Sony Pictures, Hacking, and Why Cybersecurity Is an Arms Race

Beyond all the gossip floating around—and admittedly, there's a lot of it in this case—the Sony Pictures hack goes in some terrifying new directions that IT professionals need to understand. It's time for associations to lead the way.

I know it’s Oscar season, but it’s safe to say that the best drama to come out of Sony Pictures this year is unfolding on online news sites—all thanks to a massive hack.

The hack, believed to be a response to the North Korea-mocking Seth Rogen movie The Interview, is unprecedented in scale and media interest.

To put it another way, the WikiLeaks diplomatic cables leak, also described as unprecedented in scale, included 251,287 documents at roughly 15 megabytes in size. The Sony hack is estimated to cover around 100 terabytes of data—or 10 times the amount of data in the Library of Congress.

Among the entertaining bits of gossip now floating around thanks to the Sony hack: the inside story of how Sony Pictures lost the high-profile Steve Jobs biopic; company cochair Amy Pascal’s racially charged remarks about President Obama’s movie preferences in an email thread with a high-profile producer; the disclosure that actresses Amy Adams and Jennifer Lawrence were paid less than their male American Hustle costars; some very unkind words about comedian Kevin Hart; and an employee feedback document filled with hundreds of negative comments about the company’s work—many specifically related to moviemaker Adam Sandler.

It’s gotten bad enough that Sony’s sicced a high-profile lawyer on news organizations, asking them to stop reporting on the content of the leaked documents, though it’s unclear whether the company can do anything to stop Gawker and similar gossip-fueled outlets.

Employee Data at Risk

You’ll note something about each of those stories: All of them involve public figures. But this hack went far deeper than that, uncovering stuff about rank-and-files that probably keeps execs awake at night: Social Security numbers, salary breakdowns, and personal data released in publicly accessible files. A breach of that sort of information is any organization’s worst nightmare. In those terms, it makes the stuff that’s gotten the press coverage seem mighty tame.

When private, personal data is leaked, the damage can be catastrophic, destroying confidence in leadership and opening organizations up to lawsuits.

“These people didn’t have anything to hide,” security expert Bruce Schneier wrote last week. “They aren’t public figures. Their details aren’t going to be news anywhere in the world. But their privacy has been violated, and there are literally thousands of personal tragedies unfolding right now as these people deal with their friends and relatives who have searched and read this stuff.”

You have data just like this about your employees and members, and you need to do everything in your power to protect it. When private, personal data is leaked, the damage can be catastrophic, destroying confidence in leadership and opening organizations up to lawsuits.

That’s more deeply embarrassing than anything an email scouring can come up with.

Here’s Why You Should Listen Up

There’s been a lot of coverage of this story, and I’m sure a few of you have tuned it out at this point.

Trust me, you should not. The reason: The strategy used in this hack suggests a truly terrifying trend. Cyberattackers are looking to destroy data, not just share it (the Sony hackers destroyed some of the company’s hard drives). That is a new game with no winners, and this spectacular example could well lead to copycat attempts.

“When you combine the destruction of data with the release of what has turned out to be embarrassing data,” FireEye Chief Security Strategist Richard Bejtlich told CBS News, “put those two together and those are some new dimensions that most security, IT, and even management teams aren’t used to dealing with.”

We’re nearing the end of a long year, and I’ve covered the attack on Target’s retail systems, which first surfaced a year ago this week, numerous times since it broke. For the business world, that issue may be the defining one for 2014, because every business has to accept payments in some way. The retail and banking industries have proved extremely proactive on this issue in the past 12 months.

Their work led to the passage of a cybersecurity bill in the midst of last week’s congressional hubbub. It was buried in the middle of the Cromnibus fun—but it’s worth the notice.

We’ve learned this year that cybersecurity is an arms race. We don’t know what weapons hackers are developing or who may be the target of their next attack, but organizations of all stripes have to be ready. When they’re not, that’s when stuff like the Sony Pictures breach happens. Even as we get better at handling security gaps, those looking to find a way in are becoming more sophisticated than ever.

Associations play two roles here—one as advocate for stronger security standards and one as example-setter. Let’s show members the right way to protect themselves.

"The Interview," believed to be the reason for the Sony Pictures hack. (Sony Pictures)

Ernie Smith

By Ernie Smith

Ernie Smith is a former senior editor for Associations Now. MORE

Got an article tip for us? Contact us and let us know!