The hacking attack that hobbled Sony Pictures Entertainment in recent days has left other Hollywood studios examining their own security measures.
Although no studio would say so publicly, at least three of Sony’s rivals said they were assessing and upgrading their own systems and protocols in the wake of the breach. However, there is a sense among the executives who spoke with Variety that the attacks on Sony were not a precursor to a wider assault on Hollywood companies.
The financial damage and the strain that the leaks have put on Sony’s operations should represent a wake-up call, security advisers tell Variety.
“You have to assume you will be compromised at some point,” said Tom Kellermann, chief cyber-security officer for data security firm Trend Micro. “You have to make it more difficult for people to steal your movies or steal your content.”
Kellerman recommends that Hollywood studios install breach-detection systems, intrusion prevention systems and data-loss prevention systems similar to ones used by financial institutions that deal with sensitive information, if they don’t already. Other experts suggested that studios collaborate more closely with each other and share information about threats and data-wiping malware they have observed.
In the case of Sony, much of the damage may already be done. Since the studio was hacked last week by a group calling itself “Guardians of Peace,” the salaries of top executives, the personal data and Social Security Numbers of 3,803 employees, and other sensitive internal documents have all seeped out online. Five of the studio’s films, including such unreleased titles as “Annie” and “Still Alice,” have also been released online and widely pirated.
Finding the culprit behind the attacks is a time-consuming process.
“It’s a six-month ordeal at minimum, and you’re looking at tens of millions of dollars in losses, and that’s not including and damage to your brand or possible lawsuits,” said Joe Loomis, CEO of online security firm CyberSponse. “On the forensic side, it’s a massive enterprise to interview all the parties involved. It’s like you’re walking into a black room and trying to paint a Monet.”
News reports have focused on the possible involvement of North Korea in the hacking attack. The country’s leaders are angry about the upcoming Sony release “The Interview,” a comedy with Seth Rogen and James Franco about a talk-show host recruited by the CIA to assassinate North Korean leader Kim Jong-un.
One security expert questioned the possibility that North Korea is involved, noting that it could create diplomatic incidents with Japan, where Sony is headquartered, and the U.S., where its film studio is based.
“To me, it looks like a combination of hackers on the outside working with somebody on the inside,” said Hemu Nigam, CEO of SSP Blue, an L.A.-based online-security consulting firm. “The personnel attacks that are happening (with the release of Sony Pictures’ internal data)… all suggest that someone internally has a vendetta against the company or is a disgruntled employee.”
Hacking and piracy are part of the new reality for studios. This year alone has seen films such as “Expendables 3” fall victim to rampant piracy potentially impacting its box office, along with the leak of high-profile trailers for films such as “Avengers: Age of Ultron” and a hack attack on the personal iPhone accounts of dozens of actresses such as Jennifer Lawrence and Selena Gomez. Sony’s attack may be the most damaging breach, but it’s hardly the only one.
“Most people think of information security as a game of cat and mouse that requires perpetual investments,” said Gerry Stegmaier, a Washington, D.C.-based cyber-security legal expert with the law firm Goodwin Procter.”You fix and repair one entrance and they just find a new way in.”
Todd Spangler contributed to this report.