Clarification: this attack affected Sony Pictures Entertainment, which is a subsidiary of Sony. As far as we know, the attack did not affect any other parts of Sony.
By now you’ve almost certainly heard about the massive, comprehensive breach of all Sony’s computer systems.
It’s now clear that the attackers gained access months (if not years) ago, and took their time expanding their reach until they had access to almost every system and server controlled by Sony. The attackers then downloaded massive amounts of data from Sony systems, including unreleased films, personal data about employees, internal (and in some cases extremely embarrassing) emails, and so on. The final step for the attackers was to wipe hard drives. That’s the point at which Sony finally learned that their systems had been hacked, tipped off by someone who doesn’t even work for Sony.
At this point it’s difficult to estimate the damage, but Sony will be feeling the effects for years to come.
Incredibly, this isn’t the first time Sony has been hacked. In fact, they’ve been hacked as many as 56 times in the last decade or so. Each time this happened, Sony had an opportunity – and a serious responsibility – to improve their security. Instead, as is clearly evident from the details of this most recent attack, Sony has done little or nothing to beef up its security.
Still, one can almost feel some sympathy toward Sony. That is, until you look at what Sony is doing about the latest attack. In a move that only the most clueless corporate lawyer would recommend, Sony is now threatening anyone who reports on this attack, including noted security writer Brian Krebs.
Worse still, there are reports that Sony is performing DDoS attacks against sites that host information taken from Sony systems. If true, this is a mind-bogglingly short-sighted move.
Dear Mr. Sony: you should now fire all your senior management. I’m not kidding. These people have hurt you – and will continue to hurt you – more than they can possibly help. Time to cut your losses.
Update 2014Dec20: Ars Technica has more.
Update 2014Dec23: Bruce Schneier’s post about this is recommended reading. He looks at some of the ridiculous reactions to this attack and presents a sensible overview of what we really know.