By now, it's no secret that Sony sucks at cybersecurity. The company's movie business, Sony Pictures Entertainment, was recently hit with what may end up being the biggest corporate hack in history. It's not the first time Sony has laid claim to that title. And if history is any guide, it likely won't be the last.
You can trace Sony's unfortunate series of hacker run-ins all the way back to 2005. And when you do, you can see that it's not just that the company is bad at defending itself—its IT department has made alarmingly bad choices; it is also good at inviting trouble.
"Sony's been raising the ire of hackers for as long as I can remember, so you have to think that they've known they're a serious target," Chester Wisniewski, a senior security advisor at Sophos, told Gizmodo in an interview. "Sony represents all of the things they dislike." He added, "I'm not justifying what these people did. But they are kind of the perfect people to go after."
The ins and outs of the many cyberattacks on Sony properties in recent years—both why and how they've happened—are a fascinating look into what happens when hacker and corporate cultures and values collide. Let's dig in.
Sony was cool once. Remember the Discman? But then in the past decade or so, the company failed to adapt, clinging to an outmoded system in ways that manifested poorly. The best example of how everything went wrong is the infamous Sony BMG copy protection rootkit scandal.
Back in 2005, when the music industry was flipping out about people burning CDs without paying for them, Sony's music division decided to get aggressive about digital rights management. Sony BMG started including two pieces of basically malicious copy protection software with its CDs. The programs were actually rootkits that modified your computer's operating system so that you couldn't copy the CD.
The software did all kinds of other stuff, too. Bad stuff! One of the programs sent private data about your listening habits back to Sony servers, and the other took advantage of open source software in an apparent copyright violation. (How ironic.) The software would run constantly in the background, sucking up your computer's resources, and there was no easy way to uninstall it. Worst of all, the rootkits made your computer more vulnerable to cyber attacks. Over a period of two years, Sony BMG sold some 22 million CDs that included this software.
The ensuing scandal was huge—huge enough to attract attention from the Bush Administration. The FTC also got involved, and there were also several lawsuits that accused Sony of trading in malicious software and violating users' rights. Sony settled. Meanwhile, the whole debacle managed to piss off the hacker community. The rootkit scandal is arguably the Big Bang moment for Sony's cybersecurity troubles. Because once you piss off the hackers, they tend to stay pissed off.
The next several years were relatively quiet for Sony, at least in terms of cybersecurity mishaps. And then George Hotz, a.k.a. geohot, got sassy. As a 17-year-old high school student, Hotz had already gained notoriety as the first person to carrier-unlock an iPhone. On the heels of the attention he got for that hack, he announced in December 2009 that he was going to jailbreak the PlayStation 3. This would allow him to do things like run pirated versions of games. Within two months, he did jailbreak the PlayStation 3 and released the code to the public.
Sony was not happy. It released a firmware update to patch the exploit, though other hackers followed Hotz's lead and were ultimately able to run any software, including Linux, on a PlayStation 3. (The PlayStation 3 was originally lauded for its ability to run Linux, but Sony removed that ability after a hack in 2010.) In January 2011, Hotz released the console's root keys for further hacking fun.
Sony sued the heck out of Hotz and a number of other hackers. The company threw the book at them too, accusing the hackers of multiple counts of computer fraud and copyright infringement. Sony even got a judge to unmask the IP addresses of the people who visited Hotz's website.
If there's one thing hackers hate more than corporations sneaking malicious software onto the computers of paying customers, it's corporations going after their friends directly. Wisniewski zeroed in on this incident when we talked. "You've got all these freedom-loving, hacker-minded people who all have a reason to hate Sony," he reiterated.
Sony and Hotz settled out of court in April 2011, when Hotz agreed not to hack into Sony products any more. Then shit hit the fan.
As Sony was threatening to send George Hotz to jail in early April 2011, Anonymous mobilized in a massive way. The leaderless collective launched a campaign to bring down the PlayStation Network. The original warning to Sony read:
Your corrupt business practices are indicative of a corporate philosophy that would deny consumers the right to use products they have paid for and rightfully own, in the manner of their choosing. Perhaps you should alert your customers to the fact that they are apparently only renting your products? In light of this assault on both rights and free expression, Anonymous, the notoriously handsome rulers of the internet, would like to inform you that you have only been 'renting' your web domains. Having trodden upon Anonymous' rights, you must now be trodden on.
Anonymous took down the PlayStation Network within two weeks of its warning, and the network stayed down for 23 days. During that time, Anonymous also stole the personal details of some 77 million PlayStation accounts.
The attack ended up costing Sony at least $171 million. The hackers had sent a very clear message.
Following the Anonymous attack, Sony was absolutely inundated. By one security firm's count, there were 21 major incidents in the six months that followed the initial PlayStation Network outage. Some of these attacks were relatively harmless breaches on Sony's international websites. Perhaps due to the dirty DRM software incident, the hackers targeted Sony BMG and other music-related businesses more than others. Some of the websites were defaced. Some were taken offline completely. Some data was stolen.
But some of the hacks that followed the historically devastating PlayStation Network bonanza were historically devastating in their own right. For instance, in June 2011, LulzSec broke into Sony Pictures servers and stole private information, including passwords and home addresses, of over 1,000,000 accounts. The hackers say that the data was easy to find and unencrypted. Passwords were just sitting there in plain text. If that sounds familiar, it's because the exact same thing just happened again.
The attacks just kept coming. By the end of the six-month string of hacks, Sony's stock price fell by nearly 40 percent. Some people thought it was an inside job since Sony apparently fired a slew of people from the department that's supposed to guard the company from cyberattacks just two weeks before the initial breach. It seems more likely, though, that they were just bad at their jobs.
Things calmed down for Sony in the years after the PlayStation Network debacle, so much so that you might've thought it had fixed its cybersecurity problems for good. The recent Sony Pictures hack is proof that it definitely has not. In fact, it may never.
Sony's problems seem to have two root causes. One, after a decade of tensions it's pretty much the hacker community's favorite punching bag. The CD DRM, the geohot incident; those have been seen as antagonizing moves to which the only response is mayhem.
But Sony's not just a frequent victim because the hackers are piling on. The other reason the company faces so much difficulty is that its best practices, as far as cybersecurity is concerned, don't seem to be any good. The company doesn't want to talk about it either. We reached out multiple times for comment, and Sony never got back to us.
Wisniewski watched Sony Pictures's war with LulzSec unfold in real time in 2011 and said he couldn't believe how poorly the company reacted. A division in one country would get hit. Sony Pictures wouldn't change a thing to protect the rest of its interests, and then a week later, hackers would hit a division in another country with the exact same attack.
"The crooks were able to attack the same thing because Sony Pictures wasn't going out and fixing it," Wisniewski told Gizmodo. "It was quite astonishing." It was even more astonishing when hackers hit Sony Pictures again, and the company still hadn't secured its network. "You shouldn't be able to gain access to one part of the network and get access to everything," the security expert explained.
But that's exactly what the so-called Guardians of Peace (GOP) hacker ring was just able to do. They've now shown that Sony left its entire network vulnerable to what appears to be a single breach. From that one break in, the hackers gained access to everything from human resources records to the private inboxes of the company's highest executives.
So why does Sony keep getting hacked? Because hackers love to hate it, and because Sony makes it easier than it should. And at this rate, neither of those things is going to change any time soon.
Illustration by Michael Hession / Shutterstock