On Nov. 24, 2016, it will be two years since the widely publicized Sony Pictures Entertainment cyber-attack. The group responsible identified themselves as the 'Guardians of Peace' (GOP), and released a bevy of sensitive information about films, salaries, and employees. Private conversations, medical information, and social security numbers were all leaked. What lessons can we learn from the Sony leak scandal and the associated release of The Interview?
The premise of The Interview was controversial from the get-go. The North Korean government demanded in June 2014 that distributor Columbia Pictures cease the release of The Interview. Columbia responded by editing the film, but the edited version still wasn't satisfactory to North Korea because of its portrayal of the country's leader, Kim Jong-un. On Nov. 24, 2014, confidential data from Sony Pictures Entertainment (parent company of Columbia Pictures) was released. The supposedly unrelated "Guardians of Peace" then proceeded to threaten to attack any cinemas that screened the film in any form - leading many major chains to opt out of showing the film entirely. Sony itself canceled the theatrical release of the film - though it was still released digitally and in limited independent locations.
The goal likely wasn't specifically to expose Sony's stolen information. What was stolen in the security breach was used as a trump card to force Sony to capitulate. Sony was hacked so that the "Guardians of Peace" would have leverage - blackmail, essentially. When Sony and Columbia didn't comply, the data was released. This is worth noting because it's different from cases where the data itself is the point of the hack.
The GOP claims that it had first accessed Sony's information a year beforehand. If this is true, then it indicates that this data heist was planned well in advance. The global cyber security implication is that you can't expect hackers to announce their intentions or demands beforehand. Gaps existed in part because Sony didn't know it was a target until it was too late.
It's likely that even if the company had completely capitulated, the data would have been eventually released anyway - potentially after being used as blackmail for another later demand. When Sony decided to cancel the theatrical release of The Interview, President Obama was critical of the decision to do so. "If somebody is able to intimidate folks out of releasing a satirical movie, imagine what they start doing when they see a documentary they don't like, or news reports they don't like."
President Obama continues, "Even worse, imagine if producers and distributors and others start engaging in self-censorship because they don't want to offend the sensibilities of somebody whose sensibilities probably need to be offended."
We may never know for certain if the North Korean government was involved with the cyber-criminals responsible for hacking Sony and releasing its data, and the government has vehemently denied any involvement. This data breach directly led Sony to significantly improve its cyber-security measures to prevent further attacks, but the damage was done. This data breach reinforces the idea that we are the first gatekeepers of our own personal information.
When you entrust your personal and sensitive information to someone else, what control do you have over where it goes next?