Following the Sony hacking scandal, in which thousands of documents from the company’s movie studio were exposed, an IT worker employed by a firm that has access to Sony’s computer network has described the company’s security as a “mess.”
“The security team has no f—ing clue,” the employee told Business Insider, speaking about the team’s unpreparedness for a cyberattack of this scale.
Our source told us that Sony’s security was “outdated and ineffective.” The person described Sony’s security policies as “idiotic” and cast doubt on Sony’s claim that it used industry-standard security software.
Sony Pictures CEO Michael Lynton sent a memo to staff in the days after the hack occurred. In the email, he quoted a security researcher from Mandiant who suggested that Sony couldn’t really have done anything to protect against the attack:
This attack is unprecedented in nature. The malware was undetectable by industry standard antivirus software and was damaging and unique enough to cause the FBI to release a flash alert to warn other organisations of this critical threat.
Our source described that letter as “pathetic,” a criticism that has been shared by many security researchers. Security researcher Adam Caudill told Mashable that Sony Pictures and Mandriant described the attack as “unprecedented” only to save face. Another expert, Adrian Sanabria, told Mashable that “you should definitely be able to detect somebody copying 40GB of data systematically.”
The employee who works with the Sony network said the company’s internal IT team was “terrible,” consisting of “incompetent people.”
We saw evidence of just how poor Sony’s security was in the files that hackers posted online. A series of documents stored in a folder named “Password” contained login information for administration accounts, social media accounts, and even SSL certificates. An SSL certificate digitally signs a web page to prove that it’s from that company.
Hackers used the passwords found in that folder to cause more damage, taking over Twitter accounts for Hollywood movies and using them to spread information about the hack.
The source close to Sony also said the company hadn’t learned from previous hacks.
In June 2011 the hacker group LulzSec, an offshoot from Anonymous, hacked into Sony Pictures. They said they obtained “usernames, passwords, email addresses, and dates of birth for thousands of people.” The group used a common tactic against Sony Pictures, using an SQL injection attack to gain access to the company’s computer network.
To our source’s knowledge, nobody from Sony’s computer security team was fired over that hack. That could mean that the same people who were meant to defend the company’s servers in 2011 are still presiding over its security.
We reached out to Sony for this story and will update if we hear back from them.