Sony says the recent breach of its servers and weeklong cyber humiliation is an "unprecedented" strike and an "unparalleled crime." If they're shocked by these events, they've been shocked for almost a year: leaked emails obtained by Gawker show security troubles dating back to February.
In an email from February 12, 2014, VP of legal compliance Courtney Schaberg provides colleagues (including chief counsel Leah Weil) with a harbinger of awful info security practices:
Schaberg notes that a "[Sony Pictures Entertainment] system may have been obtained by an unauthorized party, who then may have uploaded malware." Investigators say this is exactly the method used in this recent, grand release of proprietary documents. Under an hour later, Schaberg sends a followup, elaborating on the attack:
Crucially, Schaberg says that hackers snatched Brazilian corporate files via "SpiritWORLD," a corporate network the company uses to transfer data around the world. According to a project description on LinkedIn, SpiritWORLD's reach is pretty vast:
SpiritWORLD is a central system for distributing media across the world for Sony Pictures.
The application handles the media distribution of 23 territories across the world.
SpiritWORLD manages media, Prints, Booking, Grosses & billings.
All functions like Managing master records, Media booking, grosses and generating different kinds of reports are handled real-time.
The data SpiritWORLD handles is exactly the kind of data found in the first few rounds of leaks from hackers calling themselves Guardians of Peace earlier this month—a labyrinth of folders containing financial documents, grosses, media reports, etc. If GOP was behind the February hack, it would explain the strangely large number of documents in its data dumps that pertained to Sony's Brazilian markets or were written in Portuguese, possibly indicating Brazil as the origin. Other than these Brazilian documents, virtually all other documents refer to Sony's U.S. markets.
It's not proof that GOP has been successfully targeting Sony since February. But it also seems clear Sony was intent on keeping the February hack covered up.
Regarding the reporter's contact to Sony, an article was published today on this topic. See link below. It does not mention Sony.
Our SOC found that the story has now been published and Sony is not mentioned. Of course, if the list is circulating, we could be.
Schaberg decides to stay silent on the matter, and because it's not mandated under Brazilian law, says Sony shouldn't alert anyone that their data had been compromised (emphasis added):
In terms of a notification obligation, Brazil does not have a breach notification law. Although the Brazilian Constitution, Civil Code, and Consumer Protection Code contain general provisions on privacy protection, and data subjects are entitled to indemnification for moral and material damages that result from a violation of their privacy, based on the facts known thus far I recommend against providing any notification to individuals given a) the lack of a notification requirement; b) the limited data fields involved; and c) the fact that notifying would not likely have much effect in terms of mitigating potential damages.
What line could sting more for a current Sony employee, whose passwords and social security numbers are now being traded like commodities, than "I recommend against providing any notification to individuals given"? The company was breached by outside attackers, and the most important thing for Sony was that their name wasn't attached—a search of Brazilian outlets still shows no results or disclosures of the theft.
Nine months later, after it's clear just how little they cared about their internal security, hundreds of gigabytes of Sony data is spread across the world by unnamed hackers—and now their name is the only one showing up in articles.