A law firm hired by Sony Pictures Entertainment has warned media outlets not to report on documents and other material allegedly stolen from computers at the center of a massive cyberattack targeting the studio.
Attorney David Boies distributed a three-page letter to various news organizations asserting Sony’s privilege with respect to the stolen data and warning that the company “does not consent to your possession, review, copying, dissemination, publication, uploading, downloading or making any use of the [data].”
The New York Times, The Wall Street Journal, Bloomberg News and the technology news website Re/Code were among some of the outlets that acknowledged receiving the letter. Re/Code published a near-unedited copy of the letter online Sunday afternoon.
The cyberattack against Sony is widely believed to be in response to the studio’s planned release of a film depicting the fictitious assassination of North Korean leader Kim Jong-un. Suspicion has fallen on hackers aligned with or sympathetic to the North Korean regime; various North Korean leaders have denied the country had any direct involvement with the attack, though a government spokesperson praised the compromise as “righteous” late last week.
The letter distributed on Sunday was the first acknowledgement by Sony’s representatives that the attack was carried out “explicitly seeking to prevent [Sony] from distributing a motion picture.” The letter did not say which motion picture was being targeted, nor did the letter say how Sony or its legal representatives became aware that the film was the motivation behind the attack.
Boies called on news organizations to destroy “all copies” of allegedly stolen data that might be “protected under U.S. and foreign local doctrines,” including copies of letters, presentations and other documents that the company considers privileged under attorney-client protections and laws dealing with financial information and other trade secrets.
The letter warned that Sony would hold media outlets responsible if they continued to report on information gleamed from the compromised data. Boies also wrote that the letter was sent “without prejudice and does not purport to address all facts and issues concerning the stolen information,” leaving open the possibility that Sony may seek legal action against news organizations who have already reported on information derived from the data.
It is unclear how news organizations will respond to the request. A Wall Street Journal spokesperson declined to comment to the paper. A Bloomberg spokesperson also declined to comment when asked by a reporter at its outlet. The New York Times did not say whether or not it had access to the purportedly stolen data, but acknowledged the paper had filed stories based on other media reports.
Sony’s security boss Jason Spaltro once said the company had adequate-enough security, but its fourth breach in three years is one of the largest cyberattacks in history.
The November compromise involving Sony’s film wing is the fourth disruptive cyberattack against the electronics giant in the past three years. Earlier in the month, Sony’s PlayStation network was knocked offline for millions of users after a hacking group flooded the service with traffic, a technique commonly known as a “distributed denial of service” attack.
In 2011, both Sony Pictures and Sony’s PlayStation network were involved in similar incidents.
But the latest compromise to hit Sony is by far the largest and most damaging. According to media reports, hackers gained access to sensitive employee information, including salary logs, medical records, password databases and seemingly-confidential e-mails in which Sony film executives made unflattering remarks about actors and other high-profile individuals.
Hackers also managed to leak around a half-dozen company films online, some of which had yet to be released in theaters.
The New York Times reported Sunday that Sony had hoped competitors would voice their support for the film studio nearly three weeks after the compromise was first publicized, but attempts to rally such support have fallen flat. Company itself has remained relatively silent on the issue, which the Times suggested could be partially to blame for the lack of support from peer studios.
Speaking on background, some past and present Sony employees have been critical of the company for its lackluster digital security over the past several years, with one employee calling Sony’s information technology team a “complete joke.”
“We’d report security violations to them and our repeated reports were ignored,” the employee told the news startup Fusion, echoing a sentiment repeated in other media accounts on the Sony attack.
A recently rediscovered profile on Sony’s head of information security Jason Spaltro has stoked the fire of criticism: In the profile, Spaltro suggested the company was doing the bare minimum to thwart a million-dollar cyberattack and that investing additional capital and resources was an unnecessary expense.
“It’s a valid business decision to accept the risk (of a cyberattack),” Spaltro told CIO Magazine in 2007. “I will not invest $10 million to avoid a possible $1 million loss.”
Spaltro has since been promoted at Sony and continues to work on information security matters there.