In recent days, Sony Pictures suffered one of the most grievous data breaches ever, though the number of exposed consumer records may (or may not) turn out to be smaller than in some of the recent retail chain breaches. It showed an expanded aspect that, now the precedent has been set, we must expect to see again. The breach did not just seek to obtain some number of personal details to sell on the black market; it appears to have also specifically targeted intellectual property (IP), in this case Sony Pictures' stock-in-trade: movies not yet released or only just released. Adding injury to injury, the breach also effectively shut down all of their operations, disrupting individuals' PCs, their networks, and more, for at least two days now. An internal message to employees indicated it may take as long as three weeks to restore normal email service, Variety reports.
This is a turning point in the ongoing battle with cyber terrorism. The attacking group, purportedly calling itself “Guardians of Peace” or #GOP, has gone beyond an attempt to quietly siphon off payment card details for resale. It has also gone beyond inserting a worm that encrypts data inside the firewall, then alerting the victim to the effect of the ransomware and demanding payment. In this case, there is every appearance that the attackers planned, as at least part of their goal, to obtain copies of Sony Pictures' primary product, movies, and to distribute them freely through file sharing. One recently released film (Brad Pitt’s Fury) and four movies planned for release in the coming weeks were posted to file sharing sites and made available for download.
This has effectively the same impact as a smash-and-grab thief bursting into a jewelry store, threatening the employees, overturning the cases and fleeing with bags full of gems and gold. The thieves took the salable work product that is the primary mission of the enterprise, and diminished, if not outright destroyed, its value. With the big holiday movie, a remake of Annie starring Jamie Foxx, exposed, I expect Sony Pictures will very soon be restating its financial expectations for both this year and next. While not the highest grossing film of the year, Sony certainly anticipated significant income from DVD sales of Fury, as well as from the three other compromised films slated for release next year.
What this underscores is that organizations must move beyond thinking of data protection solely as a regulatory compliance issue and instead treat it as a revenue protection necessity. Electronic data security has for too long been focused on complying with regulations and audits, and too little on the risk to intellectual assets. Any business built on IP of any kind should treat this as a wake-up call and a prompt to reassess its risks.
As others have noted, we will remain in the frustrating position of not knowing what actually happened and who perpetrated the breach for at least months and perhaps years, as the investigative, judicial, and financial consequences are managed by Sony and the authorities. Even if, as is speculated, the Sony Pictures data breach proves to be an act of state terrorism against a commercial entity (North Korea’s reaction to the upcoming release of Sony’s James Franco/Seth Rogen comedy, The Interview), there can be no expectation that this genie will ever return to the bottle. Now that this next step has been taken, other criminal groups will seek to learn from it, imitate it, and expand beyond it more egregiously.
This means that now is the time for the most senior executives of enterprises to step back, assess the funding, resourcing, and quality of the data protection applied to their IP, determine whether it is adequately protected in the event of a breach, and take decisive action if it is not. Data breaches of large organizations are inevitable and unavoidable, as I pointed out in the prior blog post. One critical component for protecting IP at rest, in motion, and (at least in some cases) in use necessarily has to be encryption. Any encryption selected must use long random cryptographic keys with automatic key rotation at frequent intervals, diligently segregated from the data they are used to protect, and just as rigorously protected as other critical data.
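The key-handling requirements in that last sentence (long random keys, keys segregated from the data, frequent rotation) are what envelope encryption delivers in practice. The Go program below is an added illustration, not code from this post or from any product mentioned here; it assumes AES-256-GCM and a caller-supplied key-encryption key standing in for a separate key store such as an HSM or KMS, and shows rotation as re-wrapping the per-record data key rather than re-encrypting the data.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Envelope is one record under its own data key (DEK). The DEK is stored only
// wrapped by a key-encryption key (KEK) kept apart from the data, e.g. in an HSM.
type Envelope struct {
	KEKVersion int    // which KEK wrapped the DEK, so the right one can be fetched
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}
const nonceLen = 12 // standard 96-bit GCM nonce, always fresh from the CSPRNG
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// RandBytes draws n bytes from the OS CSPRNG; used for keys and nonces alike.
func RandBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
// seal prefixes a fresh random nonce to the AES-256-GCM output; open reverses it.
func seal(key, pt []byte) []byte { n := RandBytes(nonceLen); return aead(key).Seal(n, n, pt, nil) }
func open(key, ct []byte) ([]byte, error) { return aead(key).Open(nil, ct[:nonceLen], ct[nonceLen:], nil) }
// Encrypt uses a one-off DEK per record, so the KEK itself never touches data.
func Encrypt(kek []byte, kekVersion int, pt []byte) Envelope {
	dek := RandBytes(32)
	return Envelope{kekVersion, seal(kek, dek), seal(dek, pt)}
}

func Decrypt(kek []byte, e Envelope) ([]byte, error) {
	dek, err := open(kek, e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext)
}

// Rewrap rotates an envelope onto newKEK by re-wrapping only the DEK; the data ciphertext is untouched.
func Rewrap(oldKEK, newKEK []byte, newVersion int, e Envelope) (Envelope, error) {
	dek, err := open(oldKEK, e.WrappedDEK)
	if err != nil {
		return e, err
	}
	return Envelope{newVersion, seal(newKEK, dek), e.Ciphertext}, nil
}
```

Because rotation only re-wraps the small DEK, a KEK can be retired on a short schedule without touching terabytes of stored media, which is what makes the "frequent intervals" requirement affordable.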
For more on best practices for cryptographic keys and encryption, click here for a copy of our white paper “Five Key Management Fundamentals for Unlocking Encryption Success.”
This just in: Krebs on Security is just announcing Sony Pictures’ employee healthcare and salary data may have been exposed, as well.
For a free trial of Prime Factor's data protection platform, including encryption and automated key management capabilities suitable for integrating into existing or new applications, click on the button below.