After hackers leaked a trove of purportedly stolen data from the corporate computer systems of Sony Pictures Entertainment, executives at the movie studio were faced with more than just a public relations crisis.
For years, Sony had avoided every company’s worst nightmare, the kind of thing you’d expect to see only in a Hollywood blockbuster: A digital attack so crippling it disrupts the normal course of business and throws the company years, perhaps even decades, into the past.
Sony’s avoidance was less one born of preparation and more something credited to luck. The studio had only ever found itself the target of a cyberattack once in its recent history cyber pranksters usually focused their attention on other Sony properties, like the PlayStation gaming network that had twice before been disrupted by hackers.
So it caught everyone off guard when employees first detected they’d been hacked in November 2014. A group of alleged cyber thieves identifying themselves first as “God’s Apostles,” then the “Guardians of Peace” and later the “GOP” began leaking a huge amount of digital data purportedly stolen directly from the computer networks at Sony, a smash-and-grab campaign that was months in the making.
The leaks came in waves initially limited to sensitive business and employee records, like medical transactions and Excel spreadsheets of usernames and passwords. Eventually, it escalated to embarrassing the contents of e-mail accounts used by Sony executives were dumped online. In doing so, hackers pulled back the curtain on a culture so prevalent in the corporate world that had before been forced into transparency. Exposed were the cozy relationships, the personal attacks, the politically incorrect jokes, the office gossip and the secret deals for everyone from Hollywood to the media and anyone in-between with a BitTorrent client to examine and disseminate.
It was an image disaster at the highest levels, one that Sony executives expectedly and profusely apologized for both internally and externally. But the attack also highlighted a major impairment at Sony, one that is found at many large organizations: The company had no plan to handle a digital disaster of this or any magnitude.
Sony’s Self-Imposed Scary Situation
“There is no playbook for us to turn to,” Sony chief executive Michael Lynton told employees. The company suddenly found every Internet-connected computer on its premises from the Sony-branded Android phones executives used on a daily basis to the “smart” copy machines run mainly by the interns were no longer an asset. Each was a liability, something that might add to the studio’s problems as hackers continued their relentless disclosure of sensitive data in the days leading up to Christmas.
Sony’s solution was to hastily arrange a postmortem attack plan that would allow the company to communicate internally while trying to conduct business externally. Instead of instant messaging, employees sent text messages to each other using a crudely designed paper phone tree. Unable to make electronic direct deposits, employees were given checks printed on antiquated machines that had sat in storage for years. Some 6,000 employees ditched their corporate laptops for notepads and sent sensitive business e-mails using their personal Gmail accounts after their corporate accounts were compromised, while executives set aside their Sony Xperia Android phones for old BlackBerry devices recovered from a basement on the lot (the presumption was that the e-mails would be more secure since they are transmitted through BlackBerry’s own servers).
The lack of a response plan almost certainly added to an already-troubling situation at Sony. “It took me 24 or 36 hours to fully understand this was not something we were going to be able to recover from in the next week or two,” Lynton said in an interview with The Wall Street Journal.
Worse, because Sony had failed to implement an adequate plan to prevent the attack (a security expert for the studio once said he was not interested in spending $10 million in resources “to avoid a possible $1 million loss”), hackers were able to collect large amounts of sensitive documents and other data for months, then destroy their tracks before announcing their intention to release the data.
Did North Korea Really Orchestrate Sony Hack?
The latter has made it incredibly difficult for federal investigators and cybersecurity firms to determine exactly who is responsible for the compromise. Although the FBI has publicly blamed North Korea as an instigator behind the attack the compromise was largely speculated to be motivated by the forthcoming release of “The Interview,” a comedy that stars Seth Rogen and James Franco and depicts the fictitious assassination of the country’s leader a security firm hired by Sony in November found it nearly impossible to retrace the exact steps of the attack, according to the WSJ. And while malicious code examined by the FBI and security experts seemed to point to North Korea as culpable in the attack, other researchers familiar with cyber intrusions note that the evidence is largely unreliable because of just how easy it is for malicious actors to disguise their actions and themselves by manipulating code.
The attack has already had an adverse effect on Sony Pictures’ business. The studio announced it would not go forth with a planned Christmas Day release of “The Interview” after large movie chains said they would not screen the film in theaters. After public criticism, Sony Pictures partially reversed its decision, announcing it would release the film in a handful of independent theaters and on various online platforms.
The film sold online for around $15 with an option to rent for one-third the price. Online rentals and sales of, something that excited Internet technophiles who hope to prove that digital media releases are the next big thing.
But what Sony recovered in online sales was a mere drop in the bucket for a legacy film studio that is used to seeing much more cash when a film is released in theaters. Sony, which spent $45 million to produce “The Interview” and had another $30 million earmarked for promotional considerations, hardly sees the online demand for the film as something worth celebrating.
There is no doubt that Sony is the victim of one of the worst private-industry computer intrusions in history. At the same time, Sony is not excused of the responsibility it had to protect the private information of its employees and the sensitive business dealings that have now cost the company more than its reputation. To that, Sony is not a blameless party its consideration of cybersecurity was almost an invitation to be hacked, one that still-unknown malicious actors were more than happy to accept. And in almost every way imaginable, Sony executives demonstrated what not to do in the days and weeks that followed the nightmare.
That Sony executives were able to throw together a plan in the interim isn’t something to be admired. It should serve as a warning sign to every company in America that conducts many functions of its business on an interconnected digital platform: Don’t assume the worst won’t ever happen to you and have a plan in place just in case it does.
Matthew Keys is a contributing journalist for TheBlot Magazine.