Risk register · entry
Q1 · Predictable2014 Sony Pictures hack
North Korea wiped a studio's computers to kill a Seth Rogen comedy about killing Kim Jong-un.
Documented, foreseeable risks that were ignored anyway. The failure is attention, not information.
Why this room
The assigned room turns on the exposure rather than the attacker, and on that basis it holds. Sony's control failures were documented and had already been penalised: the 2011 PlayStation Network compromise drew a monetary penalty from the UK Information Commissioner's Office on an explicit finding that the intrusion could have been prevented had software patches and password practice been current, and Sony Pictures' own information-security leadership had publicly framed under-investment in security as an accepted commercial risk. The company therefore entered 2014 carrying a known, previously sanctioned control gap, and the destructive intrusion exploited that standing condition rather than a novel one. That is the q1 pattern: the information existed and the attention did not follow it. See flags: the classification is contestable on the actor, which carries q2 characteristics.
The record
- The attackers claimed to have taken more than 100 terabytes of data. This is an attacker CLAIM and has never been independently verified; the FBI's own statement contains no data-volume figure.medium
- On 19 December 2014 the FBI concluded that the North Korean government was responsible, citing similarities in specific lines of code, encryption algorithms and data-deletion methods to known North Korean malware; overlap between the attack infrastructure and IP addresses previously linked to North Korea; and tool similarity to the March 2013 attacks on South Korean banks and media outlets.certain
- The attack rendered thousands of Sony Pictures computers inoperable, forced the company to take its entire computer network offline, and significantly disrupted business operations (FBI's own characterisation).certain
- 47,000 unique Social Security numbers were taken from the Sony Pictures network.high
- Sony's prior breach: the 2011 PlayStation Network intrusion drew a £250,000 penalty from the UK Information Commissioner's Office, which concluded the attack could have been prevented had Sony applied current security patches and followed password best practice.certain
Sources
The book
This entry is one of 111 in the register. The full story, and what it cost the people who lived it, is in Risky Business by Claudia Zeisberger, David Munro and Joanna Reijgersberg-Siew.
Join the waiting list