BreachExchange mailing list archives

N. Korea-Linked Sony Hack May Be Costliest ever


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sun, 21 Dec 2014 17:58:46 -0700

http://www.naharnet.com/stories/en/159700

The unprecedented hack of Sony Pictures, which a U.S. official says is
linked to North Korea, may be the most damaging cyber-attack ever inflicted
on an American business.

The fallout from the hack that exposed a trove of sensitive documents, and
this week escalated to threats of terrorism, forced Sony to cancel release
of the North Korean spoof movie "The Interview." The studio's reputation is
in tatters as embarrassing revelations spill from tens of thousands of
leaked emails and other company materials.

Federal investigators believe there is a connection between the Sony hack
and the isolated communist nation, according to an official who spoke on
condition of anonymity. The official was not authorized to openly discuss
an ongoing criminal case.

North Korea has denounced "The Interview" but earlier this month said
the hack might have been carried out by sympathizers. The movie features a
pair of journalists played by James Franco and Seth Rogen who are asked by
the CIA to assassinate North Korea's leader Kim Jong Un.

The attack is possibly the costliest ever for a U.S. company, said Avivah
Litan, a cyber-security analyst at research firm Gartner. "This attack went
to the heart and core of Sony's business and succeeded," she said. "We
haven't seen any attack like this in the annals of U.S. breach history."

A besieged Sony on Wednesday canceled the Christmas Day release of the
film, citing threats of violence by the hackers and decisions by the
largest multiplex chains in North America to pull screenings. The hackers,
who call themselves Guardians of Peace, had made threats of violence
reminiscent of September 11th, 2001 if movie theaters showed the film.

Sony later said it has "no further release plans for the film."

"We are deeply saddened at this brazen effort to suppress the distribution
of a movie," Sony Pictures said in a statement.

National Security Council spokeswoman Bernadette Meehan said the U.S.
government had no involvement in Sony's decision. She said artists and
entertainers have the right to produce and distribute whatever content they
want in the U.S.

How much the cyber-attack will ultimately cost Sony is unclear. Sony faces
trouble on several fronts nearly four weeks after the hackers first
crippled its computer systems and started dumping thousands of emails and
private documents online.

In addition to vanishing box-office revenue from "The Interview," leaked
documents could muck up production schedules, experts say. There will be
the cost of defending the studio against lawsuits by ex-employees angry
over leaked Social Security numbers and other personal information. And
then there are actors who might decide to work at another studio.

Beyond the financial blow, some say the attack and Sony's capitulation have
raised troubling questions about self-censorship and whether other studios
and U.S. companies are now also vulnerable.

"Artistic freedom is at risk," said Efraim Levy, a senior financial analyst
at research firm S&P Capital IQ. "Are we not going to put out movies that
offend some constituencies?"

A breakdown of areas where Sony may suffer damage:

BOX OFFICE LOSSES

With a modest budget of about $40 million, "The Interview" had been
predicted to gross around $30 million in its opening weekend. Doug Stone,
president of film industry newsletter Box Office Analyst, forecast that
Sony could have grossed $120 million in U.S. and foreign box office revenue
from the film. It has already spent tens of millions on marketing.

But Stone said the losses represent a single movie flop, rather than a spreading
corporate disaster. Revenue from Sony Corp.'s "pictures" business totaled
830 billion yen ($7 billion) last fiscal year.

"Disney wrote down $200 million on the 'Lone Ranger' and didn't bat an
eye," he said of the rival studio. "So while it would be a significant hit,
it certainly wouldn't cause a financial collapse."

STIRRED OR SHAKEN?

A leaked script of Sony's upcoming James Bond film "Spectre" led to an
online frenzy of articles warning readers of "major spoilers."

Seth Shapiro, a professor at the University of Southern California's School
of Cinematic Arts, thinks the potential damage from a hit to the
blockbuster franchise is big.

"How can they proceed if everyone in the audience has already read the
script?" he said. "You basically need to start over and see how much you
can salvage."

Others disagreed, noting that people flooded to movies like "Titanic"
though everyone knew the ending. And they question how many people would
pore through details of the script anyway.

"Most people don't read scripts," said veteran publicist Howard Bragman.
"The Bond movie is going to do just fine."

FLEEING TALENT?

It's not yet clear if the leaks of sensitive emails will cause agents and
top actors to think twice about working with Sony.

In the short term, some think it may hurt, not only because of the insults
directed at stars such as Angelina Jolie, but because the massive leak
hurts prestige and indicates Sony is not being run as well as it should,
said Shapiro.

"Is Sony going to be the place of first resort for Hollywood A-List? No.
Not tomorrow."

Others say business interests will trump ego.

"Studio people are always saying negative things about talent," said Gene
Del Vecchio, a marketing professor at University of Southern California's
Marshall School of Business. "Ultimately it's about business," he said.
"That will outweigh the insults."

But all bets are off if Sony decides to reshuffle the top executives at the
studio. Some have speculated that co-chair Amy Pascal's job might be in
jeopardy due to the insensitive nature of some of her remarks in emails.

In an industry based on relationships, major changes at the top can affect
projects for years, said Larry Gerbrandt, a principal at entertainment
consulting firm Media Valuation Partners.

"If the fallout leads to large scale changes at the senior executive level
it will have a ripple effect for several years since it brings to a halt most
movies currently under development."

Projects have to be written off, replacement executives hired — who will
have their own ideas of what movies should be made — and the costs could
easily get into the hundreds of millions of dollars, he said.

LEGAL WOES

Earlier this week, four former employees sued Sony for not protecting their
private information from hackers. The lawsuits seek class-action status on
behalf of the nearly 50,000 Sony Pictures employees whose Social Security
numbers and other private data were exposed.

Legal experts said the cases are likely just two of many that will be filed
over the data breach. A review of 32,000 emails from the inbox of Sony
Entertainment CEO Michael Lynton that were dumped by the hackers on Monday
showed the studio suffered significant technology outages it blamed on
software flaws and incompetent technical staffers. Hackers targeted
executives to trick them into revealing their online credentials.

The files expose lax Internet security practices inside Sony such as
pasting passwords into emails, using easy-to-guess passwords and failing to
encrypt especially sensitive materials such as salary and revenue figures,
strategic plans and medical information about some employees. Experts say
such haphazard practices are common across corporate America.

Sony potentially faces tens of millions of dollars in damages from a
class-action lawsuit, said Jonathan Handel, an entertainment law professor
at the University of Southern California Gould School of Law.

"This doesn't look good for Sony, which after all is a technology company,"
Handel said.