Sony’s IT security is a ‘joke,’ say former employees


The hack is over—but the company’s woes have just begun.

As researchers and media organisations continue to dig through the mammoth quantities of highly-sensitive internal company documents released after an unprecedented hack on Sony Pictures, serious questions are being raised about the Hollywood studio’s security procedures—with one former employee describing the “information security team” as a “complete joke.”

Gawker is reporting that within the terabytes of information leaked, thousands of passwords were stored in plaintext, with no attempt made to encrypt them. One file was helpfully named “Master_Password_Sheet.” 

The nature of the passwords varies from the personal to the corporate—which may explain how the hackers, an anonymous group going by the moniker “Guardians of Peace,” were able to gain access to Sony-related social media accounts.

Some of these passwords are “tied to financial accounts like American Express,” or are attached to personal employee details.

Others were saved in plain sight, in a folder named “Password,” BuzzFeed reports, and include logins for pricey subscription news services including Bloomberg and Lexis/Nexis.

“It’s pretty common, I’ve seen, for large non-progressive organisations… to have precariously old ways of thinking,” a security expert told Gawker, “like that ‘their firewall will save them.’”

Meanwhile, a former Sony employee has spoken scathingly about the company’s security. 

“Sony’s ‘information security team’ is a complete joke,” they told Fusion. “We’d report security violations to them and our repeated reports were ignored. For example, one of our Central European website managers hired a company to run a contest, put it up on the TV network’s website and was collecting personally identifying information without encrypting it.”

In another incident, “a hack of our file server about a year ago turned out to be another employee who left himself logged into the network (and our file server) in a cafe.”

“The real problem lies in the fact that there was no real investment in or understanding of what information security is,” said another former employee.

The data released in the hack—which is around a hundred terabytes in size—includes tens of thousands of social security numbers, personal addresses, detailed medical information and dates of birth for those on the Sony payroll, as well as screeners for upcoming films.

It’s not yet clear who is behind the attack: there’s media speculation that North Korea is behind the Guardians of Peace (#GOP), although the authoritarian state has since denied involvement.

Sony isn’t the only company whose security credentials may be called into question over the hack. Deloitte has also suffered the leak of thousands of employees’ details due to a former employee keeping the files—which, as the New York Times points out, is excruciatingly embarrassing for a company that “aggressively [markets] its digital threat intelligence services and has been providing advice to corporations about how to protect data from employee leaks.”

H/T Gawker | Illustration by Rob Price

Rob Price

Rob Price is a technology and politics reporter who served as the U.K.-based morning editor for the Daily Dot until 2014. He now works as the news editor for Business Insider, and his work has appeared in Vice, Slate, the Washington Post, and the Independent.