According to IBM, there were 1.5 million monitored cyber-attacks in the US in 2013. That was a 12% increase from the previous year, and by all indications the numbers for 2014 will be even higher.
One new report, released by the Identity Theft Resource Center, suggests that data breaches in 2014 increased 27.5% over the previous year.
As an IBM risk study points out, when companies have a security breach their costs can include:
- damage to a company’s reputation and brand
- lost productivity
- lost revenue
- costs for data forensics
- costs for technical support
- compliance and regulatory costs
Few companies, however, have needed to deal with hacker damage on the scale suffered by Sony Pictures.
The History of the Hack
It’s not yet clear when hackers first intruded into Sony’s network, but evidence suggests that it may have been happening for more than a year before it was discovered on November 24, 2014.
In contrast to most hack attacks, in which criminals steal consumer credit card numbers and other personal information for purposes of fraud and identity theft, but which otherwise leave their corporate victims relatively unscathed, the Sony attack was far more vicious.
The Sony hackers didn’t only take personally identifiable information about Sony employees and their dependents – including their names, addresses, Social Security numbers, pay rates, performance reviews, phone numbers, and other information. They also took emails, screenplays, and even digital copies of then-unreleased movies, such as Annie.
Many of the juiciest and most embarrassing emails were released to the public and reported on in the mainstream news media.
In all, the hackers claimed to have taken over 100 TB of Sony data. But they didn’t stop there.
The hackers also installed malware on Sony’s servers. This was discovered in late November, when Sony employees found themselves unable to use their computers.
Studio operations were hurled back to the Selectric era, with checks being cut “by hand.”
According to one estimate, the hack attack could end up costing Sony $150 million-$300 million – half of the studio’s 2013 profits. Sony’s stock fell 10% the week after the attack was revealed, even though the Sony pictures division is only responsible for about 10% of Sony’s overall sales.
Who’s responsible?
The hackers responsible for the Sony attack called themselves the “Guardians of Peace.” They demanded the cancellation of Sony’s release of The Interview, a comedy about a fictional plot to assassinate Kim Jong-un, North Korea’s leader.
The hackers also threatened to commit terrorist acts in connection with the premier of the movie.
After some initial hesitation by the studio, the film was eventually released online and in a limited number of theaters.
The US government announced that North Korea itself was responsible for the attack. North Korea denied any involvement. Shortly after the US announcement, North Korea’s own Internet service temporarily “went dark.”
Some cyber security experts have questioned the US government’s conclusions, proposing that current or former Sony employees, or others, might have been responsible. The FBI rejected those alternative theories.
But it doesn’t really matter who the culprits were. What matters most is that Sony left itself vulnerable.
Unencrypted Passwords
Perhaps the most astonishingly lax aspect of Sony’s data “protection” efforts was that passwords were kept in (mostly) unencrypted Microsoft WORD, Excel, zip, and PDF files helpfully labeled “passwords.”
These passwords were among the confidential information the hackers shared with the world.
Some former Sony employees told reporters that they were unsurprised by the hack attack, given this studio’s “long-running lax attitude towards security.”
This laxness is hardly unique to Sony. According to Robyn Greene, policy counsel for the New America Foundation’s Open Technology Institute, “Eighty to 90 percent of all attacks are the result of poor cyber hygiene and internal system monitoring.”
Will anything change?
Some analysts, including former White House cybersecurity coordinator Howard Schmidt, have called the attack on Sony a “wake-up call for corporate America.”
MarketWatch suggested that the Sony hack will change how American companies do business. Specifically, the attack showed that:
- Hacker attacks have the potential to destroy a business, not just damage its reputation.
- Hackers can attack a business for ideological and political reasons, not just for financial gain.
- The US government needs to take the lead in defending the country from cyber-attacks. (This is expected to be a theme of Pres. Obama’s 2015 State of the Union address.)
- Companies need far better cyber defenses – and better disaster recovery plans for when those defenses fail.
- Data breaches can cause people to lose their jobs.
Others have suggested that the attack could lead to new cyber security legislation – or even “cyber wars” with foreign governments.
But the old adage about barn doors and horses comes to mind. Merely responding to hacker attacks – legally, politically, or technologically – is likely to turn into a pointless game of whack-a-mole.
Solutions need to prevent attacks – and recognize that people will continue to be careless about things like passwords.
Click here to learn more about PACid’s security solutions for corporations.