We still don’t know exactly how Sony Pictures got hacked or who did the hacking. But we do know that the security protections the company had in place were a bigger flop than Sex Tape. Intruders got access to movie budgets, salary information, Social Security numbers, health care files, unreleased films, and more. To rub in the pwnage, the hackers posted a file called “Passwords” in a new info dump Wednesday.
The new trove appears to include a collection of documents the hackers came across on the Sony Pictures network that had “password” in their titles, and includes digital keys for everything from Sony computers and servers to magazine subscriptions and YouTube accounts for Sony movies. (As much as we’d like to log into This is the End’s YouTube page, we haven’t actually tried any of these passwords to see if they work.) It is generally a bad idea to store all your passwords in a document on your computer. It is an even worse idea to title that document something like "My Passwords."
Sony Pictures employees and former employees are flipping out about the leak and the unexpected debut of their personal information on screens across the world. But some former employees, who asked to remain anonymous, have told us that they're disappointed but not surprised by the massive hack given Sony Pictures’ long-running lax attitude toward security. They say that employees highlighted specific vulnerabilities on company websites and systems that were never addressed.
“Sony's ‘information security’ team is a complete joke,” one former employee tells us. “We'd report security violations to them and our repeated reports were ignored. For example, one of our Central European website managers hired a company to run a contest, put it up on the TV network's website and was collecting personally identifying information without encrypting it. A hack of our file server about a year ago turned out to be another employee in Europe who left himself logged into the network (and our file server) in a cafe.”
The information security team is a relatively tiny one. On a company roster in the leaked files that lists nearly 7,000 employees at Sony Pictures Entertainment, there are just 11 people assigned to a top-heavy information security team. Three information security analysts are overseen by three managers, three directors, one executive director and one senior vice president.
Another former employee says the company did risk assessments to identify vulnerabilities but then failed to act on advice that came out of them. "The real problem lies in the fact that there was no real investment in or real understanding of what information security is," said the former employee. One issue made evident by the leak is that sensitive files on the Sony Pictures network were not encrypted internally or password-protected.
(It’s worth noting that former employees are particularly aggrieved by the hack, reporting that Sony has not been in communication with them nor offered the credit monitoring that it has reportedly offered to current employees.)
Sony Pictures has said little about its security failures since the hack, but seven years ago, its information security director was very chatty about “good-enough security.” Back in 2007, Jason Spaltro, then the executive director of information security at Sony Pictures Entertainment, was shockingly cavalier about security in an interview with CIO Magazine. He said it was a “valid business decision to accept the risk” of a security breach, and that he wouldn’t invest $10 million to avoid a possible $1 million loss. He seemed not to consider the costs of a breach that are harder to immediately calculate, such as the blow to a company's reputation, the loss of trust among employees, or the possibility that James Franco might be upset that the world now knows he gets paid $6,000 to drive himself to movie sets. The current debacle is Sony's second major headline-making breach; in 2011, hackers got access to data for millions of PlayStation users.
Spaltro told the magazine a little tale: The year before, in 2006, an auditor told him that Sony’s employees were using terrible passwords — nouns rather than random combinations of letters, numbers and symbols. Spaltro bragged that he convinced the auditor that it wasn’t a big deal. He said he’d rather have employees using terrible passwords than have them write passwords down on Post-it notes attached to their screens. Sure, valid point, but ideally the head of infosec could offer up a better solution than, "Let them keep using their terrible passwords."
Seven years later, Spaltro is still overseeing data security. Now senior vice president of information security, he is paid over $300,000 this year according to one of the leaked salary documents — and that will get bumped over $400,000 if he gets his bonus. It’s unclear if a massive hack and complete failure of security is a bonus-breaker.
Update (Dec. 9): Sony Pictures never responded to Fusion's requests for comment, but Re/code published a memo sent out internally at Sony Pictures that addressed security issues. In it, Kevin Mandia, head of security firm Mandiant, which has been hired by Sony Pictures to aid in clean-up after the hack, says that the hack was an "unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared." However, independent security experts were skeptical of that.