I work in VFX, so it's a bit funny to hear Sony bleat on about security. The consensus here is that it's an inside job. The person that did this *hated* Sony. To me it sounds like someone wanted to bring the house down.
But the nub of the matter is this: Sony appears to have failed to follow its own advice for security. When a VFX house applies to work on certain shows, they have to be audited to make sure that no footage will leak. Since Expendables 3 leaked (which couldn't have come from a post house, as it's the full movie, with sound, something none of us have), they've gone super Nazi on the requirements.
Segregated data and management networks.
Airgaps between the internet and internal networks.
All data in and out of the building must be moved by hand.
All USB/DVDs disabled.
All internet access is done via terminal services. We had to battle to allow copy and paste...
And yet depending on the narrative you subscribe to, either someone stole HR/email backups/restricted file services via USB, or malware.
Either way should be impossible if they'd implemented their own guide.
This of course assumes that it wasn't a rogue sysadmin. From the noise I've heard about the malware, it uses brute force to guess passwords. Do they not have account lockouts? (another requirement...)
Either way, they couldn't have given a shit about security, well not in any meaningful way. Judging by some of the characters I've met from that neck of the woods I can imagine that the higher ups were extremely resistant to even the most basic of security measures.
From what I understand they had byzantine VPN authentication, but yet people appear to have been able to gain access to the email server/backups.