On November 24, 2014, a hacker group called the Guardians of Peace or GOP successfully attacked Sony Pictures Entertainment . The attackers obtained personally identifiable information about 47,000 current and former SPE employees and their dependents. These materials included numerous sensitive e-mails among top SPE executives concerning actors, financial deals, and creative disagreements; executive salaries; and complete copies of unreleased Sony films. The information included names, addresses, social security numbers, driver's license numbers, passport numbers, bank account information, credit card information used for corporate travel and expenses, usernames and passwords, and compensation and other employment-related information. The hackers claimed to have stolen more than 100 terabytes of data from SPE.

The GOP initially released the most damaging information over the Internet. This information consisted of digital copies of SPE films that had been released (e.g., Fury) or were yet to be released (e.g., Annie). In addition, the attackers announced they would continue to release more interesting SPE information.

Although the specific motives for the attack had not been revealed as of mid-2016, the hack has been linked to the planned release of the SPE film The Interview. In this movie, producers of a tabloid television show learn that North Korea's leader, Kim Jong Un, is a big fan of the show, and they set up an interview with him. While the show's team is preparing for the interview, the CIA recruits them to assassinate Kim Jong Un.

Prior to the Sony hack, North Korean officials had expressed concerns about the film to the United Nations. The officials stated that to allow the production and distribution of such a film on the assassination of an incumbent head of a sovereign state should be regarded as the most undisguised sponsoring of terrorism as well as an act of war.

On December 16, 2014, the GOP mentioned The Interview by name, and they threatened to take terrorist actions against the film's New York City premiere at Sunshine Cinema on December 18. The GOP also threatened similar actions on the film's America-wide release date of December 25 (Christmas).

On December 18, two messages allegedly from the GOP appeared. The first claimed that the GOP would not release any further information if SPE agreed not to release The Interview and to remove it completely from the Internet. The second stated that SPE had suffered enough and it could release the film, but only if Kim Jong Un's death scene was not too happy.

In the aftermath of the attack, the studio was forced to use fax machines, to communicate through hard-copy posted messages, and to pay its employees with paper checks. Employees worked with pen and paper, and shops located on Sony property accepted only cash.

The Law Enforcement Response

Meanwhile, the FBI launched an investigation into the incident. In 2014, the bureau announced it had connected the North Korean government to the attack. The FBI's statement was based on intelligence gathered during a 2010 U.S. hack of North Korea's networks. In that action, the United States had tracked the internal operations of North Korean computers and networks. North Korea responded to the charges by denying any responsibility for the hack. Although most of the speculation about the attack has focused on North Korea, the authorities are investigating alternative scenarios, including the possibility that an SPE employee or former employee was involved.

The Sony Response

As a result of the attack, SPE shut down its entire network on November 25, 2014, and pulled the theatrical release of The Interview on December 17. Two days later, President Obama labeled the attack as cybervandalism and not an act of war. He also charged that that Sony's decision to pull the film from release rather than defy the hackers was a mistake because the company appeared to have capitulated to the hackers' demands.

Following initial threats made towards theaters that showed The Interview, several cinema chains, including Carmike Cinemas, Bow Tie Cinemas, Regal Entertainment Group, AMC Theaters, and Cinemark Theaters, announced they would not screen the film. On December 23, 2014, SPE authorized 300 largely independent theaters to show the movie on Christmas Day. The following day SPE released The Interview to Google Play, Xbox Video, and YouTube.

Sony defended its decision to pull the film by claiming they were a blameless victim. Specifically, because the attackers came from a foreign government, they had far more resources to attack than Sony had to defend. Therefore, the studio concluded that the attack was unstoppable. Significantly, both the FBI and security company FireEye acknowledged that the malicious software used in the Sony hack was undetectable by industry standard antivirus software.

At the same time, however, Sony apparently failed to employ basic information security countermeasures. For example, the company's e-mail retention policy left up to seven years of old, unencrypted messages on company servers. Sony was using e-mail for long-term storage of business records, contracts, and documents it saved in case of litigation. Also, sensitive informationincluding user names and passwords for IT administratorswas stored in unencrypted spreadsheets and Word files with names such as Computer Passwords.

Sony has since implemented its secure rebuild information security strategy. The plan's fundamental idea is zero trust. Its objectives are to keep attackers from entering the company's networks, to prevent them from accessing information if they do get in, and to block them from stealing information if they actually manage to access it. Specifically:

Internet access will be tightly restricted. Sony will keep as little information as possible on its active network. The remainder will be stored securely, encrypted, and cut off from the Internet. E-mails will be archived after a few weeks. System administrators will have access only to areas required to do their jobs. Employees will be able to install only preapproved applications. All users must use two-step login (multifactor authentication) procedures. Firewalls will be placed on their most restrictive settings. The Results

Beginning on December 22, 2014, North Korea experienced an Internet failure, for which the government blamed the United States, identifying the disruptions as an attack in retaliation for the SPE hack. The U.S. government denied any role in the disruptions.

Interestingly, North Korea's only Internet connections run through servers in China. Therefore, China could interdict any hacking attempts originating in North Korea. However, China and the United States are embroiled in a dispute over bilateral hacking, so it does not seem likely that China will police North Korean hacking attempts.

The SPE attack had serious repercussions for Sony, for the U.S. government, and for every organization. Consider the damage to SPE. Analysts estimate that the costs of the attack could exceed $150 million. Such costs include business disruption, loss of information and revenue, decreased customer confidence, and many others. However, the damage done to SPE's reputation (via very sensitive e-mails) could be incalculable.

In fact, several former SPE employees are suing the company for failing to adequately protect their personal data. (SPE offered one year of free credit monitoring and fraud protection to current and former employees.) In July 2015, seven cases were consolidated into a proposed class action lawsuit in a Los Angeles federal court.

In October 2015, Sony agreed to pay up to $10,000 to each claimant for identity theft losses and up to $1,000 each to cover the cost of credit-fraud protection services in connection with the cyberattack. The total settlement was expected to cost Sony approximately $8 million.

The U.S. government is faced with a serious problem. By presidential directive, the U.S. military has the responsibility to help protect and defend the nation's critical infrastructure, such as its power grid, banking system, and communications networks. However, U.S. and international entertainment companies are not part of that infrastructure. The question is: If a foreign government is attacking U.S. corporations, what is the federal government's responsibility? A related question is: If the U.S. government had known of an impending cyberattack on SPE, why didn't the government warn SPE?

And the lessons to be learned? SPE's inability to protect its information from hackers serves as a reminder to corporations and individuals that if you are connected to the Internet, your information is simply not safe. Further, no one should commit anything on e-mail that he or she would not want to see on the front page of a newspaper. The likelihood of serious breaches is increasing, as is the damage these breaches can cause. Therefore, the time, effort, and money that organizations spend on information security needs to increase as well.

One final note: In February 2016, cybersecurity companies Kaspersky and Alienvault announced that they had found new evidence linking the SPE attack with ongoing malware attacks directed at South Korea. The security firms did not definitively specify where the attacks originated, but noted only that their evidence pointed to a group operating out of North Korea.

1.Was Sony's response to the breach adequate? Why or why not? 2.Should the U.S. government help private organizations that are attacked (or allegedly attacked) by foreign governments? Why or why not?