Tag Archives: Sony

Security News for the Week Ending December 24, 2021

Russian Hackers Make Millions by Stealing SEC Earning Reports

A Russian hacker working for a cybersecurity company has been extradited to the U.S. for hacking into the computer networks of two SEC filing agents used by multiple companies to file their quarterly and annual SEC reports. Using that insider information, the hacker traded stock in advance of the earnings being made public and earned millions. The hacker made the mistake of visiting Switzerland. I guess he figured that the U.S. did not know who he was. He was wrong. Credit: Bleeping Computer

Security Flaw Found in Popular Hotel Guest WiFi System

I always tell people not to use hotel guest WiFi systems because they are not secure. A researcher says that an Internet gateway used by hundreds of hotels for guest WiFi is not secure and could put guests’ personal information at risk. The gateway, from Airangel, uses extremely easy-to-guess, hardcoded passwords. You can pretty much guess the rest. Credit: Tech Crunch

Feds Recover $154 Million in Bitcoin Stolen by Sony Employee

The U.S. has taken legal action to seize and recover $154 million stolen from Sony Life Insurance by an employee in a very basic business email compromise attack. The funds were supposed to be transferred between company accounts but were diverted. The hacker was not very smart: he was in a country friendly to the U.S. (Japan) and used a U.S. bank account and a Coinbase Bitcoin account, which made the funds pretty easy to recover once found. The FBI managed, somehow, to obtain the private key for the hacker’s Bitcoin wallet, which made recovering the funds even easier. What the FBI has not disclosed is how they were able to recover the private key, probably because they do not want to disclose methods. Score one for the good guys. Credit: Bleeping Computer

Former Uber CSO Faces New Charges for Breach Cover-Up

Here is a tip about covering up a breach. Joe Sullivan, Uber’s Chief Security Officer between 2015 and 2017, faces more charges of covering up Uber’s breach. This time it is deliberately covering up a felony, which could bring him 8 years in prison and a $500,000 fine. Knowing Uber, they are probably not paying his legal costs. Moral: don’t lie. Credit: Data Breach Today

Russia Surging Both Tanks and Cyberattacks on Ukraine

In addition to moving 175,000 soldiers to the Ukraine border as Ukraine plans to join NATO, Russia is also stepping up cyberattacks on Ukraine’s financial system and critical infrastructure. In response, the US, UK and other friendly (NATO) countries have sent cyber experts to Ukraine to help defend their digital frontier. What war looks like now. Credit: Data Breach Today

Do We Really Know How Successful Hackers Are? No!

As we see the news of attacks day after day and think “can it get any worse?”, the reality is that it is likely much worse than we think.

Buried in the mass of data released by the Sony hackers were some emails from VP of legal compliance Courtney Schaberg telling some people inside the company, including chief counsel Leah Weil, that Sony had suffered another hack: hackers had obtained credentials, the affected accounts had since been disabled, and the attackers had uploaded malware and compromised some data.

A follow-up email describes the data that was taken, along with an assessment that Brazil, where the attack took place, does not have a breach notification law, although it does have other privacy-related laws.

The email, labelled Privileged and Confidential, goes on to say that she recommends against telling people that their data was compromised because the law doesn’t require it, the data taken wasn’t terribly sensitive, and telling the people whose data was hacked wouldn’t help them much in mitigating the damage.

Part of the logic in deciding whether or not to disclose was whether the media would out them. In this case, the Brazilian media had not mentioned Sony by name after a reporter contacted them, so maybe they could squeak by.

In the U.S., only certain kinds of breaches (those involving credit card data and health care data, among a few others) REQUIRE disclosure, and even then many of the laws let the business decide what risk the compromise poses to the victim when deciding whether to tell people that their data was hacked.

In the absence of a Federal law requiring all companies to fess up to every breach, breaches will be under-disclosed. After all, disclosing a breach that a company might be able to sweep under the rug will definitely cost the company more money and cause more problems, including lawsuits.

As a result, in addition to the breaches where the company doesn’t realize it has been hacked, there are likely many other breaches that go undisclosed following the very same logic Sony used.

What percentage of breaches are disclosed? No one knows. But probably far fewer than we think.

Information for this post came from Gawker.

Sony Agrees To Pay Employees $5 Mil – Sort Of

Billboard is reporting that Sony and the employees suing them as a result of last year’s breach have come to a tentative agreement. The employees were suing for negligence and privacy violations.

If the settlement is approved, the employees will get $2 million – up to $1,000 each – for preventative measures taken against identity theft. The lawyers will get $3.5 million.

In addition, Sony is paying for identity theft protection for two years and $1 million in identity theft insurance.

Additionally, Sony will pick up another $2.5 million – up to $10,000 per employee – for unreimbursed losses as a result of the breach. Note that this is likely not going to be touched, so it doesn’t really count.

Why will this not be touched? Two reasons. First, losses on credit cards will be eaten by the banks and credit card associations – your liability, at most, is $50.

Second, and this is pretty novel, Sony is saying that given the Target breach, the Home Depot breach and many others, you need to prove that the unreimbursed loss resulted from the hackers stealing your information from Sony and not from one of the other breached sites. That is pretty much impossible to do.

If the judge approves this – and it is not clear that he will – the winners are the attorneys.

From Sony’s standpoint, spending $5 million plus attorneys’ fees is way cheaper than actually protecting the information. Of course they have lots of other expenses – fixing the breached systems, lost business, lost film revenue, etc. – but a lot of that is covered by insurance.

Sony’s former director of information security said “it’s a valid business decision to accept the risk of a security breach … I will not invest $10 million to avoid a possible $1 million loss.”

What we don’t know and will likely never be disclosed is whether Sony loses some picture deals as a result of the rather caustic comments attributed to their executives in leaked emails.

And there still could be shareholder lawsuits and other non-employee suits.

Information for this post came from Billboard.

Sony Breach May Break Even More New Ground

Everyone knows that the Sony breach was different from, say, the Target or Home Depot breach because of the damage that Sony is still, 10 weeks later, trying to recover from.

But now, the insurance experts are adding yet another wrinkle – thanks Sony.

According to the Hartford Courant, Sony may break new ground in the insurance world too.

Cyber insurance policies tend to be a bit vague on coverage in the case of acts of war or terrorism. Since the government has blamed North Korea for the attack, one might call it an act of war or terrorism. The President was careful to call it cyber vandalism. I suspect a number of attorneys argued about that decision and part of that decision may have been to try and avoid trouble with Sony’s cyber insurance policy. Of course, whether the President calls it vandalism has little impact on what the insurance company calls it, and while we have no indication yet that Sony’s insurance carrier is going to try to wiggle out of their policy, they still may. Writing a $60 million check does cause people to pucker up.

So then, you might rightfully say, if it is terrorism, did Sony have a terrorism policy? That issue has not come up yet, so we don’t know.

And terrorism insurance is designed to cover losses like the World Trade Center on 9-11, not a hacker erasing some computer disks and posting your new movies on an underground message board.

Suffice it to say, this is all new ground.

It certainly would be smart for companies and their insurance brokers to review their coverages and exclusions in light of this. And, at renewal time, it behooves them to read the policy carefully.

Whether Sony’s insurer will try playing this card is unknown – I guess we will have to wait and see. And even if they do, it will take years to sort out.

One more time Sony is breaking new ground.


Sony Still Trying To Recover From Attack

In the latest bit of news dribbling out of Sony Pictures, Reuters is reporting that Sony has requested an extension of its required financial filings from mid-February to the end of March.

Sony is saying that their financial and accounting applications will not be working until early February.

For those of you keeping track, the attack started on November 24th of last year. Early February will put the recovery at 10 or 11 weeks just to get the systems back online. Then comes the task of catching up on 10+ weeks of lost work for thousands of employees.

Sony did say, according to Reuters, that they will hold a news conference on February 4th. It will be interesting to see if they announce a charge against earnings for the cost of the breach at that time or if they wait until March 31st when they will file their financials.

The impact on a company of not having any financial systems – and likely many other systems – to manage their business for 2-3 months is significant and we will have to watch to see what the longer term effect is on Sony.


Sony – The Story That Just Never Ends

The New York Times is reporting that the NSA has been inside North Korea’s network since 2010 and that is how they knew that the Sony attack came from North Korea. Hopefully, this is one NSA spying activity that no one in the U.S. is going to complain about.

The Times article said that North Korea had stolen the credentials of a Sony administrator, but the NSA didn’t realize that until after the attack.

General Clapper, the U.S. Director of National Intelligence, went to North Korea in November as part of a secret plan to seek the release of two Americans being held there. Clapper says his host, Kim Yong-chol, head of the Reconnaissance General Bureau, later oversaw the Sony attack.

That information certainly adds more credibility to the statement that North Korea is responsible for the attack. It is also an example of how the government sometimes makes statements while leaving out facts for various reasons, with the result that those statements don’t sound as credible as the government would like.

Obviously, the downside of the Times article is that it discloses “sources and methods”, which are generally very highly classified. (There is a link in the Times article to a Der Spiegel leaked NSA document that is marked TOP SECRET//SI/TK//REL TO USA, FVEY. For those of you who are familiar with the DoD classification markings, that document is definitely highly classified.) The disclosure will likely shut down the entry the NSA has into North Korea as the Koreans scramble to figure out how to deal with the leak of information. Just as likely, the NSA is trying to figure out (or maybe already has figured out) how to deal with this leak.