These NORK idiots just made it my patriotic duty to go see this movie, when in fact I had no intention to do so. Thanks a lot, Un!
Sony sued by ex-staff over daft security, leaked privates
As if Sony Pictures didn't have enough on its plate, now former employees have launched a class-action lawsuit against the Hollywood giant over the parlous state of its security – and to recoup the damage hackers have allegedly caused them. It comes as people claiming to have hacked the movie studio's servers today made …
COMMENTS
Tuesday 16th December 2014 23:46 GMT Cpt Blue Bear
Re: Sony marketing?
Having dealt with Sony Oz for close to two decades, I'll go out on a limb and say they are quite incapable of organising such a hack. Even of themselves.
But having also dealt with marketing people (and I use the word very, very loosely), this just reeks of the sort of opportunism they think is clever.
Wednesday 17th December 2014 22:49 GMT BillG
These NORK idiots just made it my patriotic duty to go see this movie.
There is really no firm evidence that N. Korea was behind this hack. It's unlike them to not take credit - that is, if N. Korea did this it would be typical of them to proudly and openly take credit for the hack. They have never been coy.
And it is to Sony's advantage to paint this as coming from NORK.
Personally, I would not financially support Sony's incompetence by seeing this movie, or any Sony movie in theater or disc.
Wednesday 17th December 2014 21:10 GMT Fatman
Sony manglement
Probably thought the money could be better spent on their bonuses.
Or, IIRC, attempts to placate a loudmouth activist stockholder who has since dumped his stock in SPE.
Thanks Google:
http://articles.latimes.com/2013/jul/29/entertainment/la-et-ct-loeb-demands-sony-spinoff-20130729
http://www.cnet.com/news/sony-rebuffs-hedge-funds-plan-to-spin-off-entertainment-unit/
and, as a result of that effort:
http://www.neontommy.com/news/2014/04/culver-city-not-likely-feel-direct-impact-sony-pictures-layoffs
finally, we see his end game:
http://deadline.com/2014/10/sony-daniel-loeb-third-point-stock-sale-857117/
Bastard!!!
Wednesday 17th December 2014 00:09 GMT Mark 85
Red Herring Ploy?
The reference to the movie and then to 9-11 smells like a certain dead fish. There is a certain language usage but it just feels like mis-direction.
Unless...ok... tin-foil hat time... NSA did the deed and Obama wants a reason to hit N.Korea. Maybe because Dear Leader likes Dennis Rodman more than him?
Oh yeah...$1000 is peanuts for the grief and stress of having one's identity stolen.
Thursday 18th December 2014 10:10 GMT Trevor_Pott
Re: Red Herring Ploy?
Sony should be shut down and all the money returned to the non-management, non-executive employees. Let them go forth to get better jobs elsewhere, with enough money to run for a few years while they search.
Let the shareholders reap absolutely nothing and send the executive layer to remote arctic island with nothing more than a knife and a shovel between them.
Wednesday 17th December 2014 01:05 GMT Turtle
Summing Up.
"Even after such major breaches, the company was still storing critical information in plain text and without proper encryption, and Sony management made a business decision not to invest in proper security mechanisms, despite repeated warnings from IT staff, the suit claims."
The situation is probably best summed up by the words "criminally-culpable negligence"...
Wednesday 17th December 2014 16:26 GMT Turtle
@Shannon Jacobs Re:"criminally-culpable negligence"
"Seriously, you need to look at your EULA to see what happened to that concept. "
Do you actually believe that all the clauses of a EULA (or any other agreement, such as an employment contract) are legally-enforceable simply by virtue of the end-user having agreed to it? If you do, you are profoundly mistaken.
Thursday 18th December 2014 10:10 GMT Trevor_Pott
Re: "criminally-culpable negligence"
"Seriously, you need to look at your EULA to see what happened to that concept. Or are you really trying to say that Sony didn't spend enough on lawyers to copy the Microsoft fine print?"
I'm missing something here. What does Microsoft have to do with this?
Friday 19th December 2014 02:31 GMT Shannon Jacobs
Re: "criminally-culpable negligence"
Well, the down votes indicate a lot of people disagreed, but the comments are so muddled that I'm not clear what they disagreed about. Presumably a waste of keystrokes to attempt to clarify at this late date, so I'll just add the very short clarification of the relationship:
Microsoft's EULA says that whatever they did wrong, you can't sue them for the harmful consequences. That is now the precedent established for major companies, especially in the high tech industry. Sony has lawyers, too, and you can rest assured that their contracts include similar wording. It's probably a blanket disclaimer, but if their lawyers are sharp enough, there's probably a specific disclaimer for email losses, too, probably right after the place where you agree that they can read all of your email for any 'legitimate' reason, but 'promise' not to abuse the postmaster power. Yes, you could argue it's an overabundance of caution, since so much email is not even under Sony's control (since the origin or destination is outside of Sony), but lawyers are extreme cowards of the most natural sort.
If you need to down vote, be brave enough to say why, eh?
Wednesday 17th December 2014 01:38 GMT Bob Dole (tm)
This whole thing should be considered an embarrassment to IT professionals everywhere.
It was only a matter of time until the collective incompetence of those trusted to guard our personal information came to light. If Home Depot, Target and the rest didn't convince CEOs everywhere that they need to start hiring people that know what they are doing then I hope this serves as a solid warning. Because it's only going to get worse if they don't start doing something about it.
Wednesday 17th December 2014 02:14 GMT Anonymous Coward
Too early to judge
It's quite possible that their IT people tried and tried and tried to get Sony's upper management to invest in proper security, but their business case analyses were rejected and they were told to go away. I've seen it happen before. IT security is always seen as a burdensome cost and when you attempt to justify the cost by modeling the impact of a serious hack people think you are being alarmist.
As I've said before on El Reg, faced with using $100m to fix your security and get (ostensibly) $0 or the same $100m to spend on a new movie and get $1bn back, I know which one Sony Pictures board would go for. And it's financially sound to do so (from the point of view of maxing shareholder value). As IT pros, we need to change the calculation so that that "$100m for $0" becomes "$100m now, or $1bn later when the lawyers rip us to shreds"
Wednesday 17th December 2014 08:34 GMT Richard Jones 1
Re: Too early to judge
I up-voted you but note that there is one issue that too many businesses fail to understand. Quality is not a bolt-on extra to be added 'if the sun is shining and there is nothing better to do'. The no-more company I used to work for had that idea and it did not work for them. With all underlying parts of the business (those that the financial management idiots cannot see and understand) you either get them right from the start and keep them right or let them kill the company. The fools that broke Sony Pictures were, as we now all know, those responsible for mismanaging its shipwreck. However, trying to Elastoplast or Band-Aid a broken system is never easy or the right way; building a stable, reliable system takes ground-up work and money.
The major issue is that insurance costs, I am prepared to guess that most business issues were insured, e.g. stars not completing big budget project, etc. The $100 million to have a business critical secure system is part of the insurance cost centre that helps to ensure you have a business tomorrow.
The share holders should be joining the queue to batter down the doors, throw out the lame brains who caused this shambles of mismanagement and sue them for their malfeasance in office.
A new properly run company is now needed to replace this shambles of fools.
Wednesday 17th December 2014 09:05 GMT Anonymous Coward
Re: Too early to judge
@Bob Dole - "Because it's only going to get worse if they don't start doing something about it."
There is no IF Bob. It's going to get worse.
@Ann O'Nymous - this is part of WHY it's going to get worse. The wrong people (those without the capability to understand security risk due to lack of real education in the subject) are making the wrong decisions (to "take the risk", ie gamble, because that's a "valid business decision") based on an erroneous assumption (that one can apply business risk modelling to security risk as if they were all vanilla risk).
Remove "security" from the equation and replace it with "safety" and all those "valid business reasons" to not spend suddenly shrivel up when exposed to scrutiny. The problem is that not enough people have been outraged enough - so the suits can keep on as they always have.
Wednesday 17th December 2014 11:19 GMT TheOtherHobbes
Re: Too early to judge
Then you have to explain it in really simple terms even they can understand.
"Does your house have window locks and a burglar alarm on your house? Or do you leave the front door unlocked when you go out? You don't? Because that would be stupid and asking for trouble, right?"
Doesn't always work - many business types are far beyond all rationality - but occasionally it makes a difference.
Thursday 18th December 2014 10:22 GMT Trevor_Pott
Re: Too early to judge
"Does your house have window locks and a burglar alarm on your house?"
Nope, I'm Canadian
"Or do you leave the front door unlocked when you go out?"
Depends on how long I'm gone for. Rarely do I feel it necessary. Again, I'm Canadian. It's not really a thing here.
"You don't? Because that would be stupid and asking for trouble, right?"
Why would it be asking for trouble? Do you know how rare B&Es are here? And what is a locked door or window going to do to prevent one? If someone has made the decision to steal, they can get through such crude defenses with zero effort.
Nah, better to have a motion-triggered camera protecting the important things in the house and have good insurance. That way you can pass the video on to the cops if there's a break-in, and replace any of the things they stole. Keep some stuff near the front door that looks worth stealing so they take the easy score and leave.
The only time I've been broken into, someone decided to get into my unlocked car. They stole a first aid kit, the emergency winter gear and a cup full of loose change I keep around for parking meters. Total cost to me was 15 minutes to reorganize all my stuff and about $50 worth of replaced gear.
Now if I'd locked the car, the replacement window would have easily been $250, and I'd still have to replace that $50. Plus I'd have the added time sink of cleaning up the glass.
Now, is my computer security locked up? You bet. The internet isn't just Canadians, so I actually have to lock my digital doors.
Wednesday 17th December 2014 11:48 GMT davemcwish
Re: Too early to judge
You'd think that they have the money to do all this given Hollywood Accounting and the risk of reputational damage
Wednesday 17th December 2014 19:57 GMT Someone Else
@Ann o'Nymous Re: Too early to judge
As I've said before on El Reg, faced with using $100m to fix your security and get (ostensibly) $0 or the same $100m to spend on a new movie and get $1bn back, I know which one Sony Pictures board would go for. And it's financially sound to do so (from the point of view of maxing shareholder value).
I thought Sony made movies, not this mythological substance "shareholder value".... Silly me!
Wednesday 17th December 2014 21:23 GMT Fatman
Re: Too early to judge
It's quite possible that their IT people tried and tried and tried to get Sony's upper management to invest in proper security, but their business case analyses were rejected and they were told to go away.
You may be right on that one.
IIRC, their CSO (or similar position) recently (i.e. within the last year) left, perhaps because he could not do his job properly because of the executive decision to cut corners.
Only time will tell (assuming he isn't gagged by a NDA).
Thursday 18th December 2014 15:29 GMT BillG
Re: Too early to judge
It's quite possible that their IT people tried and tried and tried to get Sony's upper management to invest in proper security, but their business case analyses were rejected and they were told to go away.
I see it as a form of Corporate Darwinism.
The fittest companies have management that is intelligent enough to invest in IT security.
The unfit lack the intelligence, and so these companies will die away.
It's telling that this year many utility companies (gas, electric, etc) were unable to get "hacked insurance" because audits revealed their security was so embarrassing they could not get insurance at any cost.
Wednesday 17th December 2014 02:33 GMT ecofeco
The IT dept? You don't how most companies work, do you? The IT dept usually gets no respect from the board of directors. You know, the folks who set policy and budgets?
The fault lies with the BOD and the BOD ONLY. (well 9 times out of 10, anyway) However, in this case, it was the consulting company of Bain and Co. that gutted Sony's IT dept.
Do you think BofH is fiction?
Wednesday 17th December 2014 09:01 GMT Mark 85
Let's face it, IT is a cost-center and not a profit-center. However, IT is also probably the heart of mission-critical (to use C-suite buzzwords). They need us to allow the profit-centers to make the profit but they don't like spending money to do it. And it's not just security. It's even spending money to upgrade/replace equipment. But let some C-suiter get a brilliant idea about some trendy software or trendy hardware that he/she wants and the cash gates open.
Maybe the CIO types need to change their thinking and create a new center.... the heart of the business center. One that needs money to handle the mission-critical and the C-suite trendy ideas, but also to use IT security as insurance that the mission-critical never (or as close as can be) allows these type of hacks/cracks/data theft.
Part of "shareholder value" is that the business will prosper and continue to thrive which is some long term thinking for some investors. But that is what's needed and the expense of good IT is part of that intrinsic shareholder value that never shows up on a balance sheet much like trust, reputation, customer faith.
This is asking a lot of companies. To change their thinking and to act on it, but all the break-ins are a result of not thinking of things this way. It may take a few more break-ins of this scope before that happens.
Wednesday 17th December 2014 14:22 GMT LucreLout
The IT dept usually gets no respect from the board of directors.
Outside of a software firm, I've never met a single board member that didn't view IT as a cost to be cut. Sad, and short sighted, but true.
The fault lies with the BOD and the BOD ONLY
Not so. Sure, they are primarily to blame as they are, well, the BOD. However, I have lost count of the number of conversations I've had to have with younger developers who simply refuse to do things properly or to design in security from the start to finish of a project. If you're not thinking about security on day one of the build then you are not doing your job professionally.
IT simply has too many cowboys, and the only way that will ever change is when either the industry is so broke that future cowboys move onto other targets, or if we have an organised regulator similar to the GMC that determines who is allowed to practice and who isn't, and can lay down clear standards and expectations.
Wednesday 17th December 2014 08:48 GMT Anonymous Coward
I'm embarrassed in so far as I know that incompetent management is almost always to blame in these situations. Way too many times in my 30 year IT career I or my colleagues have proposed security improvements and been told to shut up and go away, in even stronger terms if it was likely to cost money!
A lot of time development is rushed, developers are hammered by managers and project leaders to get projects done, security is an after thought. One thing I've learned in 30 years in this game, the hardest job ever in IT is retro-fitting security. No one wants to know, "It's working? It's making money? Leave it alone then!" is the potted reply to most attempts to retro-fit security.
Most IT people do want to do a good job, and will try their hardest, but when gutless middle management are too shit scared of stepping out of line, nothing gets done. The "big white chief" will issue edicts, the middle managers drop their kecks and bend over the table, and then the abused kick downwards onto the bods on the shop floor.
Wednesday 17th December 2014 12:12 GMT FlatSpot
Problem with a lot of IT people is they can't express Risk or a Business case to management.
Management are away from the coal face and don't have in-depth knowledge into every part of the business.
If you ask for £10k for a shiny new firewall because it will increase security, it means nothing to anyone. However if you put it in measurable terms, that you need £10k and it will enable some magic new feature that reduces the number of Critical and High attack vectors from 10 to 2, reduce the amount of time for a failover from 2mins to 10secs and increase capacity to enable the business to grow, then you may be more likely to get somewhere. (Not forgetting to add in the cost of not doing it.)
Wednesday 17th December 2014 08:54 GMT Anonymous Coward
considered an embarrassment to IT professionals everywhere.
If Sony is like the large bank I work at, security is seen as an inconvenience to the traders getting their jobs done easier, so it is ticked in the boxes submitted to the Auditors, but never actually implemented.
"Does your IT access policy include robust logon systems?" YES
If it asked "and are they implemented?" that would be a NO, but it is not one of the questions.
Wednesday 17th December 2014 12:12 GMT Boris the Cockroach
It's the management's fault
It happens everywhere when we get told "you cant have another seat at superwhizzy CAM software because it costs £5000/seat"
Only to be told the next day "The boss has just ordered a new carpet for the offices at £80/m^2... oh and have you done that 5 axis robot program yet?"
If you think that there are essential and non-essential business expenses, then you are a dumb ass, because ALL spending on the business is essential
Wednesday 17th December 2014 09:58 GMT pmb00cs
Hmmmm
"This won't take us down," he promised, the LA Times reports. "You should not be worried about the future of this studio. I am incredibly sorry that you've had to go through this."
And that there is part of the problem. A breach this large, exposing this much sensitive data, really ought to be unrecoverable. Sony have apparently had everything exposed, all the personal details of all their current and many of their past employees, and all their confidential business data. Either one of those being leaked at that scale should cripple a business, both, at the same time, should be a death knell for the Board.
Wednesday 17th December 2014 15:49 GMT Pascal Monett
Meanwhile . . . "hired a high-priced lawyer to threaten the press"
They didn't have enough money to implement proper security, but they sure as hell seem to have plenty when it comes to miserably failing to preserve what's left of their image.
They're the only ones who think there's anything left to preserve.
Wednesday 17th December 2014 10:11 GMT ElReg!comments!Pierre
What if movie studio loses? Big biz liable for big data blunders?
It's a bit shocking that it's not already the case. Big biz often asks (sometimes borderline illegally) for a whole lot of private -sometimes very private- information on you, most of which is completely unrelated to your job. I would think it is a bare minimum that they are held liable for leaks should they misplace such data. If they can't keep it secure, they should not ask for it. (in most cases they should not ask for it in any case to begin with, but high unemployment rates awaken the slave-trader instincts in HR bods)
Wednesday 17th December 2014 11:52 GMT Anonymous Coward
"It also hired a high-priced lawyer to threaten the press"
Had they hired real IT security experts, maybe they would have spent less and not found themselves in this mess.... but I guess when the tempest goes away, execs will congratulate themselves for the money spent in lawyers and will keep on not spending on IT security....
Wednesday 17th December 2014 12:55 GMT Stretch
Re: "It also hired a high-priced lawyer to threaten the press"
IT workers are a cost to be reduced or eliminated. That's their thinking. So many times I have seen it.
And, ofc, any IT worker with any skillset in any country can do any job just as well as a real experienced professional. That's how IT works, right?
Wednesday 17th December 2014 12:57 GMT John G Imrie
Re: "It also hired a high-priced lawyer to threaten the press"
They probably did hire real IT security experts.
However a demand that security is improved to his line manager, became a request to the middle manager which was talked over the water cooler with the senior manager and ended up as a request to mildly censure him to the Board.
Wednesday 17th December 2014 13:51 GMT Anonymous Coward
Information Security <> IT
A lot of comments about how management don't understand IT/Security but in my experience it's rare to find IT professionals with security knowledge outside their specific area.
That's not a dig at IT professionals, you all do a great job, but you wouldn't want a vet leading your local A&E. They might do an adequate job in the short term but it's not what they've been trained for.
If you want security expertise employ security professionals.
Wednesday 17th December 2014 13:52 GMT GeneralDisaster
12 years gone from the company, and they still have all his details...
What about the guy in the class action suit, who left the company 12 years ago, but whose personal data is still on file? Under EU data protection legislation data can only be kept for as long as it is required. Why were they holding his personal information for so long? He should take them to the cleaners; he should have been purged from the systems years ago. How many of us could also be affected by companies that we used to work for? I know my old company never purged this from the HR systems either.
Thursday 18th December 2014 11:54 GMT batfastad
Re: 12 years gone from the company, and they still have all his details...
Err most companies need to keep ex-employee records for pension & tax purposes.
Fair enough. But why most and not all companies? What are the criteria that state whether a company does or does not keep these records on ex-employees?
I doubt that indefinite storage of ex-employee pension/tax records is a legal requirement, more of a "nice to have" from the company's perspective. And I'm not sure when "nice to have" trumps EU data protection.
Wednesday 17th December 2014 16:20 GMT Haro
Low Risk of Big Consequences
I mainly do earthquake risk, and this is sort of the same thing. Would you upgrade your building in California? Nobody expects anything to happen, and the government will fix it all anyway. IT risk should be insured, like earthquakes, and the more you do, the less the cost. But big trouble trying to quantify it.
Wednesday 17th December 2014 19:14 GMT Kriilin
Another part of this whole problem is the attitude of "A manager can manage anything, they don't need to really know the details, that's what their staff is for." I've seen it in my own job, the former CIO (female at that) who worked her way up from Assembler programming being replaced by a lapdog with a liberal arts background. Her problem is she illustrated some inconvenient facts.
Wednesday 17th December 2014 19:50 GMT Someone Else
Delicious irony?
It would be quite a hoot if the defendants in this case were to retain Boies, Schiller & Flexner LLP as their law firm. (This is the same firm that sent out threatening letters to various media outlets warning them not to publish any information about the hack, or else....)
Thursday 18th December 2014 12:01 GMT batfastad
Idiots
Is it just me who thinks it's insane to make a film about killing the current living premier of another country, even if you do think that country/premier is a joke?
If there was a film produced about the assassination of Obama, you would expect things to go very bomby (well, whingey) very quickly.