employee records and financial data were compromised, but compounding that is the loss of sales and marketing plans – the core of their bottom line.

Worse, because yet-to-be-released movies were compromised and leaked to the Web, Sony has another significant loss to deal with. This loss not only impacts the bottom line, but also becomes a serious corporate issue, because they'll have to answer to the shareholders if the movies tank when actually released.

All last week, and over the weekend, I talked to various C-Levels who were watching the Sony news cycle. Discounting the North Korea rumors, most of them were interested in how this would impact overall operations.

In some cases, data breaches are expected, but once the sales funnels leaked to the public, followed by strategies, internal policies, and IP, Sony's problems became a serious sit-up-and-take-notice type of event.

Sony has their network back, but that's not the end of the situation. We're going to see the fallout from this incident last long into 2015.

To give a better idea of what was compromised at Sony, here's a brief overview of just some of the documents released this week:

There are more than 30,000 HR documents. Most of them are what you'd expect to see from HR, including rules and regulations, records of meetings and day-to-day management stuff, but there are also a number of highly sensitive records.

PII:

The HR documents contain personal and internal employee information including names, addresses, phone numbers, birthdays, Social Security Numbers, and email addresses.

There are also criminal background checks, offer letters (salary and job details), as well as records related to personnel reviews and opinions within HR. There are termination letters too; not many, but enough to learn that managing union and non-union employees can be a headache.

Financial:

The HR documents include a number of financial records, from accounting and expense reports, to wire transfer requests. Financial details include account and routing numbers, institution name, and employee name.

There are also records of promotion requests, salary requirements, salary caps, etc. Given the files, it looks as if a majority of the records related to payroll and compensation for FY14 / FY15, and some previous years, have been compromised and leaked.

Healthcare:

There are hundreds of healthcare forms within the collected HR documents. However, it isn't clear if these are enrollment only, or if PHI has been compromised as well. Sony has Business Associate Agreements with at least six different companies, so there's hope the group responsible for the attack didn't get access to PHI. If they did, it wasn't leaked on Monday.

(Sony falls under HIPAA, and has extensive training documentation enforcing the importance of protecting healthcare data.)

Active Global Employee:

There are several lists of employees with internal data among the documents downloaded. Depending on how current the records are, a social engineer has everything needed to launch an attack – especially when the HR templates are added to the equation.

This brief list doesn't even scratch the surface of the data published by GOP. Again, this is no longer an IT / Information Security issue; the entire company has been touched by this attack.

This is a chaotic nightmare. It's the worst possible outcome for an enterprise during a security event. (Yes Raf, I said it. You were right, I just waited a few days before reality kicked in.)

Think about it - any plans that were on the network for new business, existing business, staffing, talent, etc.: Sony has to assume those are all compromised, and if they were business critical, they'll need to be altered immediately.

How do you recover from something like this? I mean, truly recover? Is it even possible?

Chime in and share your thoughts below, or feel free to email me.
