In the final months of 2014, Sony Pictures Entertainment (SPE)—a well-known entertainment company responsible for producing and distributing a myriad of famous movies—experienced a large-scale cyber incident. A foreign hacking group infiltrated SPE’s network via malware, compromising the company’s digital operations and accessing a wide range of sensitive employee data, private emails and upcoming films. The incident led to major disruptions, leaked information and significant controversy surrounding an upcoming movie premiere.

The Sony Pictures Entertainment hack—which was formally attributed to North Korea as an attempt to prevent SPE from releasing a political comedy film centered around assassinating the nation-state’s leader—has since become known as one of the worst cyber incidents in the entertainment industry’s history, showcasing the importance of safeguarding company data and intellectual property. In hindsight, organizations can learn various cybersecurity lessons by reviewing the details of this incident, its impact and the mistakes SPE made along the way.

The Details of the Sony Pictures Entertainment Hack

In June 2014, SPE released the first trailer for a comedy movie titled “The Interview” to the public, stating an October 2014 release date. The film’s plot focused on two Americans who run a popular talk show getting recruited by the Central Intelligence Agency to interview Kim Jong-un—North Korea’s political leader—and assassinate him in the process.

Sony Pictures Entertainment HackA few weeks after the trailer was released, North Korean officials voiced their disapproval of the movie’s subject matter. Specifically, North Korea’s United Nations ambassador claimed that distributing a film depicting Kim Jong-un’s assassination was “an act of war.” The ambassador then contacted U.S. President Barack Obama to request the cancellation of the movie’s release date. Amid the growing controversy surrounding the film’s distribution, SPE decided to delay the movie’s release and make a range of post- production adjustments—namely, modifying Kim Jong-un’s death scene to be less violent.

From there, the film’s distribution was rescheduled for Dec. 25, 2014.

On Nov. 24, 2014—approximately one month before the movie was set to be released—SPE’s network was compromised by a foreign hacking group known as the Guardians of Peace (GOP) via an advanced form of malware. This malware was able to evade SPE’s antivirus software and came equipped with a digital backdoor that allowed the cybercriminals to repeatedly enter the company’s network. Upon logging into their workplace devices that morning, SPE employees were met with a daunting message from the GOP. This message stated that the cybercriminals had stolen several terabytes of SPE’s sensitive data and intellectual property, wiped the original copies from all company technology and planned to release this information if SPE failed to meet their demands. Initially, the GOP demanded money in exchange for the restoration of SPE’s data.

At this time, SPE did not respond to the cybercriminals’ demands. But the company’s network was still largely compromised, causing them to shut it down temporarily. It took several days for IT professionals to repair SPE’s damaged technology, forcing employees to conduct tasks without their workplace devices and significantly disrupting digital operations. Employees had to resort to using old fax machines, issuing paper checks, writing on whiteboards and scheduling exclusively in-person meetings while the company’s network was down.

Even after SPE regained access to its network, the GOP maintained a hidden entry point through the malware’s digital backdoor. As a result, the cybercriminals proceeded to leak the company’s information to both the media and the general public over the next several days. This leak included thousands of current and past employees’ personal records (e.g., names, addresses, contact information, network credentials, Social Security numbers, insurance plans and salary data), as well as a variety of private emails between SPE employees and film executives. Further, the GOP posted five of SPE’s films on digital sharing sites—four of which hadn’t been released yet. Consequently, these movies were illegally downloaded millions of times. At this point, the GOP’s demands changed. In exchange for preventing further data leaks, the cybercriminals demanded that SPE cancel the distribution of “the movie of terrorism”—which was assumed to be referring to “The Interview.”

On Nov. 28, 2014, several media organizations released initial details regarding the ongoing hack to the public. During this time, the media began speculating whether North Korea was responsible for the incident. However, the nation-state denied involvement. Despite the leaked information, SPE pressed forward with its film release plans. That is, until Dec.16, 2014, when the GOP called out “The Interview” by name and used increasingly violent language to demand the film’s distribution be canceled. The cybercriminals’ message referenced the Sept. 11, 2001, terrorist attacks and threatened to cause physical harm at any theater that screened the film. This threat prompted the FBI to launch an official investigation of the incident and led SPE to cancel the movie’s release the following day.

Yet, on Dec. 19, 2014, the Obama administration claimed that shelving the film was a mistake and doing so would only reward the GOP’s unacceptable behavior. The U.S. Department of Homeland Security also confirmed that there was no evidence of any actual plot to cause harm at theaters planning to show the film. As such, SPE announced that it had reversed its decision on Dec. 23, 2014, and released the movie two days later to over 300 independent theaters that were willing to screen the film. Because many large theater chains still refused to show the movie, SPE also decided to release it during the opening weekend on several video-on-demand platforms, such as YouTube and Google Play. The GOP’s threats ceased following the movie’s distribution.

After completing its investigation of the incident, the FBI confirmed that North Korea was likely responsible, seeing as the malware’s code was written in Korean and the hackers’ IP addresses were traced back to the nation-state. Nevertheless, North Korea still denies being involved.

The Impact of the Sony Pictures Entertainment Hack

SPE faced several consequences following the large-scale incident. These include the following:

Recovery costs
SPE is estimated to have spent at least $35 million in the process of recovering from the hack, consisting of expenses related to informing impacted employees and U.S. authorities of the incident, hiring IT professionals to recover the company’s compromised technology, conducting an internal investigation of the hack and implementing improved cybersecurity measures to prevent future incidents.

Lost revenue
Apart from recovery costs, the incident likely contributed to reduced revenue for several of SPE’s film releases. First, the mixed distribution of “The Interview” between independent theaters and online platforms due to the hack somewhat diminished the movie’s box office success, seeing as SPE lost any revenue that would have been made from large theater chains screening the film. While the movie grossed $40 million in digital rentals, it only generated $12.3 million in box office ticket sales—representing a relatively small overall profit against a $44 million budget. In addition, the GOP’s leak of four other SPE films on digital sharing sites before their theatrical releases probably minimized those movies’ box office ticket sales, considering some individuals subsequently downloaded and viewed these films early (and for free).

Reputational damages
Following the incident, SPE faced widespread criticism. In terms of cybersecurity, the company experienced scrutiny for failing to utilize various measures that could have helped protect against the hack. Although IT experts confirmed that the GOP’s malware would have been difficult for even the most sophisticated companies to stop, SPE’s protocols for safeguarding its sensitive data, email systems and intellectual property were inadequate. The company’s valuable records were stored in poorly protected locations with obvious file names (e.g., “Computer Passwords”). Further, SPE’s company email settings allowed for up to seven years’ worth of messages to remain within the network, giving the GOP access to a plethora of communications. Regarding SPE’s overall reputation, the GOP’s leak of private emails painted the company badly on various fronts. Some of these emails disclosed the details of sensitive company matters (e.g., ongoing negotiations with other film studios), while other messages revealed offensive comments that SPE executives had made about members of the entertainment industry— including high-profile actors, producers and directors. These emails likely minimized SPE’s reliability across the entertainment industry.

Legal ramifications
Lastly, the incident carried numerous legal issues for SPE. Company employees whose records were exposed during the hack filed a class-action lawsuit against SPE, totaling nearly $8 million. This total includes $2.5 million to reimburse employees for potential identity theft concerns, $2 million to offer employees fraud protection services and $3.5 million in additional legal fees. The incident also motivated the Obama administration to update federal regulations to ensure that national officials better respond to cybercrimes involving international parties.

Lessons Learned from the Sony Pictures Entertainment Hack

Several cybersecurity takeaways can be gleaned from the SPE hack. Specifically, the incident emphasized these critical lessons:

Basic security measures can’t be ignored.
In the aftermath of the hack, SPE prioritized bolstering a range of their digital protection protocols, especially related to threat detection and email security. Many of these basic measures could have helped mitigate the damages that resulted from the incident. Simple security steps for all organizations to consider include:

  • Utilizing various forms of threat detection software (e.g., network monitoring systems, endpoint detection products and patch management tools) and updating this software on a routine basis
  • Installing email filters and firewalls to minimize cybercriminals’ access capabilities
  • Developing an effective email retention policy to ensure messages are deleted after an appropriate period of time (typically no more than three years)
  • Instructing employees to refrain from sharing sensitive data or discussing confidential company details over email

Sensitive data and intellectual property require proper safeguards.
One of SPE’s biggest downfalls related to the incident was failing to adequately protect its most sensitive data and intellectual property. There are many ways for organizations to keep such information better safeguarded, such as:

  • Storing sensitive data and intellectual property in safe and secure locations
  • Encrypting all confidential workplace records and giving them discreet file names
  • Restricting employees’ access to sensitive data and intellectual property on an as-needed basis
  • Requiring employees to utilize multi-factor authentication before accessing sensitive data or intellectual property
  • Segmenting workplace networks to prevent cybercriminals from gaining access to all sensitive data and intellectual property after infiltrating a single system or device
  • Conducting routine data backups in a secure, offline location

Cyber incident response plans are vital.
When SPE’s network was shut down, its employees struggled to cope and faced significant operational disruptions. This scenario highlighted the value of having a cyber incident response plan in place. This type of plan can help an organization establish timely response protocols for remaining operational and mitigating losses in the event of a cyber incident. A successful incident response plan should outline potential cyberattack scenarios, methods for maintaining key functions during these scenarios and the individuals responsible for doing so. It should be routinely reviewed through various activities—such as penetration testing and tabletop exercises—to ensure effectiveness and identify ongoing security gaps. Based on the results from these activities, the plan should be adjusted as needed.

Targeted, state-sponsored attacks must be considered.
Seeing as North Korea was likely responsible for this incident, it’s critical for organizations to be aware of the potential for future targeted attacks or other cyber-related losses stemming from political conflicts. Depending on their specific operations, organizations should evaluate their likelihood of being involved in incidents with foreign attackers and adjust their basic security measures, data protection protocols and cyber incident response plans as needed.

Proper coverage can provide much-needed protection.
Finally, this breach made it clear that no organization—not even a major entertainment company—is immune to cyber-related losses. That’s why it’s crucial to ensure adequate protection against potential cyber incidents by securing proper coverage. When securing such coverage, organizations must clearly understand key policy terminology and conditions, particularly as they relate to physical destruction and cyber warfare.

This may entail confirming whether the policy covers physical damage to technology amid cyber incidents (also known as bricking), as well as reviewing policy definitions for “cyber warfare” and “cyber terrorism” to better comprehend how coverage could assist in such circumstances. Organizations should work with trusted insurance professionals when evaluating their policies and navigating coverage decisions.

We can help.

In the unfortunate event that your business falls victim to a cyber attack, of any type, we can help you recover.

Cyber & Data Breach Liability coverages are developing on a daily basis as new threats emerge and new insurance companies enter the market.

Regardless of the type of business, one thing is certain, if you’re a business in operation today, you face cyber risks. Which means you need to thoroughly understand your risk of a loss, how you would respond if a loss did occur, and whether Cyber & Data Breach Liability coverage makes sense for you.

The level of coverage your business needs is based on your individual operations and can vary depending on your range of exposure. It’s important to work with an Insurance Advisor that can identify your areas of risk, and customize a policy to fit your unique situation.

If you’d like additional information and resources, we’re here to help you analyze your needs and make the right coverage decisions to protect your operations from unnecessary risk. You can download a free copy of our eBook, or if you’re ready make Cyber Liability Insurance a part of your insurance portfolio, Request a Proposal or download and get started on our Cyber & Data Breach Insurance Application and we’ll get to work for you.