
'We're having panic attacks' ... Sony staff and families now threatened in emails

'Join us or else,' say messages purportedly from GOP hackers


Sources within Sony Pictures have told The Register that employees received bizarre emails on Friday threatening them and their families if they don't take the side of hackers who raided the firm's corporate servers.

The hackers, working under the moniker Guardians of Peace or GOP, have spent the past week dumping onto file-sharing networks information taken from Sony's servers – including employees' home addresses, social security numbers for 47,000 people, health records, and salary details.

Unreleased movies, scripts, confidential sales negotiation documents, password lists, encryption keys, passport numbers, CVs, immigration documents, and much, much more have also been swiped and torrented. Gigabytes of sensitive information are being leaked – leaving staff, some celebrities and even minor royalty, open to identity theft.

Emails sent to staff on Friday claim to be from the head of the GOP, and warn that the hacking team plans to drive Sony Pictures out of business – and that they have only just started their campaign. The message – included below – threatens harm to staff and their families unless they show support for the GOP activities.

I am the head of GOP who made you worry.

Removing Sony Pictures on earth is a very tiny work for our group which is a worldwide organization. And what we have done so far is only a small part of our further plan. It’s your false if you if you think this crisis will be over after some time. All hope will leave you and Sony Pictures will collapse. This situation is only due to Sony Pictures. Sony Pictures is responsible for whatever the result is. Sony Pictues clings to what is good to nobody from the beginning. It’s silly to expect in Sony Pictures to take off us. Sony Pictures makes only useless efforts. One beside you can be our member.

Many things beyond imagination will happen at many places of the world. Our agents find themselves act in necessary places. Please sign your name to object the false of the company at the email address below if you don’t want to suffer damage. If you don’t, not only you but your family will be in danger.

Nobody can prevent us, but the only way is to follow our demand. If you want to prevent us, make your company behave wisely.

Of course, there's no way of knowing exactly who sent the emails – it's possible that the addresses of Sony staff have been harvested by a third party from the information already released, and miscreants are playing a sick joke. Sony has made the Feds aware of the messages.

A source close to the movie studio – best known for its Spider-Man and Men in Black flicks – told The Register staff were "having panic attacks."

Morale within the company has crashed, we're told, leading some workers to question if recent corporate cost-cutting had knackered the studio's IT security.

The movie giant has been through rounds of slashing and redundancies, partly to placate Sony's one-time largest private shareholder Daniel Loeb – who had described Sony's entertainment businesses as "poorly managed" and "characterized by a complete lack of accountability and poor financial controls."

At Loeb's insistence on a shakeup, consultancy firm Bain & Co was hired in 2013 to identify $100m in savings at Sony Pictures. This was on top of $250m in "overhead and procurement savings" the studio's CEO Michael Lynton had made that year after a string of box-office flops.

As a result of those spending cutbacks, we're told by sources, IT budgets were sharply reduced, finance functions were outsourced, and belts tightened in the theatrical and home entertainment departments. Some 800 people were made redundant between 2009 and 2013. Loeb sold off his Sony stock in October this year.

Whether or not the cost cutting dented Sony Pictures' abilities to defend itself from hackers, it seems from the leaked files that the biz employed 11 people – mostly managers – out of several thousand to maintain its computer security, according to ABC News' media blog Fusion. The size of the team and the fact that passwords were listed unencrypted in files named "passwords" is worrying to some.

"The real problem lies in the fact that there was no real investment in or real understanding of what information security is," one anonymous ex-employee is quoted as saying.

According to CIO Magazine in 2007, auditors pointed out a year earlier that Sony Pictures had a crap approach to passwords and access controls, but the concerns were dismissed by Sony execs because requiring staff to memorize complex passwords was too much – "let them keep using their terrible passwords," in other words.

"We’re trying to remain profitable for our shareholders, and we literally could go broke trying to cover for everything," Jason Spaltro, then an exec director and now vice-president of information security at Sony Pictures, told CIO.

"So, you make risk-based decisions: What’re the most important things that are absolutely required by law? [Sony takes] the protection of personal information very seriously and invests heavily in controls to protect it."

Meanwhile, Sony Pictures' PR supremo – described as a crisis-management expert – quit the biz last month just days before the hackers struck, causing a crisis. Now that's some unfortunate timing. ®
