A group calling itself Guardians of Peace allegedly hacked into the Japanese-owned media and movie conglomerate Sony Pictures last month, stealing large files containing personal data on celebrities as well as “company secrets”, and threatened to release the information to the public if its demands were not met. Guardians of Peace’s identity is yet to be confirmed; what is known is that sensitive personal information, including the social security numbers, salaries and addresses of more than 47,000 Sony stars and employees, was taken. The hackers also gained access to details of professional contracts, upcoming movie releases and other ‘inside information’, some of which has already been leaked to the public.
Internet access to company files leaves you vulnerable
Sony’s files, like those of just about every corporation today, are accessible via the internet. Networked digital storage has long been the norm in business because it lets executives reach important information regardless of location; the same reachability is available to anyone who obtains valid credentials or a foothold on an internal machine. Firewalls and perimeter security are not enough to protect files from sophisticated hackers: once an attacker is inside the perimeter, or holds a legitimate user’s login, those controls are already behind them and only protection applied to the data itself still stands.
Sensitive personal information was duplicated on multiple computers
Compounding Sony’s security weakness was that employee information, social security numbers especially, was held in Excel spreadsheets and duplicated, in some cases, across hundreds of employee computer files. For instance, Identity Finder, a data security software company, found the social security number of Amy Pascal, Co-Chair of Sony Pictures Entertainment, in 104 different locations. Every additional copy, whether on another employee’s computer or in another folder of the same one, is one more place that has to be defended and one more place an attacker can take it from; the defender must secure all of them, while the attacker needs only one.
What should Sony have done differently?
Data has to be protected, which means encrypted, at the moment it is created. Either it is important enough to protect or it is not. Trying to police stolen data on the internet after neglecting to protect it in the first place ignores the landscape of today’s technology and the responsibility that comes with it. It is a slippery slope to neglect private information at the outset and then try to control free speech to protect it later. Once the data is on the internet, controlling it is no longer an option. Cyber vigilantism is not the correct path. Going after the attacker at the expense of the public’s rights is more bullying than law-abiding. A mistake was made: the data was not encrypted. Encryption does carry one precondition: the keys must be held separately from the data, with access to them controlled and logged, because an attacker who can read both the spreadsheets and the keys from the same compromised account decrypts just as easily as the employee does.
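The following Go program is an added example, not code from the original article or from Secure Channels. It simulates the two points made above: a discovery scan that finds the same social security numbers in every duplicated spreadsheet export, and the fix argued for here, sealing the SSN field with AES-256-GCM the moment the record is created so that every later copy carries only ciphertext. The employee names, numbers, file paths and key are constructed for the example; the column-binding via associated data and the separate-key requirement are the example's own design choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// ssnPattern matches the dashed US SSN layout (NNN-NN-NNNN); a plaintext
// discovery scan of the kind Identity Finder ran looks for exactly this.
var ssnPattern = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)

// ScanForSSNs counts SSN-shaped values per file. files maps a path to the
// file's text; only files with at least one hit appear in the result.
func ScanForSSNs(files map[string]string) map[string]int {
	hits := make(map[string]int)
	for path, content := range files {
		if n := len(ssnPattern.FindAllString(content, -1)); n > 0 {
			hits[path] = n
		}
	}
	return hits
}

// FieldCipher seals individual sensitive fields with AES-256-GCM.
type FieldCipher struct{ aead cipher.AEAD }

// NewFieldCipher takes a 32-byte key. In production the key lives in a KMS
// or HSM, not beside the data; if the attacker can read both, nothing is won.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Seal returns base64(nonce || ciphertext || tag). The column name is bound
// as associated data, so a token cannot be moved into a different column.
func (f *FieldCipher) Seal(column, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	out := f.aead.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(out), nil
}

// Open reverses Seal; it fails on a tampered token or a wrong column name.
func (f *FieldCipher) Open(column, token string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", err
	}
	ns := f.aead.NonceSize()
	if len(raw) < ns {
		return "", fmt.Errorf("token too short")
	}
	pt, err := f.aead.Open(nil, raw[:ns], raw[ns:], []byte(column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Employee is a constructed HR record; the names and numbers are made up.
type Employee struct{ Name, SSN, Salary string }

// BuildRecords creates the records. With fc == nil the SSN is stored in the
// clear (the Sony situation); with a cipher it is sealed at inception, so no
// later copy of the record ever holds a plaintext SSN.
func BuildRecords(fc *FieldCipher) ([]Employee, error) {
	raw := []Employee{{"A. Example", "123-45-6789", "250000"}, {"B. Sample", "987-65-4321", "98000"}}
	if fc == nil {
		return raw, nil
	}
	out := make([]Employee, 0, len(raw))
	for _, r := range raw {
		token, err := fc.Seal("ssn", r.SSN)
		if err != nil {
			return nil, err
		}
		out = append(out, Employee{r.Name, token, r.Salary})
	}
	return out, nil
}

// Spreadsheets renders the records as CSV and duplicates the export onto
// `copies` simulated laptops, the way HR spreadsheets get forwarded around.
func Spreadsheets(records []Employee, copies int) map[string]string {
	var b strings.Builder
	b.WriteString("name,ssn,salary\n")
	for _, r := range records {
		fmt.Fprintf(&b, "%s,%s,%s\n", r.Name, r.SSN, r.Salary)
	}
	files := make(map[string]string, copies)
	for i := 1; i <= copies; i++ {
		files[fmt.Sprintf("laptop-%03d/employees.csv", i)] = b.String()
	}
	return files
}

func main() {
	plain, _ := BuildRecords(nil)
	fmt.Println("plaintext exports exposing SSNs:", len(ScanForSSNs(Spreadsheets(plain, 104))))
	key := make([]byte, 32) // demo key only; see NewFieldCipher
	rand.Read(key)
	fc, _ := NewFieldCipher(key)
	sealed, _ := BuildRecords(fc)
	fmt.Println("sealed exports exposing SSNs:", len(ScanForSSNs(Spreadsheets(sealed, 104))))
	ssn, err := fc.Open("ssn", sealed[0].SSN)
	fmt.Println("authorised decrypt:", ssn, err)
}
```

Run with `go run`; the plaintext export scores a hit in all 104 simulated copies, the sealed export in none, and only a holder of the key recovers the number. The scan is the check a practitioner should run on their own file shares before an attacker does it for them.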
For more articles from Richard Blech, visit securechannels.com