Sony Pictures and North Korean Hackers
In November 2014, just in time to capitalize on the rush of moviegoers during the Thanks giving and Christmas holiday seasons, Sony Pictures was set to release a new comedy The Interview. Executives at Sony already knew that The Interview would be controversial. The plot involved a television tabloid show host and producer who discovered that the North Korean dictator, Kim Jong-un, was a big fan of their show. When they set up a trip to visit Kim Jong-un, they were recruited by the CIA to turn their trip to Pyongyang, Korea, into an assassination mission. Not surprisingly, the real Korean government leaders were displeased with the plot of the movie, and they apparently took drastic measures to convince Sony Pictures’ executives not to release the movie to theaters.
During a one-week period hackers, going by the name Guardians of Peace and allegedly with ties to North Korea, stole 100 terabytes of sensitive company data from computers belonging to Sony Pictures Entertainment (to put that into perspective, 10 terabytes can hold the entire printed collection of the Library of Congress). The first sign of a digital break-in appeared when the image of a stylized skull with long skeletal fingers flashed on every Sony employee’s computer screen at the same time, accompanied by a threatening message warning that “This is just the beginning.” The message continued, “We’ve obtained all your internal data,” and then warned that if Sony did not comply with their demands, the hackers would release the company’s top secrets. Hackers slowly posted the information online or circulated information over file-sharing networks. North Korea formally denied any involvement in the hacking incident, but did praise the actions as a “righteous deed.”
The leaked information revealed highly sensitive information, like passwords and executives’ salaries, secret details about other upcoming films, and passport and visa Page 275information for Sony actors. Other leaked information contained the medical records of dozens of Sony employees and listed conditions including cancers, cirrhosis of the liver, and premature births. The hackers went as far as to threaten Sony employees and their families. The hackers also made threats of violence toward anyone who went to see the movie, with references to the terrorist’s attacks in the United States on September 11, 2001. These threats prompted the nation’s largest theatre chains to announce that they would not show the film.
Sony executives considered releasing the film only via video-on-demand or on television. Comcast, the nation’s largest cable provider, declined the opportunity to show the film through their cable network due to its politically sensitive material. Eventually Sony decided to cancel the distribution of the film. The hackers responded to Sony’s decision by saying “pulling The Interview was a ‘very wise decision’.” “We are deeply saddened at this brazen effort to suppress the distribution of a movie, and in the process do damage to our company, our employees, and the American public,” said Sony’s press release. “We stand by our filmmakers and their right to free expression and are extremely disappointed by this outcome.” The implications of these decisions extended beyond the moviemaking industry. “This is now a case study that is signaling to attackers that you can get all that you want and even more,” said a cybersecurity strategist.
President Obama criticized Sony for pulling the movie, saying it set a bad precedent and could encourage further censorship. While he was sympathetic to the problem Sony faced, the president said, “Yes, I think they made a mistake.” He also pledged that the United States would hit back at North Korea for their role in this incident. “They caused a lot of damage and we will respond. We will respond proportionately and we will respond in a place and time and manner we choose.” (One month later, President Obama, in an executive order, imposed sanctions on three North Korean organizations and 10 individuals, allegedly in response to the hacking of Sony Pictures.) Obama continued, “We cannot have a society in which some dictator someplace can start imposing censorship here in the United States, because if somebody is able to intimidate folks out of releasing a satirical movie, imagine what they start doing when they see a documentary they don’t like, or news reports they don’t like.” Companies in the United States, according to the president, needed to come to terms with the possibility of having their computer systems penetrated, but added that “we can’t start changing our patterns of behavior.” To do so, he said, would be like cancelling the Boston Marathon because bombs were detonated there.
Sony’s CEO Michael Lynton responded to the president’s remarks. “We did not cave. We did not back down. The decision not to move forward with the December 25 theatrical release of The Interview was made as a result of the majority of the nation’s theater owners choosing not to screen the film. This was their decision. Let us be clear—the only decision that we have made with respect to release of the film was not to release it on Christmas Day in theaters, after the theater owners declined to show it. Without theaters, we could not release it in the theaters on Christmas Day. We had no choice.”
On December 23, Sony did an about-face and announced it would release The Interview on Christmas Day after all, saying that the film would be released to any theaters that wanted to screen it. The film was also released simultaneously in homes on video-on-demand. “We have never given up on releasing The Interview and we’re excited our movie will be in a number of theaters on Christmas Day,” said Lynton. “At the same time, we are continuing our efforts to secure more platforms and more theaters so that this movie reaches the largest possible audience.” President Obama praised Sony’s decision to release the film. The number of independent movie theaters that eventually showed The Interview grew to nearly 600. No incidents of violence against the moviegoers were reported. Initially, Sony made The Interview available for rent online for $5.99 via YouTube Movies, Google Play, and Microsoft’s Xbox Video. Later, Sony expanded its distribution of the film to DirecTV, most of the major video-on-demand services through cable carriers, and other outlets.
Questions
1. What actions, if any, could Sony employees take to protect themselves from the theft and release of their data on their employer’s servers?
2. Give an example of a extra precaution that the company could have taken to help protect their employees information?