The Sony Pictures Entertainment cyber-attack that resulted in the leak of various highly-sensitive and confidential corporate data, employment information, and proprietary intellectual property just before Thanksgiving is the latest in a long line of recent breaches that exemplify the enormous damage and potential liability that can result from a compromised corporate network. While the scope and extent of leaked information is still being determined, Sony Pictures confirmed that a hacker group known as the Guardians of Peace obtained a trove of data, including private employee information, actor's telephone numbers and traveling aliases, litigation files containing legal claims made against Sony Pictures, film budgets, and scripts.
It is believed that the hackers used malware in the form of destructive "wiper" programs to erase hard drives and infiltrate target websites with fake traffic while also overwriting data. While several sources and news outlets believe the attack may have come from North Korea in retaliation for Sony Pictures' upcoming film, "The Interview," which mocks the North Korea government, it does not appear that law enforcement agencies have any significant leads. What is known is that the hackers used a very public high-speed network at, of all places, the St. Regis Hotel in Bangkok, Thailand to disseminate Sony's confidential data to the internet using illegal online file-sharing hubs and BitTorrent sites. Of further interest is the fact that the hackers do not appear to be motivated (at least primarily) by money. Instead, their release of data appears intended to embarrass and humiliate Sony Pictures and to create potential legal liability for the company based upon the sensitive information disclosed.
For example, at least five new movies from Sony Pictures were stolen and subsequently shared on copyright-infringing file-sharing hubs less than a week after the attack. As of late November 2014, "Fury," the Brad Pitt war epic recently released in theatres had been illegally downloaded by over 888,000 unique IP addresses. Four other Sony movies have been leaked or pirated, including "Annie," "Mr. Turner," "Still Alice" and "To Write Love on Her Arms."
The data dump leaked by hackers also included confidential Sony employment and salary information which could lead to potential litigation down the road. For example, the dump included compensation plans and personal information of more than 6,000 Sony employees. Moreover, it was revealed that of Sony Pictures' 17 seven-figure U.S. earners, nearly all were Caucasian and only one of them is a woman. The data dump even revealed salary discrepancies among actors with Seth Rogen receiving $8.4M for his role in "The Interview" while co-star James Franco only received $6.5M.
While the leak revealed humorous, but rather harmless, information regarding celebrity aliases, the leak also disclosed highly confidential information regarding Sony's actual profits from various recent blockbusters and detailed information regarding upcoming projects and pilots not yet disclosed to the public or media.
Sony Pictures undoubtedly has its hands full trying to limit the further dissemination of its corporate assets and law enforcement agencies are surely busy tracking down who the hackers are, there will certainly be substantial legal fallout for Sony to contend with in the coming months and years. A harsh reminder that cyber security and an understanding of the appropriate legal response should a breach occur needs to be a top priority for all companies in 2015 and beyond.