Sony’s reputation has taken a bashing over the last few months after it was hit by two high-profile breaches. In October, the firm admitted that the personal details of 6,800 Sony Interactive Entertainment employees had been stolen in the MOVEit breaches perpetrated by the Cl0P ransomware group.
Sony had already been investigating a September breach that saw now-defunct ransomware group RansomedVC claim to have compromised a server in Japan that held data on internal testing for its entertainment, technology and services arm.
The Sony brand is now associated with multiple hacks. In 2011, Sony confessed that the personal data of about 77 million people with accounts on its PlayStation Network had been stolen.
Sony was also famously breached in 2014, with North Korean hackers stealing information and demanding the firm cancel the film ‘The Interview’, which tells the story of two Americans who assassinate North Korean leader Kim Jong Un.
What can others learn from this?
It might seem obvious, but the 2023 incidents show how easy it is to be breached more than once. Sony isn’t the only organisation to be hacked multiple times, but it’s a reminder that it can and will happen, says Adam Pilton, cyber security consultant at CyberSmart.
In such cases, the damage to the company and affected individuals can be significant. According to independent security researcher Sean Wright, the MOVEit attack resulted in the disclosure of Sony employees’ personal data. “Attackers could leverage this type of information to carry out fraud using personal details, such as taking out loans in the victim’s name.”
The fall-out can also add up to significant costs, especially if attacks are multiple, says Tim Freestone, chief strategy and marketing officer at Kiteworks: “The consequences of the two breaches will be deep-reaching, including reputational damage from another cybersecurity failure; legal liability and costs for credit monitoring; higher cyber insurance premiums; and a potential loss of confidence in Sony’s security from its partners.”
Managing your reputation can make the difference between a cyber attack leaving lasting damage and surviving it. Experts agree that clear communication is critical, and Sony handled this pretty well.
The firm has been open about what happened. “The notification letter sent out to those affected [by the MOVEit breach] was well written and included an appropriate level of detail,” Wright says. “This shows a commitment to being open and transparent, which Sony should be commended for.”
As soon as Sony discovered the unauthorised downloads indicating it was a victim of MOVEit, it immediately took the platform offline and launched an investigation with external cybersecurity experts, says Freestone. “It also notified law enforcement and offered credit monitoring to impacted individuals. It is good that Sony treated the breach seriously and communicated quickly and transparently.”
Sony was unlucky enough to suffer two alleged attacks within months, and both made the news, undeniably damaging the firm’s reputation. “Sony is now in a position where it’s at risk of association with being hacked and unable to secure its systems,” says Pilton. While he concedes Sony cannot change what has happened, “the firm must now ensure it engages in a full ‘lessons learnt’ process”, he says.
The official advice is not to pay the ransom, but it’s frequently ignored. This is despite the fact that firms, including Royal Mail, have succeeded in refusing to pay. Sony also apparently refused to pay the ransom, “no doubt having done its homework” on RansomedVC, says Phil Robinson, principal security consultant at Prism Infosec. “The group had previously listed a number of companies that have not paid as pending or cancelled,” he explains.
It is thought that some of the gang previously held administrator roles on breach websites selling data. Robinson adds that the group could take advantage of this and leak data that was already in the public domain to attempt to extort payment.
It might seem simple, but it helps to be aware that attackers can be creative in their methods during ransomware negotiations. RansomedVC’s criminal spree was short and the group has recently shut down. Still, Robinson says that RansomedVC previously pitched its ransom demands below the fine a company would incur for breaching data protection regulations such as the EU General Data Protection Regulation (GDPR). “The goal was to tempt victims to keep quiet and pay up, but this is likely to be a less than successful tactic when the affected party has no assurance that they will get their data back.”
One of the ground rules of robust security is patching, but in this case, Sony couldn’t have prevented the MOVEit hack by doing so. “Sony learned of the existence of a vulnerability in MOVEit three days after it was attacked, meaning it was impossible for it to have prevented the attack through patching,” says Mark Stockley, a threat researcher at Malwarebytes.
Yet, while patching didn’t help this time, it’s still important to look out for security holes and ensure they’re fixed. “Make sure you pay attention to vendor security advisories and apply patches as soon as possible for infrastructure holding potentially sensitive information – especially if those vulnerabilities are critical,” Wright says.
Beyond just patching, implementing other basic controls and policies is at the heart of protecting all firms from cyber attacks. Pilton advises multi-factor authentication, which adds layers of security on top of a password.
At the same time, ensure you effectively monitor your systems, says Wright. “If you notice any suspicious activity, ensure you put immediate protections in place.”
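Wright’s advice to monitor systems and act on suspicious activity is easiest to follow with a concrete detection in hand. The following is an added example, not code from the article or from any vendor or organisation it mentions: a small Python detector that reads file-transfer audit logs and raises an alert when a single account pulls more files or more bytes within a short window than a baseline allows, the kind of unauthorised bulk download the article describes Sony spotting on its MOVEit platform. The log format and sample lines are constructed for this example, and the thresholds are assumptions that must be tuned against your own environment’s normal traffic.

```python
"""Flag bulk-download activity in managed file transfer (MFT) audit logs.

Added example, not taken from the article or any product. The log format,
the sample lines and the thresholds below are all constructed/assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one event per line, assumed to be in chronological
# order. svc_partner pulls six files in under 30 seconds; jdoe behaves normally.
SAMPLE_LOG = """\
2023-05-29T02:11:04Z user=svc_partner ip=203.0.113.7 action=DOWNLOAD file=/hr/payroll_q1.csv bytes=1048576
2023-05-29T02:11:09Z user=svc_partner ip=203.0.113.7 action=DOWNLOAD file=/hr/payroll_q2.csv bytes=1048576
2023-05-29T02:11:15Z user=svc_partner ip=203.0.113.7 action=DOWNLOAD file=/hr/payroll_q3.csv bytes=1048576
2023-05-29T02:11:20Z user=svc_partner ip=203.0.113.7 action=DOWNLOAD file=/hr/benefits.csv bytes=1048576
2023-05-29T02:11:26Z user=svc_partner ip=203.0.113.7 action=DOWNLOAD file=/hr/addresses.csv bytes=1048576
2023-05-29T02:11:31Z user=svc_partner ip=203.0.113.7 action=DOWNLOAD file=/hr/bank_details.csv bytes=1048576
this line is deliberately malformed and must be skipped by the parser
2023-05-29T09:02:10Z user=jdoe ip=198.51.100.23 action=DOWNLOAD file=/shared/contract.pdf bytes=2097152
2023-05-29T09:20:41Z user=jdoe ip=198.51.100.23 action=UPLOAD file=/shared/contract_signed.pdf bytes=2101248
2023-05-29T09:44:51Z user=jdoe ip=198.51.100.23 action=DOWNLOAD file=/shared/invoice.pdf bytes=524288
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) action=(?P<action>\S+) "
    r"file=(?P<file>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["bytes"] = int(ev["bytes"])
    return ev


def detect_bulk_downloads(lines, max_files=5, max_bytes=50 * 2**20,
                          window=timedelta(minutes=10)):
    """Return one alert per account whose downloads inside a sliding window
    exceed max_files or max_bytes. Thresholds are assumed, not vendor values."""
    recent = defaultdict(deque)   # user -> events still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "DOWNLOAD":
            continue
        q = recent[ev["user"]]
        q.append(ev)
        # Drop events that have aged out of the window relative to this event.
        while ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        n_files = len(q)
        n_bytes = sum(e["bytes"] for e in q)
        if (n_files > max_files or n_bytes > max_bytes) and ev["user"] not in alerted:
            alerted.add(ev["user"])     # one alert per account per run
            alerts.append({
                "user": ev["user"],
                "ips": sorted({e["ip"] for e in q}),
                "files": n_files,
                "bytes": n_bytes,
                "first_seen": q[0]["ts"].isoformat(),
                "last_seen": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_downloads(SAMPLE_LOG.splitlines()):
        print(f"ALERT bulk download by {alert['user']} from {alert['ips']}: "
              f"{alert['files']} files, {alert['bytes']} bytes "
              f"between {alert['first_seen']} and {alert['last_seen']}")
```

The detector is deliberately stateful per account rather than per request, because a single download rarely looks wrong on its own; what distinguishes exfiltration from routine use is volume over a short period, so the window length and both thresholds should be derived from the busiest legitimate account you see in a normal week, then alerted on when exceeded.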
Training is also important. “People play a significant role in security: Ensuring they are trained and aware of the threats they face, as well as how to respond, will make a difference in preventing attacks and quickly identifying them,” says Pilton.
Most organisations will be breached at some point (hence the old ‘not if, but when’ adage you’ll have likely read time and time again), so it’s best to accept that and see it as a learning opportunity, experts advise. Sony is upping efforts to continuously monitor its systems, which could (and should) make a difference for the company. “It’s likely we’ll see the firm take a much more authoritative approach to ensuring it is cyber resilient,” says Jack Peters, customer solutions architect at M247.
Peters sees the latest Sony breaches as an opportunity for other companies to learn. “Understand how this occurred in the first place and ensure your own systems and supply chains are secure and can’t be accessed by opportunists looking to exploit them”, he says.
Additionally, looking at how Sony has managed the fallout, he thinks organisations must ensure their own incident response plans are bulletproof “so they can take immediate and effective action should they be subject to a similar attack.”
Learning from incidents such as the Sony breach can help everyone prepare for future threats, says Freestone. He advises “proper cybersecurity hygiene, robust protective measures and a culture of security awareness” to ensure you stay safe and secure.
The final word is that it’s always a good idea to learn from breaches of other businesses to prevent your own from suffering the same fate. Sony is no exception: Make sure you don’t forget the basics while knowing that patching alone won’t save you. Communicate fully, manage your reputation and accept that breaches do happen; it’s how you handle them that counts.