Forget juicy Hollywood gossip columns – nothing could embarrass Sony Pictures executives like the company’s recent hack, which has yielded reports of everything from racially offensive jibes to salary numbers.
For Sony, it’s a public relations nightmare, and if the company blushes enough, the hack could push other companies to finally make upgrades to their own security.
"The size and scope of this compromise moves security concerns from the backroom to the boardroom," Craig Williams, security outreach manager at Cisco Talos, told NBC News. "If a CEO didn't understand why access control and encryption were important before, they do now."
For the rank-and-file employees who work at Sony Pictures and the many others who worked there at some point, beefed-up security may come as too little, too late. Among the documents are email addresses, Social Security numbers, birth dates, and other personal information for thousands of employees and contractors, according to reports. Early this week, two separate pairs of former employees filed lawsuits saying Sony did not do enough to protect workers’ personal information from hackers, the Associated Press reported.
How is this hack different?
Companies that want to protect themselves from a similar breach will want to know how and why hackers singled out Sony as a target.
With details scarce, speculation about who perpetrated the digital deluge has run rampant. One theory is that the hackers who claimed responsibility for the attack, a group calling themselves "Guardians of Peace" or GOP, are backed by a North Korean government angry over "The Interview," an action-comedy movie centered around a plot to kill North Korean leader Kim Jong Un. Another is that Sony has angered hackers in the past — going all the way back to 2005 when Sony BMG installed anti-copying software on its CDs — and that this latest incident is retribution.
NBC News has confirmed none of these reports regarding the possible source of the attack. Some theaters began pulling the movie from their lineups on Wednesday, and the movie’s scheduled Thursday premiere in New York City was scrubbed.
The company has been tight-lipped with the media about the specifics behind the attack and declined to talk to NBC News for this story.
Most high-profile security breaches in the past — like the one that rocked Target last year — have centered around stolen credit card numbers. This one involved a bounty of tabloid fodder, including inappropriate emails, celebrity correspondence and future movie plans.
"This is a big one," John Dickson, formerly of the U.S. Air Force's Computer Emergency Response Team and now principal at security software firm Denim Group, told NBC News.
"In all likelihood, the companies that view Sony as an industry peer will be the most likely to change their security behaviors based upon the ongoing breach saga at Sony," he said. "This event is so close to them — so close that they no longer have the luxury of saying that security breaches happen to 'the other guy.'"
Media companies like Sony Pictures generally don't have the same level of security that the financial and aerospace industries do, said Chester Wisniewski, senior security advisor at Sophos, and Stephen Boyer, co-founder of digital security ratings firm BitSight. That is because most film studios aren't dealing with state secrets or regulated financial products.
But media companies could step up their game if the financial losses taken by Sony Pictures assume blockbuster proportions. Damaged relationships and bad press only make it harder to swallow a hit to the bottom line.
Sony's data ‘submarine’
The wide variety of information released has led Wisniewski to believe that Sony Pictures probably could have done a better job securing different parts of its business.
"Look at it like a submarine. You have all of these different compartments on a submarine, so if there is a breach, you can seal it off," Wisniewski said. "It sounds like there was no ability to seal it off — instead, it was just one big, open area."
Essentially, once hackers broke in, there was nothing to stop them from taking anything they wanted. But it's not like Sony Pictures was dealing with amateurs, Boyer said.
"From what I have heard, this was a pretty sophisticated attack," he said, adding that even national governments would have trouble defending against a hack of this scale. "That is a challenge for any organization to grapple with."
The bottom line
Beyond the financial reasons, executives may be spurred to take action on cybersecurity as they see how hacks can impact their own careers.
Gregg Steinhafel, who served as CEO of Target for six years, was forced to step down in the wake of the security breach that resulted in stolen credit and debit card numbers and may have affected as many as 70 million individuals. Over the last year, at least one major breach has occurred every month, Boyer said.
But top-notch digital security isn't cheap or always convenient, Wisniewski said, and some companies might think that Sony's history of angering hackers or its release of ‘The Interview’ might make it a special case.
So, will companies take cybersecurity more seriously? Unless the Sony hack really causes companies to sit up and pay attention, they may well do what they’ve done in the past – forget about it until the next major breach.
"I would like to say yes, but my past experience says no," Wisniewski said. "I suspect, even with the embarrassing emails, other executives might say, 'Hey, I haven't pissed off hackers, I haven't pissed off North Korea. What do I have to worry about?'"