Months before the hacker intrusion on Sony Pictures' network, analyst firm PricewaterhouseCoopers (PWC) performed an analysis on the company's security, and found it lacking. More than 100 devices were found to be unmonitored by corporate security following an incomplete transition from a private security firm to an in-house team. As a result, any Sony response to network intrusion would be, in the words of the auditors, "slow, fragmented, and incomplete, if it would even happen at all." However, corrective actions proposed by PWC seemingly went undone, which left the doors to the company open, sometimes literally, facilitating the attack.
Hackers thought to be operating out of North Korea, calling themselves the Guardians of Peace (GOP), took over and raided large portions of Sony Pictures' internal computer systems, and have been slowly releasing films, internal memos and emails, focus group studies and other material ranging from banal to sensitive for the studio. The group even posted sensitive financial and personal details of 47,000 employees, vendors, and actors who do or have worked for the company as far back as 1955. Last week, things took a turn for the sinister, when many employees whose information was leaked received a threatening email (though the GOP later denied they were behind that).
Sony had moved from a third party to in-house security teams in September 2013. The transition was anything but smooth, with the 100 devices cited by PWC not properly turned over to the staff. Most of the unmonitored, and unpatched, devices were web servers and managed routers.
The analyst firm warned Sony Pictures of the problem, saying that "security incidents impacting these network or infrastructure devices may not be detected or resolved [in a] timely [fashion]" on September 25. Ironically, the security evaluation was released in the hack group's last data dump.
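The handover gap PWC described is the kind of thing a simple inventory-versus-telemetry reconciliation catches. The script below is an added example, not code from the article, PWC or Sony; every hostname, owner label, timestamp and the SIEM "last event" view are constructed, and the seven-day staleness threshold is an assumed policy.

```python
"""Reconcile an asset inventory against monitoring coverage (added example).

Flags devices that are in the inventory but have no registered log source, or
whose last event is older than MAX_AGE. All data below is constructed.
"""
from datetime import datetime, timedelta

# Constructed asset inventory: hostname -> (device type, team currently responsible)
INVENTORY = {
    "web-01": ("web server", "in-house"),
    "web-02": ("web server", "vendor"),        # never handed over to in-house team
    "rtr-edge-1": ("managed router", "vendor"),
    "rtr-edge-2": ("managed router", "in-house"),
    "db-01": ("database", "in-house"),
}

# Constructed SIEM log-source view: hostname -> timestamp of the last event received
LAST_EVENT = {
    "web-01": datetime(2014, 9, 25, 8, 0),
    "rtr-edge-2": datetime(2014, 8, 1, 0, 0),  # agent still registered, but stale
    "db-01": datetime(2014, 9, 25, 7, 55),
}

AUDIT_TIME = datetime(2014, 9, 25, 9, 0)      # constructed point-in-time for the check
MAX_AGE = timedelta(days=7)                   # assumed policy: silence beyond this is a gap


def coverage_gaps(inventory, last_event, now=AUDIT_TIME, max_age=MAX_AGE):
    """Return {hostname: reason} for assets that are not effectively monitored."""
    gaps = {}
    for host, (kind, owner) in inventory.items():
        seen = last_event.get(host)
        if seen is None:
            gaps[host] = f"{kind}: no log source registered (owner: {owner})"
        elif now - seen > max_age:
            gaps[host] = f"{kind}: last event {(now - seen).days} days ago (owner: {owner})"
    return gaps


def summarize(gaps):
    """Count gaps per device type, to show which classes were left behind in a handover."""
    counts = {}
    for reason in gaps.values():
        kind = reason.split(":")[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = coverage_gaps(INVENTORY, LAST_EVENT)
    for host, why in sorted(found.items()):
        print(f"UNMONITORED {host}: {why}")
    print(summarize(found))
```

Running the same reconciliation on a schedule, and treating a silent-but-registered device the same as an unregistered one, turns "we think everything was handed over" into a list someone has to close out.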
Ex-employees confirm the lackadaisical attitude toward Internet security. One employee reported to Fusion that "one of our Central European website managers hired a company to run a contest, put it up on the TV network's website and was collecting personally-identifying information without encrypting it. A hack of our file server about a year ago turned out to be another employee in Europe who left himself logged into the network in a cafe."
Security firm Mandiant was hired to assess the damage and scope of the penetration by the GOP hacking group. Mandiant CEO Kevin Mandia told Sony Pictures that "the scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public. The bottom line is that this was an unparalleled and well-planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared."
Corrective actions as a result of PWC's analysis were promised to be completed by October 31, 2014. There is no evidence that anything was actually completed by the in-house security team. Despite Mandiant's assurances to Sony that nobody could have been prepared for the attack, it is clear that Sony failed to perform even the most basic due diligence to prevent the breach.
Another former employee says that corporate culture is the root cause of the security lapses. He noted that the real problem with Sony Pictures' network security was "there was no real investment in, or real understanding of what information security is," pointing to the vast amount of sensitive data gleaned by the hackers that was stored unencrypted. Employees of Sony Pictures for the last 15 years were listed in the leaked documents. Sony's offer of credit monitoring and identity theft protection does not extend to former employees at this time.
The GOP is spreading word of a "Christmas gift" release of more data. A PasteBin post claims to contain "larger quantities of data" saying that "it will be more interesting. The gift will surely give you much more pleasure and put Sony Pictures into the worst state." The GOP claims that employees can "opt out" of the upcoming data release that may involve them, but they have to email the group to make this happen.
Photo caption: Angelina Jolie with Sony Pictures' Amy Pascal last week, after unflattering emails were leaked by the GOP.