Here’s what we know. Earlier this month, hackers known as the Guardians of Peace breached Sony Pictures Entertainment’s network, gaining unprecedented access to essentially everything. They took emails between studio executives; salary information for employees and actors; scripts for upcoming movies; PII and performance review data on Sony employees; and digital copies of movies yet to be released.

The attackers may have been state sponsored, from North Korea or China, hacking Sony in response to the movie ‘The Interview’, due to be released later this month. The film is a comedy about an assassination attempt on the North Korean leader Kim Jong-Un, so it is completely believable that North Korea would take exception to it, but the apparent link could also be a ruse designed to shift focus to an obvious perpetrator.

What happened?

The story is still coming together, and much of what we know has not been confirmed, but it seems that the hackers gained access to Sony Entertainment’s network late last month or early this month. Some reports indicate that the original data stored on Sony systems was destroyed, but that has not been confirmed.

Who did it?

Based on the obvious tie-in to ‘The Interview’, many are speculating that state-sponsored hackers from North Korea, or perhaps operating out of China, are responsible, but that has not been substantiated at all, and many security experts question it. The sophistication of the attack, the apparent inside knowledge used to perpetrate it, and references to layoffs from last year make it at least plausible that former employees were involved. The FBI is investigating.

How does this impact Sony?

Whoever the hackers are, and whatever their motivations, Sony has some pretty significant problems. Sony was already rocked a few years ago by a hack into the Sony PlayStation Network that compromised information on tens of thousands of its customers; this attack clearly shows that the perpetrators gained full control of Sony’s network. But that is only the tip of the iceberg.

Terroristic threats against the theatre set to premiere the movie, as well as more general threats against any theatre playing the movie, have led some of the major US cinema chains to decide not to carry the movie at all. US moviegoers are talking about avoiding movie theatres out of an abundance of caution. Sony had indicated that individual theatres could choose whether or not to show ‘The Interview’, but the New York Times said that Sony has cancelled the release of ‘The Interview’. Whether the movie will be shown on big screens, or even released to DVD, is still up in the air.

There are reports that the internal networks within Sony Entertainment were down for days. Data was destroyed, and users’ systems were displaying threatening messages. In at least one case, a threatening message mentioned the September 11, 2001 terrorist attacks against the United States. That threat is anything but veiled.

But wait, there’s more

Hacks against companies are not exactly unprecedented. We already know that personal emails discussing Hollywood stars have been released, as well as financial data on executives that calls into question whether Sony pays equitably or has a bias towards gender or race. When PII is compromised in a breach, it unfortunately usually belongs to customers rather than employees.

But in the Sony attack, the Guardians of Peace have not only promised to release significant and damaging information on Christmas Day, they have apparently also made further demands of Sony which have yet to be made public but which must be met by Christmas Day, or Sony will face worse consequences and more data will be released.

The attackers are specifically inviting Sony employees to email them with their name and title if they don’t want to be included in whatever data is yet to be released. That has to leave Sony employees very worried about what was taken, and wondering how this could happen. At least two Sony employees have already filed lawsuits against their employer for failing to protect their personal data, including social security numbers. Employees have to wonder just what was on Sony’s servers that could lead to credit fraud, identity theft, and worse. Most employers hold within their HR systems everything anyone would need to commit identity theft, and it is fair to say that this is the same for the employees of Sony Entertainment.

The loss of revenues from the cancellation of ‘The Interview’ must hurt, but the loss of confidence from employees must hurt more. Employees should be able to trust their employers to safeguard their information, and in this case, it appears Sony failed to do this. Sony is not helping itself either, by threatening both arrests and lawsuits against journalists and security professionals investigating the hack and accessing what stolen data has already been posted online.

What happens next?

That remains to be seen. This is a developing story, and much can happen as we approach the Christmas deadline set by the hackers for Sony to meet their demands. Security experts, sysadmins and the public will all be watching as the story unfolds. What they won’t be watching is a Christmas Day blockbuster that Sony had to be banking on to close the year strongly.

What are the lessons learned here?

There are many that we can glean, even with the lack of information or disclosure by Sony. First, intrusion detection is key. Segregation of critical data from Internet-connected networks, encryption of email databases and encryption of sensitive emails could also reduce data leakage. Protecting employees should have been Sony’s first response: providing credit monitoring to all employees immediately, rather than going after journalists, would not only have been the right thing to do, it would have preserved some of the trust employees had in their employer.

When attackers go after a company’s network, it is unfortunately a far too frequent cost of doing business in an Internet-connected world. When they go after a company’s employees, it’s personal, and companies have a responsibility to protect their employees’ PII, and to respond appropriately and immediately when anything threatens them.