Just When We Thought Santa Forgot To Put CISOs On His “Nice List,” Along Comes The Sony Breach
Security pros got the Target breach for Christmas last year. The breach hit the retailer during its busiest time of the year and cost it millions in lost business. For security pros desperate for more budget and business prioritization, you couldn’t have asked for a more perfect present – it’s as if Santa himself came down the chimney and placed a beautifully wrapped gift box topped with a bow right under your own tree. This year it looked as if all we were getting was a lump of coal – but then Sony swooped in to save us like a Grinch realizing the true meaning of Christmas.
The Sony Pictures Entertainment (SPE) breach is still unfolding, but what we know so far is that a hacktivist group calling themselves the Guardians of Peace (GoP) attacked Sony in retribution for the production of a movie, “The Interview,” which uses the planned assassination of North Korea’s leader as comedic fodder. The hacktivists claim to have stolen 100 TB of data, which they are gleefully leaking bit by bit (imagine Jingle Bells as the soundtrack). The attack itself also affected the availability of SPE’s IT infrastructure, forcing the company to halt production on several movies.
We’ll be releasing a more detailed analysis for clients later this afternoon, but at a high level, there are several reasons why this attack is in the news every day, why it will prove to be yet another turning point in the security industry, and why security is so integral to the business technology (BT) agenda:
- This is the second major breach that the Sony brand has suffered in just a few years. In 2011, the Sony PlayStation Network breach affected more than 100 million customers and cost the company around $171 million. The public can forgive you for one massive breach, but two? And botching the response twice? At this point, you could probably begin using “Sony” as an adjective to describe the scale and impact of a breach: “Yes, we had a breach, but we didn’t have a Sony breach.”
- It has the potential to be one of the most expensive breaches of all time. The estimates start in the hundreds of millions of dollars. There are of course the breach costs themselves, the costs of delayed production, the cancellation of the release of “The Interview,” and lost revenue from future films (the hacktivists leaked several unreleased films and the scripts of future films).
- Sony’s brand has taken a major hit. The hacktivists released a cache of embarrassing emails – everything from executives making disparaging comments about major actors to the revelation that SPE doesn’t pay men and women equally. It is difficult to imagine SPE co-chairman Amy Pascal surviving this public relations disaster. If Pascal is forced out, it would be reminiscent of non-technology leaders like Target CEO Gregg Steinhafel being blamed for catastrophic failures in security.
- The hacktivists even stepped up the rhetoric surrounding the attack, moving it from cyberspace to the physical world by threatening to attack theaters that showed the movie. They even made analogies to the 9/11 attacks, although US officials are skeptical of the group’s ability to conduct these types of attacks.
- SPE caved in to the threats and cancelled the release of “The Interview.” This is disappointing and sets a dangerous precedent. I can understand SPE reluctantly pulling the movie from theaters as a precaution, but there are other ways that it could have distributed the movie.
- The breach dragged one of the biggest household names in public accounting, Deloitte, into the holiday mayhem. It turns out that a former Deloitte employee had taken sensitive Deloitte information regarding employee race, gender, and salary with them to SPE. GoP exfiltrated this data from SPE along with everything else, and it revealed embarrassing pay gaps between men and women as well as between races.
- Once again, it is the business executives who are forced to take responsibility for the breach, the embarrassing details, and their less-than-stellar response. If you’re a business leader and security and privacy don’t keep you up at night, and you aren’t thinking about how to turn good security and a genuine respect for privacy into a competitive differentiator, you’re not doing your job.
The Target payment card breach elevated cyberthreats to board-level conversations; the SPE disaster will only amplify the board’s interest in cybersecurity. However, unlike the financially motivated attacks that have made the headlines in recent months and years, the politically and socially motivated nature of this attack is unique. Every firm must now ask itself how its very business model and its business behavior might undermine its security posture and invite these types of attacks in the future. The Christmas present for security pros is that once again we head into a new year with security a top issue for the board, and with a new type of attack that can only be mitigated by business and security leaders working side by side. Security pros must take this gift and run with it, using it as an opportunity to educate their leaders on cyberthreats to the digital business and to customer trust.
Is your firm talking about the SPE breach? Is it already changing your security strategy and your relationship with the business?