Sony Hack: Former Employees Claim Security Issues Were Ignored
"Sony’s 'information security' team is a complete joke"
As the fallout from the massive hack at Sony Pictures continues, former employees are saying they're not surprised by the breach, claiming the company had a lax attitude about information security.
"Sony’s 'information security' team is a complete joke,” one former employee tells Fusion. “We’d report security violations to them and our repeated reports were ignored. For example, one of our Central European website managers hired a company to run a contest, put it up on the TV network’s website and was collecting personally identifying information without encrypting it. A hack of our file server about a year ago turned out to be another employee in Europe who left himself logged into the network (and our file server) in a cafe."
Another former employee tells Fusion that the company did risk assessments to identify vulnerabilities on company websites and systems but failed to address those problems.
“The real problem lies in the fact that there was no real investment in or real understanding of what information security is,” the ex-Sony staffer said.
The cyber attack first hit Sony the Monday before Thanksgiving, with a group calling itself Guardians of Peace taking credit. It's unknown who was responsible for the breach, which the FBI is helping Sony investigate.
North Korea, or its supporters, have been suspected of being responsible for the hack because of the government's outrage over Sony's upcoming movie The Interview, which involves a plot to assassinate North Korean leader Kim Jong Un. But the hack could also be an inside job.
The hack has resulted in confidential information being leaked to the media, including as many as 47,000 Social Security numbers, according to The Wall Street Journal. Various reports, based on what are said to be documents disseminated by the hackers, have revealed the salaries of Sony's top executives, details about The Interview's budget and executive insights from PowerPoint presentations.
At its holiday party Thursday night, SPE CEO Michael Lynton and co-chairman Amy Pascal took a resilient tone in speaking about the recent breach. Lynton thanked staffers who had "persevered" since the "malicious" cyber attack and said he was sympathetic to anyone who felt "violated or angry" by having their personal information made public. Pascal, meanwhile, gave a rousing pep talk. "On any Friday night, we can shift the world on its axis, and if anybody wants to stop us, they're going to have to do a whole lot more than breach a firewall," she said.