Tag Archives: Sony

Do We Really Know How Successful Hackers Are? No!

As we see the news of attacks day after day and think “can it get any worse?”, the reality is that likely, it is much worse than we think.

Buried in the mass of data released by the Sony hackers were emails from VP of legal compliance Courtney Schaberg telling people inside the company, including chief counsel Leah Weil, that Sony had suffered another hack: credentials had been obtained by attackers, the affected accounts had since been disabled, the attackers had uploaded malware, and some data had been compromised.

A follow-up email describes the data that was taken, along with an assessment that Brazil, where the attack took place, does not have a breach notification law, although it does have other privacy-related laws.

The email, labelled Privileged and Confidential, goes on to say that she recommends against telling people that their data was compromised: the law doesn’t require it, the data taken wasn’t terribly sensitive, and telling the people whose data was hacked wouldn’t help them much in mitigating the damage.

Part of the logic in deciding whether to disclose or not was whether the media would out them.  In this case, the Brazilian media had not mentioned Sony by name after a reporter contacted them, so maybe they could squeak by.

In the U.S. only certain kinds of breaches (such as credit card data and health care data, among a few others) REQUIRE disclosure and even then, many of the laws allow the businesses to decide what the risk of the compromise is to the victim in deciding whether to tell people that their data was hacked.

In the absence of a Federal law requiring all companies to fess up to breaches all the time, breaches will be under-disclosed.  After all, disclosing a breach that a company might be able to sweep under the rug will definitely cost the company more money and cause more problems, including lawsuits.

As a result, in addition to those breaches where the company doesn’t realize they have been hacked, there are likely many other breaches that go undisclosed following this very same logic that Sony used.

What percentage of the leaks are disclosed?  No one knows.  But probably way less than we think.

Information for this post came from Gawker.

Sony Agrees To Pay Employees $5 Mil – Sort Of

Billboard is reporting that Sony and the employees suing them as a result of the breach last year have come to a tentative agreement.  The employees were suing for negligence and privacy violations.

If the settlement is approved, the employees will get $2 million – up to $1,000 each – for preventative measures taken against identity theft.  The lawyers will get $3.5 million.

In addition, Sony is paying for identity theft protection for two years and $1 million in identity theft insurance.

Additionally, Sony will pick up another $2.5 million – up to $10,000 per employee – for unreimbursed losses as a result of the breach.  Note that this is likely not going to be touched, so it doesn’t really count.

Why will this not be touched?  Two reasons.  First, losses on credit cards will be eaten by the banks and credit card associations – your liability, at most, is $50.

Second, and this is pretty novel, Sony is saying that given the Target breach, the Home Depot breach and many others, you need to prove that the unreimbursed loss was a result of the hackers stealing your information from Sony and not from one of the other breached sites.  That is pretty much impossible to do.

If the judge approves this – and it is not clear that he will – the winners are the attorneys.

From Sony’s standpoint, spending $5 million plus attorney’s fees is way cheaper than actually protecting the information.  Of course they have lots of other expenses – fixing the breached systems, lost business, film revenue, etc., but a lot of that is covered by insurance.

Sony’s former director of information security said “it’s a valid business decision to accept the risk of a security breach… I will not invest $10 million to avoid a possible $1 million loss.”

What we don’t know and will likely never be disclosed is whether Sony loses some picture deals as a result of the rather caustic comments attributed to their executives in leaked emails.

And there still could be shareholder lawsuits and other non-employee suits.

Information for this post came from Billboard.

Sony Breach May Break Even More New Ground

Everyone knows that the Sony breach was different from, say, the Target or Home Depot breach because of the damage that Sony is still, 10 weeks later, trying to recover from.

But now, the insurance experts are adding yet another wrinkle – thanks Sony.

According to the Hartford Courant, Sony may break new ground in the insurance world too.

Cyber insurance policies tend to be a bit vague on coverage in case of acts of war or terrorism.  Since the government has blamed North Korea for the attack, one might call it an act of war or terrorism.  The President was careful to call it cyber vandalism.  I suspect a number of attorneys argued about that decision, and part of it may have been to try to avoid trouble with Sony’s cyber insurance policy.  Of course, what the President calls it has little impact on what the insurance company calls it, and while we have no indication yet that Sony’s insurance carrier is going to try to wiggle out of the policy, it still may.  Writing a $60 million check does cause people to pucker up.

So then, you might rightfully say, if it is terrorism, did Sony have a terrorism policy?  That issue has not come up yet, so we don’t know.

And terrorism insurance is designed to cover losses like the World Trade Center on 9-11, not a hacker erasing some computer disks and posting your new movies on an underground message board.

Suffice it to say, this is all new ground.

It certainly would be smart for companies and their insurance brokers to review their coverages and exclusions in light of this.  And, at renewal time, it behooves them to read the policy carefully.

Whether Sony’s insurer will try playing this card is unknown – I guess we will have to wait and see.  And even if they do, it will take years to sort out.

One more time Sony is breaking new ground.


Sony Still Trying To Recover From Attack

In the latest bit of news dribbling out of Sony Pictures, Reuters is reporting that Sony has requested an extension of the deadline for its required financial filings from mid-February to the end of March.

Sony is saying that their financial and accounting applications will not be working until early February.

For those of you keeping track, the attack started on November 24th of last year.  Early February will put the recovery at 10 or 11 weeks just to get the systems back online.  Then comes the task of catching up on 10+ weeks of lost work for thousands of employees.

Sony did say, according to Reuters, that they will hold a news conference on February 4th.  It will be interesting to see if they announce a charge against earnings for the cost of the breach at that time or if they wait until March 31st when they will file their financials.

The impact on a company of not having any financial systems – and likely many other systems – to manage their business for 2-3 months is significant and we will have to watch to see what the longer term effect is on Sony.


Sony – The Story That Just Never Ends

The New York Times is reporting that the NSA has been inside North Korea’s network since 2010 and that is how they knew that the Sony attack came from North Korea.  Hopefully, this is one NSA spying activity that no one in the U.S. is going to complain about.

The Times article said that North Korea had stolen the credentials of a Sony administrator, but the NSA didn’t realize that until after the attack.

General Clapper, the U.S. Director of National Intelligence, went to North Korea in November as part of a secret plan to seek the release of two Americans being held there.  His host, Kim Yong-chol, head of the Reconnaissance General Bureau, later oversaw the Sony attack, according to Clapper.

That information certainly adds more credibility to the statement that North Korea is responsible for the attack.  It is also an example of how the government sometimes makes statements while leaving out facts for various reasons, with the result that those statements don’t sound as credible as the government would like.

Obviously, the downside of the Times article is that it discloses “sources and methods,” which are generally very highly classified.  (There is a link in the Times article to a Der Spiegel leaked NSA document that is marked TOP SECRET//SI/TK//REL TO USA, FVEY.  For those of you who are familiar with the DoD classification markings, that document is definitely highly classified.)  The disclosure will likely shut down the entry the NSA has into North Korea as the Koreans scramble to figure out how to deal with the leak of information.  Just as likely, the NSA is trying to figure out (or maybe already has figured out) how to deal with this leak.


Sony Pictures CEO Interviewed By AP

Michael Lynton, Sony Pictures CEO, gave the AP the most extensive interview since the attack.

Among other things, Lynton said of the hackers: “They came in the house, stole everything, then burned down the house.”  He said “They destroyed servers, computers, wiped them clean of all the data and took all the data.”

More importantly, he said that six weeks later, the studio’s network is still down and is expected to remain so for a few weeks.

A few other things he said:

  • Sony did not have a playbook for this.  He said that maybe nobody could.
  • A team of 10-15 senior management people were tasked with keeping Sony’s 7,000 employees informed without having them panic.
  • Sony had an emergency notification system but not all employees were on the system, so they had to sign people up in the middle of the crisis.
  • They met with 400 to 500 Sony employees at a time on a sound stage on the property to talk to employees about identity theft and security tips.
  • The story kept making twists and turns, so responding was difficult.  They would have a plan in the morning and it would change by the evening.
  • When the theatre chains pulled out from screening The Interview, they were scrambling because they did not have a plan.  They said they had no plans to release it, which was correct, because they had no plan.
  • The movie has generated $31 million so far, which still leaves it under water, but they have cannibalized most of the future revenue by doing PPV on Christmas.
  • He declined to give a cost estimate for the breach – likely because they don’t really know yet – but that will be in their SEC filings eventually.
  • He still maintains that “we were adequately prepared … nobody could have withstood an attack of this nature.”

Looking back, I would say – and they would likely say privately – that they were not adequately prepared.  They did some things right and many things wrong.

USA Today is reporting that 19,000 French web sites have been attacked or defaced since the Charlie Hebdo attack, and the number is growing.  The article quotes one security expert who calls this the new normal.

I don’t know if that is true, but if it is, planning is one thing companies need to spend some effort on.