Sony Pictures acknowledged that it was “investigating an IT matter” this week while the Internet lit up with a full range of speculation, confusion and derision as it appeared the massive media corporation may be grappling with its third high-profile security breach in three years.
This most recent hack remains shrouded in mystery, with news outlets merely regurgitating information found elsewhere, or citing anonymous “sources” who suggest it was an inside job or that the company was “paralyzed” by the event. Hackers calling themselves #GOP or “Guardians of the Peace” purportedly insisted that their demands be met (with no mention of what the actual demands were) or they would release all of Sony’s “secrets.” It was also unclear whether the secrets were personally identifiable information or the plot of the next James Bond movie.
The message to Sony, according to the website business2community.com, read:
Hacked By #GOP
Warning:
We’ve already wasned you, and this is just a beggining.
We continue till our request be met.
We’ve obtained all your Internal data, Including your secrets and top secrets.
If you don’t obey us, we’ll release data shown below to the world.
Determine what will you do till November the 24th, 11:00 PM (GMT).
The oddly worded and misspelled message also includes a series of links to ZIP files. This type of cyber extortion, if it is that, is not unheard of, but it’s definitely less common. It’s also, according to a recent study, not a particularly popular cyber insurance policy yet.
Details are sketchy from Sony, but security experts highlight this as an “unusual event.” One expert told Advisen, “What’s most interesting to me is the extended duration of this attack/outage which appears to be 2+ days now. Companies with the level sophistication as a Sony typically have safeguards in place to mitigate this type of an extended outage. Some of this appears that Sony might have taken their network off-line proactively while they are investigating the root cause.”
And Sony is no stranger to cyber risk.
A 2011 data breach and loss of personally identifiable information at Sony set the litigation stage for finding no defense or indemnity coverage under commercial general liability insurance policies, as the New York Supreme Court agreed with Sony’s insurers that the CGL policy doesn’t address data breaches and wouldn’t respond to the dozens of class action lawsuits that followed the data breach. The court determined that the policies didn’t apply to outside actions that resulted in the release of data – the policy would have require Sony itself to “commit the acts.” Much debate still surrounds this issue, and there’s been no word on whether Sony opted to pick up dedicated cyber insurance policies following the court ruling.
And, in August, Sony was hit by a distributed denial of service attack on its Playstation network stemming from a hacker or hackers known only as “Lizard Squad.”
Twitter responses to the alleged issues at Sony included fear, frustration, puzzlement and outright mocking that the company would again be hit by hackers – apparently not having learned the lesson of closely guarding its digital perimeter.
In any event, when a big company is hit hard, it prompts a ripple effect throughout industries faced with the same risks. In the case of cyber risk, that would be everyone, anywhere that maintains, collects, uses or stores data.
Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].
