The saga surrounding the unprecedented Sony Pictures Entertainment cyberattack has been going strong for three weeks with no end in sight.
But the focus is slowly shifting. Industry observers are increasingly speculating about whether Sony Corp.'s motion picture division will be able to survive and overcome the financial and reputational damage of what will likely become the most costly data breach of a U.S. company in history, beating out its own 2011 PlayStation Network attack that cost a reported $170 million, and last year's Target Corp. breach, which cost nearly $160 million.
It's been an eventful couple of days for Sony. First, an anonymous post on PasteBin purporting to be from the same Guardians of Peace hacking group that has taken credit for the cyberattacks against Sony Pictures threatened the safety of moviegoers for the planned Dec. 25 release of The Interview. Soon major theaters announced they would not show the film, which led to Sony Pictures' decision to postpone its release. Today the FBI confirmed that it has evidence that the government of North Korea is behind the attack, though few details have been disclosed beyond the FBI's statement, which revealed that known North Korean IP addresses were hard-coded into the malware used in the attack. And to make matters worse, cyber insurance may not cover Sony's losses.
The Sony hack may be the most damaging cyberattack ever on a US business. http://t.co/kNEnxxdpaA — Rebecca (@photographnz) December 18, 2014
The decision to not release The Interview (which many speculate was the ultimate goal of the cyberattackers) has caused a flurry of conversation around Sony Pictures' finances. Forbes reported that the movie cost $44 million to produce; Bloomberg estimated the cost of production and marketing for the film topped $80 million. However, profits of the unreleased movie aside, there are other issues that will cost the company up to a reported $200 million.
While Sony Pictures Chairman and CEO Michael Lynton and Co-Chairman Amy Pascal assured staff at separate meetings Monday that the company would recover from the attack, it is admittedly too early to put a price on the cost of the breach -- although the outlook seems bleak.
Sony facing ‘substantial loss’ on cancellation of 'The Interview' http://t.co/rJL9NoZglh - I am starting to doubt SPE will survive this. — Terence Donnelly (@terryd1) December 18, 2014
Following the release of salacious emails written by Sony Pictures' executives and others associated with the company, the image of the company's leadership is at stake. In addition, hackers leaked many of the company's trade secrets; its schedules, plans and contracts are out in the open for competitors to spy on. And since scripts of yet-to-be-released movies were posted online, future box office revenue may also be affected.
These costs don't even include the price of rebuilding the company's failed information security program, which many believe was a direct result of rounds of layoffs affecting its information technology staff in 2010 and earlier this year. And while only two class-action lawsuits have been filed against the company so far by former employees, more suits -- and legal costs -- are likely to follow.
Hard to quantify is the damage to Sony Pictures' reputation. Some are blaming the company for setting a bad precedent, putting the future of freedom of speech in jeopardy and "letting the hackers win." It's unclear whether going forward the company will be able to attract and retain talent, many of whom have not only been angered through the aforementioned emails, but may also question the company's trustworthiness and ability to keep their confidential information safe.
Dear Sony Hackers: now that u run Hollywood, I'd also like less romantic comedies, fewer Michael Bay movies and no more Transformers. — Michael Moore (@MMFlint) December 17, 2014
So will Sony Pictures be able to rebound? While the company is no stranger to data breaches, whether this will be the first data breach that effectively takes down a U.S. company remains to be seen, though it certainly is a possibility.
In other news
- The FBI published a confidential "flash" report warning U.S. businesses to be on "high alert" for Iranian hackers targeting companies including defense contractors, airlines, educational institutions and energy companies. The report detailed the malicious software and methodologies used by the hackers and offered mitigation strategies. The FBI wrote that the attacks thus far have typically been launched from two IP addresses. It also did not attribute the attacks to the Tehran government. Businesses that have experienced such attacks are requested to contact the FBI. The FBI warnings mirror those released by cybersecurity firm Cylance Inc. earlier this month about what it dubbed "Operation Cleaver" in which Cylance researchers uncovered information about Iranian attacks on 50 companies in 15 industries across 16 countries.
- In its latest bid to improve website security and boost the popularity of HTTPS, the Google Chrome Security Team suggested this week that browsers should display a warning to users when an HTTP website is visited. Currently, popular browsers including Chrome, Firefox and Internet Explorer use a padlock to denote a secure website. Under the new plan, browsers will instead note when a website is insecure. The team's blog post stated that "people do not generally perceive the absence of a warning sign," but they may react differently "when there is no chance of security: when the origin is transported via HTTP." The Chrome Security Team is looking for feedback on the proposed change and hopes to devise and deploy a transition plan in 2015.
- According to a blog post Tuesday by Symantec Corp. Senior Threat Analyst Engineer Jo Hurcombe, spammers are increasingly using malicious links in email to target victims rather than using downloadable attachments. Though the number of malicious links in spam email was relatively low over the past six months, Symantec Security Response recorded a 44% jump in the number of emails from October 2014 to November 2014. The team attributed the decrease in downloadable malware to the increased usage of email applications that scan for and block malicious attachments. The team also believes new malware variants -- including Trojan.Pandex, Downloader.Ponik and Downloader.Upatre -- are behind the increase in malicious-link malware.