The latest successful network hack, this time against Sony Pictures Entertainment, has taken on a life of its own. Many have taken to social media to support the company and some have even turned it into an electronic march for Freedom of Speech and Expression. The White House has now labeled the attack as a matter of National Security after coming to the conclusion that the attack was orchestrated by North Korea. I'm sure Sony is eating up the waves of support because it seems to be clouding the real issue. The company has taken a very political stance and assumed the role of victim instead of admitting its complicity in the event.
In my opinion, it's Sony's fault. If Sony had observed better data and network security practices, the event would never have happened. Some may argue this point with me, but once you understand how utterly inept Sony was and how truly lax its network security measures and policies were, you might change your mind and, instead of rallying support behind the American subsidiary of the Japanese multinational conglomerate, heap the blame where it's deserved.
Hacks are attempted every day. Some are successful, some are not. We know this and have been reminded of it constantly with high-profile intrusions like Target, UPS, and others this year. There have been more reported successful attacks this year than in any other, and there's no way to stop it. So, with the number of prosperous invasions clearly reported publicly, what took Sony so long to review its security policies? Didn't Sony have access to the same news we did?
For several weeks leading up to the Sony hack, the company experienced technology outages, but blamed them on software flaws and incompetent IT staff. During this period, hackers used malware code designed in the late 1990s to target Sony executives and obtain their online credentials. According to some of the stolen emails, Sony Pictures Entertainment's CEO, Michael Lynton, stored his personal information, including passwords and banking, travel, and shopping accounts, in both his work and personal email accounts. These same emails, which also included photocopies of U.S. passports, banking statements, and driver's licenses, were archived by Lynton's executive assistant. Passwords were shown to be easy to guess and sensitive data was not encrypted. And this is just the CEO's office.
An email from the CFO of Sony Pictures Entertainment was sent to Lynton in October complaining of technology issues, including data security. Nothing was done. It's also been reported, though not confirmed, that Sony's systems were left unpatched for months and Windows XP is still in use.
Clearly, Sony is not the only company to fail in data security. Most companies are not doing enough to address the scary reality of a modern world where hack attempts are so common. Will the Sony attack cause more companies to take notice and start addressing security issues? Probably not, considering the number of news reports we've seen over the last year without an industry change. So, what's it going to take?
Recently, HIPAA levied a $150,000 fine against an Anchorage Community Health Services organization for a successful attack against unpatched systems. This might be what it takes to get companies like Sony and others to wake up. A similar regulatory policy for any company doing business in the U.S. might change things. Keep the ship tight or face a massive fine. There needs to be a call for accountability for actions or inactions.
Sony is currently being sued by its employees for the total lack of responsibility for proper network and data security. Sony has deep pockets so it's unclear if the employees could actually win the suit.