A lot has changed since 2011 when it comes to cyber-security. There have been a host of new threats (from both inside and outside sources) along with new methods and technologies to combat them. One thing that hasn’t changed: hackers are still targeting Sony.
In 2011, their PlayStation ecosystem suffered one of the worst breaches in history, in which the information from 77 million customer accounts was stolen, resulting in a month-long outage. It was unprecedented at the time – and it appears as though history might be repeating itself.
Multiple outlets are now reporting that Sony Pictures has been hacked, blackmailed and brought to a virtual standstill by a group identifying itself as #GOP – Guardians of Peace. Yesterday, employees of the company encountered a bizarre message (a list of demands, actually) on their screens when they attempted to log in. The Verge reports:
…computers at the company have been completely unresponsive, showing a glowering CGI skeleton, a series of URL addresses, and a threatening message from a hacker group that identifies itself as #GOP. Dozens of Sony Twitter accounts were also commandeered to tweet out similar messages, although Sony seems to have regained control of those accounts.
While it remains unclear as to how they hacked the company (to most people anyway, more on this in a minute), reports have confirmed that the group obtained a number of “sensitive” documents in a .zip file. The report continues:
The documents named in the .zip file are widely varied, suggesting the attackers pulled the full contents of an employee server. Dozens of podcast mp3 files are named alongside potentially sensitive records and password files, the latter of which would explain how the group was able to commandeer so many Twitter accounts at once.
It’s speculation on our part, but it seems almost guaranteed that we are looking at a user-based attack, where the credentials of a Sony employee (or maybe even a contractor) – with access to a number of sensitive business files – were obtained by an outsider, perhaps through a weak password or a social engineering ploy.
Sony is currently (and obviously) investigating the matter, but very few details have emerged thus far. Until they do, here are a few items every security-minded company should note:
- Defining Sensitive Files: Is the data stolen from Sony subject to HIPAA, PCI or some other government regulation? Not likely. Thus, it’s important to remember that just because data isn’t subject to these requirements, that doesn’t mean it shouldn’t be considered highly sensitive. Any type of data – emails, business plans, movie scripts, etc. – can become the target of hackers.
- Third Party Discovery: Unlike this instance, most companies never learn about a data breach, or learn about it months after the criminals first enter. It’s only in rare cases that the hackers themselves are the ones to bring it to light (via blackmail). It’s important for every company to make sure that if a breach happens, they are the first ones to know about it.
- IT Forensics: This is obviously a legal matter now, but it’s safe to say that the police will have little luck gathering evidence. They have neither the time nor the expertise. We hope that Sony – like our customers – has a system in place to quickly identify what actions were taken, when and by whom.
We’ll be keeping a close eye on this story going forward, and like Sony, we hope that this matter is resolved quickly!
In 2015, the biggest security risk to your company will be your users. Understanding this risk and making sure your security solutions are equipped to meet it will be vitally important. If you are looking to improve how your company meets user-based threats, check out an EMA report: Mitigating User-Based Risks.