Monday Morning Quarterback – The Sony Breach

I am certain we will see a number of people comment on what Sony shoulda/coulda/oughta have done and there is likely some truth in all of them.  Here is one and my thoughts on it, from Data Breach Today.  This is from a blog post by Matthew Schwartz.  He makes 7 points, which I mostly agree with:

1. Failure to spot the breach – IF the hackers really got away with 100 terabytes of data as some people claim, it is hard to understand how they did not catch this.  The devil is in the details (like did the hackers send the data to the Amazon cloud or Dropbox or some other seemingly normal place), but companies should be spending some time and effort to watch outbound traffic and look for anomalies.

2. Poor breach response – I think Matthew is right on with this one but I completely disagree with the conclusion.  I think most companies’ breach response plans are woefully inadequate and I have said before that I think that Sony’s definitely fell into this category.  Where I disagree is with the recommendation that they should not have pulled the release of “The Interview”.  First, it was not their decision.  When the 4 big movie chains decided to pull it, the release was gone.  Sure, they could have gone forward and released it on the remaining few screens, but the effect would have been no different.  If Sony said they were releasing it and the only place it was showing was in a second tier theatre or in a small town, people would still figure it out.  Where their lack of a plan came through was their back and forth, on again, off again decision making process.  That made Sony look bad or even worse than they already looked.   If they decided to try and force the issue and release it and someone, completely unrelated to the hackers, decided to bomb a theatre and there was injury or loss of life, the lawsuits would have been staggering.  Until you solve that legal problem, Sony had to kill the release.

3. Shooting the messenger – Hiring a big name law firm to threaten the media was just dumb – and likely a result of #2 above.  All it did was give Sony more negative attention and it did not stop anyone from publishing anything.

4. Contradicting themselves – first they said they were going to release “The Interview”, then not, then saying they always planned to release it.  Sony hired famous spin doctor, Judy Smith (adviser to George HW Bush and Monica Lewinsky, among many others), but that seemed to happen late in the game (mid December maybe).  This likely goes back to #2 – not having a plan.  Judy should have been on board on day 1 — since she should have been under contract already.  A company the size of Sony should have a media/PR expert already under contract as part of their breach response preparation.  It doesn’t cost very much to have someone like that on retainer compared to what it did cost them after the fact, both in dollars and reputation.

5. Ceding Control Of the Conversation – After the hackers published the emails of several Sony executives and made the executives look bad, Sony looked like a deer in the headlights.  Going back to #2 and #4, I think they had an “Oh, S**t” moment.  Lack of planning caught them unprepared and as a result, left the hackers in control of the conversation.  In a vacuum, the media goes with what they have.

6. Failure to take responsibility – Amy Pascal, head of SPE, told Bloomberg that it was nobody’s fault at the studio.  Sure, it was not her PLAN to do this, but ultimately, it certainly is her responsibility.  Hopefully, the Board of Directors has already corrected that confusion on her part.

7. Hoarding Old Emails – Actually, I would say hoarding old data.  They had social security numbers (in plain text in spreadsheets) for 50,000 employees.  They don’t have 50,000 employees.  Bloomberg, in March 2014, reported that SPE had 6,500 employees worldwide and were about to make cuts to improve profitability.  How far back does that data go?  A data retention policy is important not only in the case of a breach, but also in case of a lawsuit.  Hackers cannot steal data that does not exist.  If you need to retain it for legal reasons, keep it in a virtual or physical vault.
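Point 1 above says companies should watch outbound traffic for anomalies, and notes that the hard part is exfiltration to a seemingly normal destination such as Amazon or Dropbox. The following is an added illustration of that kind of check, not code from the original post or from Sony: it compares each host's daily egress volume against its own recent baseline and, for hosts that spike, lists any destinations matching an assumed list of cloud-storage domains. The flow records, host names and threshold factor are all constructed for the example.

```python
"""Egress-volume anomaly check over constructed daily flow summaries."""
from collections import defaultdict
from statistics import median

# Constructed sample records: (day, source_host, destination, bytes_out).
# Not real traffic; "fileserver-01" suddenly pushes 60 GB to cloud storage on day 4.
FLOWS = [
    ("d1", "fileserver-01", "update.vendor.example", 2_000_000_000),
    ("d2", "fileserver-01", "update.vendor.example", 2_100_000_000),
    ("d3", "fileserver-01", "update.vendor.example", 1_900_000_000),
    ("d4", "fileserver-01", "s3.amazonaws.com", 60_000_000_000),
    ("d1", "ws-42", "mail.example", 50_000_000),
    ("d2", "ws-42", "mail.example", 55_000_000),
    ("d3", "ws-42", "mail.example", 48_000_000),
    ("d4", "ws-42", "mail.example", 52_000_000),
]

# Assumed list of "normal-looking" destinations that can also stage bulk uploads.
CLOUD_STORAGE_HINTS = ("amazonaws.com", "dropbox.com", "drive.google.com")


def daily_egress(flows):
    """Sum bytes out per (host, day)."""
    totals = defaultdict(int)
    for day, host, _dest, nbytes in flows:
        totals[(host, day)] += nbytes
    return totals


def find_egress_anomalies(flows, baseline_days, check_day, factor=5.0):
    """Return {host: (bytes_on_check_day, baseline_median, cloud_destinations)}
    for hosts whose egress on check_day exceeds factor * their baseline median.
    Hosts with no baseline history (first seen on check_day) are not scored here
    and would need a separate absolute-volume rule."""
    totals = daily_egress(flows)
    anomalies = {}
    for host in sorted({h for (h, _d) in totals}):
        base = median(totals.get((host, d), 0) for d in baseline_days)
        today = totals.get((host, check_day), 0)
        if base and today > factor * base:
            dests = sorted({dest for day, h, dest, _ in flows
                            if h == host and day == check_day
                            and dest.endswith(CLOUD_STORAGE_HINTS)})
            anomalies[host] = (today, base, dests)
    return anomalies


if __name__ == "__main__":
    for host, (today, base, dests) in find_egress_anomalies(FLOWS, ["d1", "d2", "d3"], "d4").items():
        print(f"{host}: {today / 1e9:.1f} GB out vs baseline {base / 1e9:.1f} GB/day; "
              f"cloud-storage destinations: {dests}")
```

A per-host baseline is what makes the 60 GB stand out; a single flat threshold across the whole network would be tripped constantly by legitimately busy hosts.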

My Conclusion – It seems to me that the lack of a plan was probably their number one problem.  Their number two problem was not effectively managing (controlling) the data that they did have.  Given that they have been hacked several times before, the lack of a breach response plan is an epic-fail and should be a resume-generating event.  The responsibility lies squarely with the Board of Directors and on Amy Pascal and Michael Lynton, the co-chairpersons of Sony Pictures.  I wonder if there will be some vacancies at SPE in the near future?