Sony brass might be licking their wounds today, or trying keep their blood from boiling, after reading Fortune’s new cover story about last year’s cyber attacks. The magazine published a lengthy piece by Peter Elkind — which includes material from private emails stolen and made public by cyber attackers –that surmises that Sony was so focused on cost cutting that it “failed to employ several basic safeguards” to protect its network and “didn’t put up much of a fight” once hackers breached its system. Sony Pictures execs and others also neglected warnings that a fictional depiction of an assassination of North Korean leader Kim Jong-un in the studio’s comedy The Interview might invite a hack attack.
Fortune also paints an unflattering picture of Sony Pictures, describing it as “a deeply unhappy place, beset by pressures over disappointing profits, cost cutting and layoffs, the scorn of an activist investor, and tribal infighting.” The article doesn’t really break that much ground, and claims moral high ground for its liberal usage of correspondence from cyber-terrorists by stating it is providing a cautionary tale for the rest of corporate America which either hasn’t been hacked or doesn’t know it has. Elkind acknowledges that there was “no way to know” whether Sony could have stopped the attacks, but writes the corporation “had ample reason to have bolstered its defenses” following multiple previous attacks that made the company “a virtual pinata for cyberassailants.”
He added that the unprecedented hack and its fallout offered “lessons [that] apply to every company….This one hit home because it showed how attackers could steal even executives’ most precious secrets — and bring a company to its knees.”
Sony told Fortune that the suggestion that it “should have been able to defend itself against this attack is deeply flawed and ignores essential findings and comments made by the FBI and [Sony’s cybersecurity consultant] Kevin Mandia—the two parties most knowledgeable of the nation state threat and the evidence in this investigation.”
Sony had sought to fortify its protections after 2011 when hackers hit its PlayStation Network — disclosing millions of users’ personal information including credit card numbers. CEO Kaz Hirai apologized, and the company hired former Department of Homeland Security cybersecurity chief Philip Reitinger to tighten things up. But execs were “more afraid of the costs than the risks,” according to Fortune. Sony’s Information Security SVP Jason Spaltro is quoted as saying that he “will not invest $10 million to avoid a possible $1 million loss.” And when the company tried to limit email storage to two years from seven, the magazine says, “howls of protest erupted at the studio.” Reitinger left in mid 2014.
Sony told Fortune that its experts “gave no hint or warning of the possibility of a cyberattack” tied to The Interview. That is similar to what Deadline was told last December when we investigated assertions that Sony, not considering IT to be an important revenue generator, cut manpower several times. That left disgruntled former employees who could have helped hackers either by offering inside knowledge, or by leaving open a back door, while Sony outsourced some of its IT operations.
Elkind quotes one of the experts who the studio consulted, Rand Corp. North Korea specialist Bruce Bennett, saying that he indicated it was “a possibility.” Rich Klein, a Washington-based consultant who helps Hollywood with “sticky geopolitical problems,” says he told filmmakers Seth Rogen and Evan Goldberg that “everybody involved in this had to protect themselves—the studio and the filmmakers.” He added that it was “surprising to me that there wasn’t a more robust sense of alarm and caution.”
The magazine states that when hackers first breached Sony’s systems in September, they “roamed freely” through Sony Pictures computers, finding a treasure trove of confidential and potentially embarrassing information. The studio “didn’t segregate or provide extra security for even its most precious secrets.” Unencrypted emails were used “for long-term storage of business records, contracts, and documents saved in case of litigation.” Among the unprotected documents were spreadsheets with titles such as “Computer Passwords” that included IT administrators’ user names and passwords.
Attackers ultimately erased nearly half of Sony’s personal computers and more than half of its servers — and destroyed their start-up software. Sony mouthpieces disputed some of the magazine’s assertions that it could have done more to prevent the breach.