Sony Pictures Has Been Hacked Before And Didn’t Tell Anyone About It

This just keeps getting better and better… unless you're working for Sony Pictures. Apparently they were hacked before and didn't tell anyone about it. Here are the details from Forbes:

An email from Courtney Schaberg, VP of legal compliance at Sony Pictures, to general counsel Leah Weil, dated 16 January 2014, reported a compromise of the Sonypictures.de site. The website was swiftly taken down after it emerged the site had been hacked to serve up malware to visitors. Schaberg also expressed concern that email addresses and birthdates for 47,740 individuals who signed up to the site’s newsletter had been accessed by the attacker.

On Friday 17 January 2014, Schaberg told Weil that it was unclear whether personal information had been taken as an investigation by a third party would not start until the following Monday, but it was unlikely Sony would disclose the breach publicly. “At this point, if PI [personal information] was accessed, it does not look like there would be a breach notification obligation to inform individuals. We should, however, inform our data protection officer in Germany, with whom we work on a regular basis. We will likely inform him of the incident tomorrow and will plan to work with him to develop an investigation strategy for next week,” the email read.

In the same email, Schaberg talks about the PR response of Sony. The strategy was simple: don’t talk about the attack. One user, who was likely warned about malware on the site by their browser, made a comment about the issue on the local Facebook page, Schaberg noted. “The strategy at this point is not to remove the comment and not to comment ourselves,” she added. Forbes could not find such a comment on the Sony Pictures Germany page.

The following day, Schaberg noted Sony had slightly changed tack on to whom it would divulge information on the breach. "When we have more facts, we will evaluate how to notify the German DPO, which we determined not to do today given (i) that we do not yet know if there was PI involved, (ii) the limited types of PI potentially involved, and (iii) the fact that the PI was stored on a server separate from the infected server. With additional facts, we will also determine whether to notify individuals and/or the Berlin DPA," her email read.

Well. That does not inspire confidence. Neither does this:

But the leaks continue to reveal breaches of Sony’s defences. Previously reported leaks have already uncovered a hack from February that exposed data of 749 “individuals associated with theaters in Brazil”, which Sony also decided not to disclose, as well as some notable gaps in Sony Pictures’ security that meant it was blind to the status of 17 per cent of devices on one of its networks.

So in other words, Sony Pictures was practically asking for something like this to happen to them: at least two breaches it chose not to disclose, and no visibility into 17 per cent of the devices on one of its own networks. If I had any sort of business relationship with Sony Pictures, I'd be very, very concerned. This is one of those situations where someone in government needs to hit Sony Pictures hard from a legal standpoint, because they clearly need to be taught a lesson.
