back to article Sony sued by ex-staff over daft security, leaked privates

As if Sony Pictures didn't have enough on its plate, now former employees have launched a class-action lawsuit against the Hollywood giant over the parlous state of its security – and to recoup the damage hackers have allegedly caused them. It comes as people claiming to have hacked the movie studio's servers today made …

  1. EJ

    These NORK idiots just made it my patriotic duty to go see this movie, when in fact I had no intention to do so. Thanks a lot, Un!

    1. Anne-Lise Pasch

      You think the NORKS did this? I'm not sure yopmail is even available in NK, even to government hackers with approved access. :> I'd look a little closer to home.

    2. GBE

      Sony marketing?

      I'm not going to claim that Sony's marketing people are behind the data dumps. But, once they had occurred, starting rumors that it was done by North Korea attempting to supress a Sony movie wold be a brilliant way to geenerate press and get people to go see the movie...

      1. Cpt Blue Bear

        Re: Sony marketing?

        Having dealth with Sony Oz for close to two decade, I'll go out on a limb and say they are quite incapable of organising such a hack. Even of themselves.

        But having also dealt with marketing people (and I use the word very, very loosely), this just reeks of the sort of opportunism they think is clever.

    3. Destroy All Monsters Silver badge
      Facepalm

      Patriot strong but otherwise retarded

      > These NORK idiots just made it my patriotic duty to go see this movie

      You now feel like it's 1937, Germany around here.

    4. Florida1920 Silver badge

      Based on reviews, do yourself a favor: Send the equivalent co$t of a ticket to a charity and stay home. The real bomb in this unfolding farce is the movie itself.

    5. BillG Silver badge
      Meh

      These NORK idiots just made it my patriotic duty to go see this movie.

      There is really no firm evidence that N. Korea was behind this hack. It's unlike them to not take credit - that is, if N. Korea did this it would be typical of them to proudly and openly take credit for the hack. They have never been coy.

      And it is to Sony's advantage to paint this as coming from NORK.

      Personally, I would not financially support Sony's incompetence by seeing this movie, or any Sony movie in theater or disc.

  2. Will Godfrey Silver badge
    Unhappy

    So much data floating around now but I wonder if we'll ever find out who it was that decided a security review was not needed... Probably thought the money could be better spent on their bonuses.

    1. Fatman Silver badge
      FAIL

      Sony manglement

      Probably thought the money could be better spent on their bonuses.

      Or, IIRC, attempts to placate a loudmouth activist stockholder who has since dumped his stock in SPE.

      Thanks Google:

      http://articles.latimes.com/2013/jul/29/entertainment/la-et-ct-loeb-demands-sony-spinoff-20130729

      http://www.cnet.com/news/sony-rebuffs-hedge-funds-plan-to-spin-off-entertainment-unit/

      and, as a result of that effort:

      http://www.neontommy.com/news/2014/04/culver-city-not-likely-feel-direct-impact-sony-pictures-layoffs

      finally, we see his end game:

      http://deadline.com/2014/10/sony-daniel-loeb-third-point-stock-sale-857117/

      Bastard!!!

      1. Turtle

        @Fatman Re: Sony manglement

        That's all good as far as it goes but how much would it have cost to encrypt the passwords, for example, as opposed to storing them (and all the other information) in plaintext?

  3. This post has been deleted by its author

  4. Haro

    Hackers gone to the next level

    They are now threatening to bomb theatres. But I think this is where the Norks could hack in with the 9200 baud analog connections. Just send phony emails.

    1. Destroy All Monsters Silver badge
      Facepalm

      Re: Hackers gone to the next level

      Bomb theatres with what? Spam e-mail??

      1. LaeMing Silver badge
        Alert

        Re: Bomb theatres with what?

        Bomb with canisters of Organic Viagra?

    2. Pascal Monett Silver badge
      Trollface

      Oh come on, they're hackers.

      They'll manage to move about 20 meters before they collapse from Red Bull withdrawal.

  5. Mark 85 Silver badge

    Red Herring Ploy?

    The reference to the movie and then to 9-11 smells like a certain dead fish. There is a certain language usage but it just feels like mis-direction.

    Unless...ok... tin-foil hat time... NSA did the deed and Obama wants a reason to hit N.Korea. Maybe because Dear Leader likes Dennis Rodman more than him?

    Oh yeah...$1000 is peanuts for the grief and stress of having one's identity stolen.

    1. InfiniteApathy

      Re: Red Herring Ploy?

      That is quite the tin-foil hat.

      Agreed on the 3rd count, $1000 is very little to deal with all that garbage.

      1. Trevor_Pott Gold badge

        Re: Red Herring Ploy?

        Sony should be shut down and all the money returned to the non-management, non-executive employees. Let them go forth to get better jobs elsewhere, with enough money to run for a few years while they search.

        Let the shareholders reap absolutely nothing and send the executive layer to remote arctic island with nothing more than a knife and a shovel between them.

  6. Turtle

    Summing Up.

    "Even after such major breaches, the company was still storing critical information in plain text and without proper encryption, and Sony management made a business decision not to invest in proper security mechanisms, despite repeated warnings from IT staff, the suit claims."

    The situation is probably best summed up by the words "criminally-culpable negligence"...

    1. Shannon Jacobs
      Holmes

      "criminally-culpable negligence"

      You say "criminally-culpable negligence"? Does not compute!

      Seriously, you need to look at your EULA to see what happened to that concept. Or are you really trying to say that Sony didn't spend enough on lawyers to copy the Microsoft fine print?

      1. Anonymous Coward
        WTF?

        Re: "criminally-culpable negligence"

        I don't think employees agree to an EULA when they join (and leave) the business.

      2. Turtle

        @Shannon Jacobs Re:"criminally-culpable negligence"

        "Seriously, you need to look at your EULA to see what happened to that concept. "

        Do you actually believe that all the clauses of a EULA (or any other agreement, such as an employment contract) are legally-enforceable simply by virtue of the end-user having agreed to it? If you do, you are profoundly mistaken.

      3. Trevor_Pott Gold badge

        Re: "criminally-culpable negligence"

        "Seriously, you need to look at your EULA to see what happened to that concept. Or are you really trying to say that Sony didn't spend enough on lawyers to copy the Microsoft fine print?"

        I'm missing something here. What does Microsoft have to do with this?

      4. Shannon Jacobs
        Holmes

        Re: "criminally-culpable negligence"

        Well, the down votes indicate a lot of people disagreed, but the comments are so muddled that I'm not clear what they disagreed about. Presumably a waste of keystrokes to attempt to clarify at this late date, so I'll just add the very short clarification of the relationship:

        Microsoft's EULA says that whatever they did wrong, you can't sue them for the harmful consequences. That is now the precedent established for major companies, especially in the high tech industry. Sony has lawyers, too, and you can rest assured that their contracts include similar wording. It's probably a blanket disclaimer, but if their lawyers are sharp enough, there's probably a specific disclaimer for email losses, too, probably right after the place where you agree that they can read all of your email for any 'legitimate' reason, but 'promise' not to abuse the postmaster power. Yes, you could argue it's an overabundance of caution, since so much email is not even under Sony's control (since the origin or destination is outside of Sony), but lawyers are extreme cowards of the most natural sort.

        If you need to down vote, be brave enough to say why, eh?

        1. Trevor_Pott Gold badge

          Re: "criminally-culpable negligence"

          Microsoft didn't start those sorts of contract terms, IBM did.

    2. morgannick2000

      Re: Summing Up.

      You could not be more right.

  7. Bob Dole (tm)
    FAIL

    This whole thing should be considered an embarrassment to IT professionals everywhere.

    It was only a matter of time until the collective incompetence of those trusted to guard our personal information came to light. If Home Depot, Target and the rest didn't convince CEOs everywhere that they need to start hiring people that know what they are doing then I hope this serves as a solid warning. Because it's only going to get worse if they don't start doing something about it.

    1. Anonymous Coward
      Anonymous Coward

      Too early to judge

      It's quite possible that their IT people tried and tried and tried to get Sony's upper management to invest in proper security, but their business case analyses were rejected and they were told to go away. I've seen it happen before. IT security is always seen as a burdensome cost and when you attempt to justify the cost by modeling the impact of a serious hack people think you are being alarmist.

      As I've said before on El Reg, faced with using $100m to fix your security and get (ostensibly) $0 or the same $100m to spend on a new movie and get $1bn back, I know which one Sony Pictures board would go for. And it's financially sound to do so (from the point of view of maxing shareholder value). As IT pros, we need to change the calculation so that that "$100m for $0" becomes "$100m now, or $1bn later when the lawyers rip us to shreds"

      1. Richard Jones 1

        Re: Too early to judge

        I up-voted you but note that there is one issue that too many businesses fail to understand. Quality is not a bolt on extra to be added 'if the sun is shining and there is nothing better to do'. The no-more company I used to work for had that idea and it did not work for them. With all underlying parts of the business, (those that the financial management idiots cannot see and understand) you either get them right from the start and keep them right or let them kill the company. The fools that broke Sony Pictures were as we now all know those responsible for mismanaging its ship wreak. However trying to Elastoplast or Band-aid a broken system is never easy or the right way, building a stable reliable system takes ground up work and money.

        The major issue is that insurance costs, I am prepared to guess that most business issues were insured, e.g. stars not completing big budget project, etc. The $100 million to have a business critical secure system is part of the insurance cost centre that helps to ensure you have a business tomorrow.

        The share holders should be joining the queue to batter down the doors, throw out the lame brains who caused this shambles of mismanagement and sue them for their malfeasance in office.

        A new properly run company is now needed to replace this shambles of fools.

      2. Anonymous Coward
        Anonymous Coward

        Re: Too early to judge

        @Bob Dole - "Because it's only going to get worse if they don't start doing something about it."

        There is no IF Bob. It's going to get worse.

        @Ann O'Nymous - this is part of WHY it's going to get worse. The wrong people (those without the capability to understand security risk due to lack of real education in the subject) are making the wrong decisions (to "take the risk", ie gamble, because that's a "valid business decision") based on an erroneous assumption (that one can apply business risk modelling to security risk as if they were all vanilla risk).

        Remove "security" from the equation and replace it with "safety" and all those "valid business reasons" to not spend suddenly shrivel up when exposed to scrutiny. The problem is that not enough people have been outraged enough - so the suits can keep on as they always have.

        1. TheOtherHobbes

          Re: Too early to judge

          Then you have to explain it in really simple terms even they can understand.

          "Does your house have window locks and a burglar alarm on your house? Or do you leave the front door unlocked when you go out? You don't? Because that would be stupid and asking for trouble, right?"

          Doesn't always work - many business types are far beyond all rationality - but occasionally it makes a difference.

          1. Trevor_Pott Gold badge

            Re: Too early to judge

            "Does your house have window locks and a burglar alarm on your house?"

            Nope, I'm Canadian

            "Or do you leave the front door unlocked when you go out?"

            Depends on how long I'm gone for. Rarely do I feel it necessary. Again, I'm Canadian. It's not really a thing here.

            "You don't? Because that would be stupid and asking for trouble, right?"

            Why would it be asking for trouble? Do you know how rare B&Es are here? And what is a locked door or window going to do to prevent one? If someone has made the decision to steal, they can get through such crude defenses with zero effort.

            Nah, better to have a motion-triggered camera protecting the important things in the house and have good insurance. That way you can pass the video on to the cops if there's a break-in, and replace any of the things they stole. Keep some stuff near the front door that looks worth stealing so they take the easy score and leave.

            The only time I've been broken into, someone decided to get into my unlocked car. They stole a first aid kit, the emergency winter gear and a cup full of loose change I keep around for parking meters. Total cost to me was 15 minutes to reorganize all my stuff and about $50 worth of replaced gear.

            Now if I'd locked the car, the replacement window would have easily been $250, and I'd still have to replace that $50. Plus I'd have the added time sink of cleaning up the glass.

            Now, is my computer security locked up? You bet. The internet isn't just Canadians, so I actually to have to lock my digital doors.

      3. davemcwish

        Re: Too early to judge

        You'd think that they have the money to do all this given Hollywood Accounting and the risk of reputational damage

      4. Someone Else Silver badge
        Facepalm

        @Ann o'NymousRe: Too early to judge

        As I've said before on El Reg, faced with using $100m to fix your security and get (ostensibly) $0 or the same $100m to spend on a new movie and get $1bn back, I know which one Sony Pictures board would go for. And it's financially sound to do so (from the point of view of maxing shareholder value).

        I thought Sony made movies, not this mythological substance "shareholder value".... Silly me!

      5. Fatman Silver badge
        Unhappy

        Re: Too early to judge

        It's quite possible that their IT people tried and tried and tried to get Sony's upper management to invest in proper security, but their business case analyses were rejected and they were told to go away.

        You may be right on that one.

        IIRC, their CSO (or similar position) recently (i.e. within the last year) left, perhaps because he could not do his job properly because of the executive decision to cut corners.

        Only time will tell (assuming he isn't gagged by a NDA).

      6. BillG Silver badge
        FAIL

        Re: Too early to judge

        It's quite possible that their IT people tried and tried and tried to get Sony's upper management to invest in proper security, but their business case analyses were rejected and they were told to go away.

        I see it as a form of Corporate Darwinism.

        The fittest companies have management that is intelligent enough to invest in IT security.

        The unfit lack the intelligence, and so these companies will die away.

        It's telling that this year many utility companies (gas, electric, etc) were unable to get "hacked insurance" because audits revealed their security was so embarrassing they could not get insurance at any cost.

    2. ecofeco Silver badge
      Pirate

      The IT dept? You don't how most companies work, do you? The IT dept usually gets no respect from the board of directors. You know, the folks who set policy and budgets?

      The fault lies with the BOD and the BOD ONLY. (well 9 times out of 10, anyway) However, in this case, it was the consulting company of Bain and Co. that gutted Sony's IT dept.

      Do you think BofH is fiction?

      1. Mark 85 Silver badge

        Let's face it, IT is a cost-center and not a profit-center. However, IT is also probably the heart of mission-critical (to use C-suite buzzwords). They need us to allow the profit-centers to make the profit but they don't like spending money to do it. And it's not just security. It's even spending money to upgrade/replace equipment. But let some C-suiter get a brilliant idea about some trendy software or trendy hardware that he/she wants and the cash gates open.

        Maybe the CIO types need to change their thinking and create a new center.... the heart of the business center. One that needs money to handle the mission-critical and the C-suite trendy ideas, but also to use IT security as insurance that the mission-critical never (or as close as can be) allows these type of hacks/cracks/data theft.

        Part of "shareholder value" is that the business will prosper and continue to thrive which is some long term thinking for some investors. But that is what's needed and the expense of good IT is part of that intrinsic shareholder value that never shows up on a balance sheet much like trust, reputation, customer faith.

        This is asking a lot of companies. To change their thinking and to act on it, but all the break-ins are a result of not thinking of things this way. It may take a few more break-ins of this scope before that happens.

      2. LucreLout Silver badge

        The IT dept usually gets no respect from the board of directors.

        Outside of a software firm, I've never met a single board member that didn't view IT as a cost to be cut. Sad, and short sighted, but true.

        The fault lies with the BOD and the BOD ONLY

        Not so. Sure, they are primarily to blame as they are, well, the BOD. However, I have lost count of the number of conversations I've had to have with younger developers who simply refuse to do things properly or to design in security from the start to finish of a project. If you're not thinking about security on day one of the build then you are not doing your job professionally.

        IT simply has too many cowboys, and the only way that will ever change is when either the industry is so broke that future cowboys move onto other targets, or if we have an organised regulator similar to the GMC that determines who is allowed to practice and who isn't, and can lay down clear standrads and expectations.

      3. Someone Else Silver badge

        @ecofeco

        Hmmm..."Bain & Co." Name sounds familiar... Say, wasn't that run by a feller named Mitt?

    3. Anonymous Coward
      Anonymous Coward

      I'm embarrased in so far as I know that incompetent management is almost always to blame in these situations. Way too many times in my 30 year IT career I or my colleagues have proposed security improvements and been told to shut up and go away, even more stronger terms if it was likely to cost money!

      A lot of time development is rushed, developers are hammered by managers and project leaders to get projects done, security is an after thought. One thing I've learned in 30 years in this game, the hardest job ever in IT is retro-fitting security. No one wants to know, "It's working? It's making money? Leave it alone then!" is the potted reply to most attempts to retro-fit security.

      Most IT people do want to do a good job, will try their hardest but when gutless middle management are too shit scared of stepping out of line, nothing gets done. The "big white chief" will issue edicts and the middle managers drop their kecks and bed over the table and then the abused kick downwards onto the bods on the shop floor.

      1. FlatSpot

        Problem with a lot of IT people is they can't express Risk or a Business case to management.

        Management are away from the coal face and don't have in-depth knowledge into every part of the business.

        If you ask for £10k for a shiny new firewall because it will increase security, it means nothing to anyone. However if you put it in measurable terms, that you need £10k and it will enable some magic new feature that reduces the number of Critical and High attack vectors from 10 to 2, reduce the amount of time for a failover from 2mins to 10secs and increase capacity to enable the business to grow, then you may be more likely to get somewhere. (Not forgetting to add in the cost of not doing it.)

    4. Anonymous Coward
      Anonymous Coward

      considered an embarrassment to IT professionals everywhere.

      If, Sony is like the large bank I work at, security is seen as an inconvenience to the traders getting their jobs done easier, so is ticked in the boxes submitted to the Auditors, but never actually implemented.

      "Does your IT access policy include robust logon systems?" YES

      if it asked "and are they implemented?" that would be a NO, but it is not one of the questions

    5. Boris the Cockroach Silver badge

      Its the managements

      fault

      It happens everywhere when we get told "you cant have another seat at superwhizzy CAM software because it costs £5000/seat"

      Only to be told the next day "The boss has just ordered a new carpet for the offices at £80/m^2... oh and have you done that 5 axis robot program yet?"

      If you think that there are essential and non-essential business expenses, then you are a dumb ass, because ALL spending on the business is essential

  8. pmb00cs

    Hmmmm

    "This won't take us down," he promised, the LA Times reports. "You should not be worried about the future of this studio. I am incredibly sorry that you've had to go through this."

    And that there is part of the problem. A breach this large, exposing this much sensitive data, really ought to be unrecoverable. Sony have apparently had everything exposed, all the personal details of all their current and many of their past employees, and all their confidential business data. Either one of those being leaked at that scale should cripple a business, both, at the same time, should be a death knell for the Board.

    1. Pascal Monett Silver badge

      Meanwhile . . . "hired a high-priced lawyer to threaten the press"

      They didn't have enough money to implement proper security, but they sure as hell seem to have plenty when it comes to miserably failing to preserve what's left of their image.

      They're the only ones who think there's anything left to preserve.

  9. Anonymous Coward
    Anonymous Coward

    I wonder if anyone here supporting (or seeding) GOP is now feeling used.

    I sincerely hope so.

    I wouldn't be suprised is seeding any of that stuff won't get you a police visit right now, or a visit from the anti-terrorism squad.

    Congratulations.

  10. ElReg!comments!Pierre Silver badge

    What if movie studio loses? Big biz liable for big data blunders?

    It's a bit shocking that it's not already the case. Big biz often asks (sometimes borderline illegally) for a whole lot of private -sometimes very private- information on you, most of which is completely unrelated to your job. I would think it is a bare minimum that they are held liable for leaks should they misplace such data. If they can't keep it secure, they should not ask for it. (in most cases they should not ask for it in any case to begin with, but high unemployment rates awaken the slave-trader instincts in HR bods)

  11. LDS Silver badge

    "It also hired a high-priced lawyer to threaten the press"

    Had they hired real IT security experts, maybe they would have spent less and not found themselves in this mess.... but I guess when the tempest goes away, execs will congratulate themselves for the money spent in lawyers and will keep on not spending on IT security....

    1. Stretch

      Re: "It also hired a high-priced lawyer to threaten the press"

      IT workers are a cost to be reduced or eliminated. That's their thinking. So many times I have seen it.

      And, ofc, any IT worker with any skillset in any country can do any job just as well as a real experienced professional. That's how IT works, right?

    2. John G Imrie Silver badge

      Re: "It also hired a high-priced lawyer to threaten the press"

      They probably did hire real IT security experts.

      However a demand that security is improved to his line manager, became a request to the middle manager which was talked over the water cooler with the senior manager and ended up as a request to mildly censure him to the Board.

  12. Anonymous Coward
    Anonymous Coward

    Information Security <> IT

    A lot of comments about how management don't understand IT/Security but in my experience it's rare to find IT professionals with security knowledge outside their specific area.

    That's not a dig at IT professionals, you all do a great job, but you wouldn't want a vet leading your local A&E. They might do an adequate job in the short term but it's not what they've been trained for.

    If you want security expertise employ security professionals.

  13. GeneralDisaster

    12 years gone from the company, and they still have all his details...

    what about the guy in the class action suite, 12 years left the company, but his personal data is still on file. under EU data protection legislation data can only be kept for as long as it is required. Why were they holding his personal information for so long? He should take them to the cleaners, he should have been purged from the systems years ago. How many of us could also be affected by companies that we used to work for? I know my old company never purged this from the HR systems either.

    1. Gordon 10 Silver badge

      Re: 12 years gone from the company, and they still have all his details...

      Err most companies need to keep ex-employee records for pension & tax purposes.

      1. batfastad

        Re: 12 years gone from the company, and they still have all his details...

        Err most companies need to keep ex-employee records for pension & tax purposes.

        Fair enough. But why most and not all companies? What's the criteria that state whether a company does or does to keep these records on ex-employees?

        I doubt that indefinite storage of ex-employee pension/tax records is a legal requirement, more of a "nice to have" from the company's perspective. And I'm not sure when "nice to have" trumps EU data protection.

    2. ecofeco Silver badge

      Re: 12 years gone from the company, and they still have all his details...

      Short answer: it's America, not the EU. They can do whatever the hell they want to in the US. It's a fascist nation.

  14. Haro

    Low Risk of Big Consequences

    I mainly do earthquake risk, and this is sort of the same thing. Would you upgrade your building in California? Nobody expects anything to happen, and the government will fix it all anyway. IT risk should be insured, like earthquakes, and the more you do, the less the cost. But big trouble trying to quantify it.

  15. Mike Moyle Silver badge

    "This won't take us down. You should not be worried about the future of this studio."

    Translation: "We're all screwed."

    It's times like this that I wish "Google Translate" had a "Business-to English" or "Marketing-to-English" option.

    1. Fatman Silver badge

      Re: "This won't take us down. You should not be worried about the future of this studio."

      It's times like this that I wish "Google Translate" had a "Business Bullshit-to English" or "Marketing PR Spin/Lies-to-English" option.

      FTFY!!!!

  16. Kriilin

    Another part of this whole problem is the attitude of "A manager can manage anything, they don't need to really know the details, that's what their staff is for." I've seen it in my own job, the former CIO (female at that) who worked her way up from Assembler programming being replaced by a lapdog with a liberal arts background. Her problem is she illustrated some inconvenient facts.

  17. Someone Else Silver badge
    Coat

    Delicious irony?

    It would be quite a hoot if the defendants in this case were to retain Boies, Schiller & Flexner LLP as their law firm. (This is the same firm that sent out threatening letters to various media outlets warning them not to publish any information about the hack, or else....)

  18. Sherrie Ludwig

    Suggestion: Sony puts the movie out - on streaming services, DVDs sold at cost to produce, gives it away to networks, etc. etc. Not that I'm a great fan of the film, but it would be fun to see how these "terrorists" deal with everyone in the US having access to the movie all at once.

  19. batfastad

    Idiots

    Is it just me who thinks it's insane to make a film about killing the current living premier of another country, even if you do think that country/premier is a joke?

    If there was a film produced about the assassination of Obama, you would expect things to go very bomby (well, whingey) very quickly.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019