CORRECTION: I said below that the hackers stole 25 GB of data. According to CSO Online, they RELEASED 25 GB of data and this is only a fraction of what they stole.
UPDATE: Brian Krebs (KrebsOnSecurity.com) is now reporting additional information:
- The attackers stole 25 GB of data
- The malware destroyed data on an unknown number of internal servers (as I suggested below)
- The reason that employees were told to turn off their computers and disable Wi-Fi is that the malware destroys the Master Boot Record and wipes data on infected computers
- One spreadsheet being floated around includes the names, dates of birth, SSNs and health savings account data on more than 700 Sony employees
- Another spreadsheet contains the name, location, employee ID, network username, base salary and date of birth for more than 6,800 individuals.
- Yet another apparently purloined file’s name suggests it was the product of an internal audit from accounting firm PricewaterhouseCoopers, and includes screenshots of dozens of employee federal tax records and other compensation data
Assuming all this is true, then we are dealing with California privacy law (SB1386 and its relatives) and, potentially, HIPAA violations as well, bringing the Department of Health and Human Services’ Office for Civil Rights into the picture. Both of these could bring large fines (HHS OCR can levy fines of up to $1.5 million per violation, and they get very creative about what counts as a violation – it could be as much as each record being a violation).
On a side note, Target has said that its costs for last year’s breach are now $250 million and that there won’t be any other material costs. I assume this does not include any fines or judgements – those would be extra – since none of the cases have come to trial and the regulators have not said anything that I am aware of.
The good news just keeps on coming for Sony.
The most important takeaway from this is “How would my company deal with our version of this scenario?” If the answer is not “Effectively, thank you!”, then there is work to be done regarding business continuity and disaster recovery.
- The FBI released a confidential alert to businesses and requested that it be distributed only on a need-to-know basis. Within a few hours, Redmondmag.com published the details of it (this is why the Feds like to classify stuff: if you publish something that is classified, you can go to jail for a long, long time – even if you claim freedom of the press. Espionage laws trump that most of the time). The gist of what was reported is that the malware wipes systems and overwrites data files, making the data very difficult and expensive, and likely impossible, to recover except from backups.
- On December 1st a spreadsheet was released with the salaries of the top 17 Sony Executives who make $1 million or more. The spreadsheet also included names, job titles, home addresses, bonus plans and current salaries.
- Sony is trying to find the miscreants who did this, of course. It has been leaked that they have hired the cyber security gurus from FireEye’s Mandiant division. My guess is those folks are helping to figure out how the attack took place and how to clean up the debris, as well as looking for any clues as to the source of the attack.
- If the source of the attack is North Korea as speculated, then that is mostly a dead end. If it was them, it was likely government sanctioned and I don’t think anyone is ready to invade North Korea over this. Apparently, some of the software used in the attack was compiled in Korean.
- Supposedly some business systems are back online, but Sony has not released any details. How much work is left is unknown.
- Sony is set to release two big budget movies this month (Annie on December 19 and The Interview on December 24). Even if Sony manages to prop up the systems needed for the release process, the distraction of the executives, the inability of the majority of the staff to operate normally and the media’s attention on Sony’s inability to keep their networks secure could have a negative effect at the box office. On the other hand, some people say there is no such thing as bad publicity. Only time will tell.
- How much is all of this costing Sony – no clue yet.