The attack on Sony Pictures represents one of the worst fears voiced by security experts. The attack by the so-called ‘Guardians of Peace’ was a first of its kind: an organized, full-scale attack on a large business with the sole intent of destroying the reputation of a private company, not only by revealing embarrassing details about a few executives and business decisions, but by exposing the entire private lives of employees, from their income, financial data and travel history all the way to their performance reviews and medical records.
While the attack on Sony Pictures has been acutely felt by the business, the peace of mind of many of its employees has been destroyed, perhaps for a long time, if not permanently, by the threat of identity theft and extortion, and by the loss of privacy over matters such as their health and job performance that resulted from this breach.
While the ruthlessness and apparent lack of financial motive of the Guardians make this attack unique, it will be remembered as a textbook example of how not to run information security, and as an illustration of how shoddy security practices made the attackers’ job much easier.
As an example, Sony IT stored passwords unencrypted (when good practice mandates that passwords never be stored, not even encrypted, anywhere). To boot, many passwords were centralized and stored in a folder named ‘Password’ that itself contained files with ‘password’ in their names.
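To make the password-storage point concrete, the following added example (not from the original post) shows what "never store the password" means in practice: keep only a salted, deliberately slow one-way hash and check a login attempt by recomputing it, so that a leaked credential file yields no passwords. The usernames and passwords are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict

# Constructed sample data standing in for a plaintext 'password' file.
# This is the shape of store the text criticises: the secret itself is on disk.
PLAINTEXT_STORE: Dict[str, str] = {"alice": "Hunter2!", "bob": "letmein"}

# PBKDF2 iteration count; high enough to make offline guessing expensive.
ITERATIONS = 600_000


def make_record(password: str, iterations: int = ITERATIONS) -> Dict[str, str]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest. The password is not retained."""
    salt = os.urandom(16)  # per-user random salt: identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": str(iterations), "hash": digest.hex()}


def verify(record: Dict[str, str], candidate: str) -> bool:
    """Recompute the digest for a login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode(),
        bytes.fromhex(record["salt"]),
        int(record["iterations"]),
    )
    # hmac.compare_digest avoids leaking where the comparison first differs.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def migrate(plaintext_store: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """One-way migration: replace every stored password with a hash record."""
    return {user: make_record(pw) for user, pw in plaintext_store.items()}


def contains_plaintext(store: Dict[str, Dict[str, str]], secrets: Dict[str, str]) -> bool:
    """Audit check: does any stored field still equal a known plaintext password?"""
    values = {v for rec in store.values() for v in rec.values()}
    return any(pw in values for pw in secrets.values())


if __name__ == "__main__":
    hashed = migrate(PLAINTEXT_STORE)
    print("plaintext left on disk:", contains_plaintext(hashed, PLAINTEXT_STORE))
    print("alice correct password:", verify(hashed["alice"], "Hunter2!"))
    print("alice wrong password:  ", verify(hashed["alice"], "hunter2!"))
```

A copy of the hashed store tells an intruder nothing directly; each guess must be run through the full derivation, which is what the iteration count and per-user salt are for.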
A lax attitude toward security, plainly evident here, goes a long way toward explaining why Sony Pictures was so deeply compromised. It also explains why so much information that should never have been warehoused, such as personal medical data or travel history, was aggregated and accumulated in such a way as to become very low-hanging fruit for malware.