← The Five Quadrants of Risk

Risk register · entry

Q1 · Predictable

2014 Sony Pictures hack

North Korea wiped a studio's computers to kill a Seth Rogen comedy about killing Kim Jong-un.

Documented, foreseeable risks that were ignored anyway. The failure is attention, not information.

Room
Q1 Predictable
Year
2014
Impact
100TB claimed
Sector
Film studio
Region
N. America
Category
Technological

Why this room

The assigned room turns on the exposure rather than the attacker, and on that basis it holds. Sony's control failures were documented and had already been penalised: the 2011 PlayStation Network compromise drew a monetary penalty from the UK Information Commissioner's Office on an explicit finding that the intrusion could have been prevented had software patches and password practice been current, and Sony Pictures' own information-security leadership had publicly framed under-investment in security as an accepted commercial risk. The company therefore entered 2014 carrying a known, previously sanctioned control gap, and the destructive intrusion exploited that standing condition rather than a novel one. That is the q1 pattern: the information existed and the attention did not follow it. See flags: the classification is contestable on the actor, which carries q2 characteristics.

The record

  • The attackers claimed to have taken more than 100 terabytes of data. This is an attacker CLAIM and has never been independently verified; the FBI's own statement contains no data-volume figure.medium
  • On 19 December 2014 the FBI concluded that the North Korean government was responsible, citing similarities in specific lines of code, encryption algorithms and data-deletion methods to known North Korean malware; overlap between the attack infrastructure and IP addresses previously linked to North Korea; and tool similarity to the March 2013 attacks on South Korean banks and media outlets.certain
  • The attack rendered thousands of Sony Pictures computers inoperable, forced the company to take its entire computer network offline, and significantly disrupted business operations (FBI's own characterisation).certain
  • 47,000 unique Social Security numbers were taken from the Sony Pictures network.high
  • Sony's prior breach: the 2011 PlayStation Network intrusion drew a £250,000 penalty from the UK Information Commissioner's Office, which concluded the attack could have been prevented had Sony applied current security patches and followed password best practice.certain

Sources

  1. Federal Bureau of Investigation (official statement, 19 December 2014, retrieved via Internet Archive)
  2. The Register
  3. Wikipedia (single corroborating source)
  4. Deadline

The book

This entry is one of 111 in the register. The full story, and what it cost the people who lived it, is in Risky Business by Claudia Zeisberger, David Munro and Joanna Reijgersberg-Siew.

Join the waiting list