Although the media focus on the Sony Pictures Entertainment hack has largely concerned the five leaked films that have made their way online, the bigger story might be the sensitive internal data that is part of this massive hack.
A group calling itself GOP (Guardian of Peace) hacked into Sony Pictures Entertainment’s website last week, taking down nearly all of its internal systems with it.
Nearly a week later, the fruits of the raid are beginning to trickle out into the public. Mashable was contacted by individuals who claim to be involved with GOP and to possess documents from the data breach.
More than 27GB of documents that appear to be from internal Sony Pictures Entertainment (SPE) file servers have already been leaked. Mashable has reviewed some of those documents and the cache of information is absolutely stunning.
To the common user, the data isn’t very interesting. Much of the data, some of which dates back to 2002 and 2003, is related to internal procedures and sales reports.
Still, the fact that this information, which includes marketing reports, syndication agreements, HR policies, corporate events documents, presentation decks and press releases, has been freely released should trouble anyone working at SPE.
A treasure trove of internal data
When major motion pictures leak online before their theatrical release, there is almost always a negative impact on the film’s box office take. For that reason, it makes sense that much of the immediate focus has been on leaked screeners of Fury, Annie and other films.
Still, we can’t help but think that the gigabytes of sales documents and marketing plans could potentially be more problematic for SPE down the line.
It seems very clear that the information leaked thus far is merely the tip of the iceberg. The 27GB data file is titled “spe01,” which appears to indicate this is just part one of what could be many more parts of data.
That data file contains information from a number of departments, including marketing (international and domestic), HR, sales and events. Some of this data is mundane and innocuous, but other information could be useful to rival studios.
For example, if a rival studio had access to the syndication agreements for specific shows on specific network affiliates, it could be used for negotiations for competitive time slots. Moreover, the affiliates themselves could see how their fees compare to other markets for the same programs.
Additionally, the breadth of the data suggests that it is very likely every file on SPE’s internal file server has been compromised.
Security, what security?
This is not the first time SPE has been hacked. More than three years ago, 37,000 user accounts were hacked from the SPE website. An individual associated with the hacking group LulzSec was sentenced to a year in prison in connection with that attack.
LulzSec was able to hack into SPE in 2011 using a fairly basic SQL injection. That allowed the attackers to access usernames and passwords of registered users on SPE’s site with relative ease.
Three and a half years later, it would appear that SPE’s internal security practices have not improved.
None of the documents stored on the server appeared to be encrypted. Moreover, the documents themselves showed tremendous signs of poor data practices across departments.
One folder Mashable examined was titled “Passwords” and contained login passwords for internal email systems as well as corporate credit card numbers.
We have to ask:
What kind of IT policy allows this sort of behavior to take place?
To be clear, this attack is very much a criminal matter and SPE and its employees are victims. Still, this is just another example of how poorly large corporations address information security.
It’s worth asking: if SPE’s internal policies for its own data are so weak, how does it treat customer and client data?
For now, the motive behind this leak is unclear.
The breadth of the data breach has led some to question whether or not this was an inside job. Although it is very possible that an internal source helped the attackers gain access to parts of the internal web server, the way the information has been leaked as well as the way the leakers are communicating with the press suggests at least some involvement from an outside group.
In an email to The Verge, a hacker purporting to be associated with the attack stated that the group “wants equality. Sony doesn’t.”
Reports from Re/Code and NBC News suggest that the attack may stem from China or North Korea and be in retaliation for Sony’s upcoming film, The Interview. The premise of that film is a plot to assassinate North Korean leader Kim Jong Un.
In an email statement to Mashable, a Sony spokesperson said that “Sony Pictures continues to work through issues related to what was clearly a cyber attack last week. The company has restored a number of important services to ensure ongoing business continuity and is working closely with law enforcement officials to investigate the matter.”
Author: Christina Warren