Sony's 'small' spend on breach remediation - but are Russians inside network too?

Sony Pictures Entertainment has spent around US$ 15m (£9.87m) on investigating and remediating last year's data breach, which saw hackers steal terabytes of data.

In its financial results forecast for the third quarter (Q3) in 2014 – which ended on December 31 – the firm revealed that the cost of investigating and remediating the cyber-attack had come to around US$ 15m.

“The current quarter is expected to include approximately US$ 15 million (£10 million) in investigation and remediation costs relating to the above-mentioned cyber-attacks,” reads the report. A spokesperson later told Computerworld that this figure would likely be US$ 35 million (£23 million) for the full fiscal year.

Information security experts said that the cost of this clean-up work – some of which was carried out by FireEye's Mandiant – will have shown Sony bosses the financial impact from a data breach, although some could question how big a blow this is financially to a firm which reported US$ 21 billion (£13.8 billion) in sales and US$ 755 million (£496.5 million) in net income in the same quarter. For context, the breach works out at just 0.07 percent of Sony's total sales for that three-month period.

Brand reputation and loss of earnings from the cancelled film, The Interview, the controversial movie about a plot to assassinate North Korean leader Kim Jong-Un, have also been cited as potential areas for financial damage.

However, the latter has fared well on video-on-demand (VOD) services, earning up to US$40 million (£26.3 million), and is set to come to UK cinemas later this month. It is already showing in select US cinemas.

Phil Cracknell, head of privacy and security services at consultancy Company85, said in an email to SCMagazineUK.com that this is another example of how breaches can impact company margins, and also impact brand and sales reputation.

However, he admitted that the figure was a drop in the ocean, and one Sony could bounce back from, even if significant changes are made internally.

“Look at TK Maxx – it can withstand this type of thing, but if it were scrutinised, let's say by shareholders, it could be suggested that the decision makers (directors) who chose not to mitigate the risks were negligent in their duties and caused those losses.

“This clearly demonstrates that a public breach is likely to impact on-going operations, sales and profits as well as the added costs of remediation and investigation. When we total the sales losses with the remediation and investigation costs, the investment in the initial securing of the systems would have seemed trivial by comparison,” said Cracknell.

Chris McIntosh, CEO at ViaSat, added in an email to journalists that this was a ‘painful' lesson for Sony but said that money alone wouldn't fix the problem.

“Sony spending US$ 15 million on cyber-security shows that it has learned, however painfully, that data is more than ever most businesses' most valuable asset,” he said.

“However, money on its own won't help. Organisations such as Sony need to develop a clear strategy and approach to what they secure, and how they secure it. At an operational level, this means having both the right technology and the right education: the most expensive, hi-tech security solution is absolutely useless if employees don't know how to use it, or why it's so important in the first place.” 

Dave Palmer, director of technology at Darktrace, believes that people should look beyond the spending, and evaluate if Sony has now ensured that such attacks are unlikely in future.

“Clean-up and remediation is one thing, but what happens if this attack happens again tomorrow? The Sony board needs to be focused on stopping this kind of attack happening month after month,” he told SC.

“It is important to remember that the impact here is not just financial – this was a threatening attack against Sony's own employees, damaging internal morale, consumer confidence and the company's public reputation. 

“Without an immune system approach to cyber-security, the company has no way of knowing if there are still threatening behaviours playing out within their network, or spotting them if and when they reappear.”

Cracknell added that some business leaders are ignorant of data breaches, something he expects to change if mandatory data breach disclosure – part of the forthcoming EU Data Protection Regulation (DPR) – becomes reality on these shores.

“Mandatory breach disclosure would send a message to those who sit with fingers in ears and eyes tightly shut, but on the basis of the Sony financials, it would also save businesses huge amounts of money.”

Sony's finalised fiscal results for Q3 are to come out on 31 March. The firm said in the forecast that results for the quarter were “not impacted by the cyber-attack”.

The Sony data breach is one of the biggest in recent history, with terabytes of data having been stolen and posted online, including personal details like social security numbers and financial records. Security experts remain split on the culprits, however, with some blaming insiders while the FBI and others have pointed the finger at the North Korean government, which was said to be upset about Sony's involvement with The Interview.

Late news

Latest reports cited in Forbes suggest that there have been Russians inside the Sony network, who might have been the ones responsible for the hack, or who could have been there as well as the Guardians of Peace hackers.

Forbes quotes Ukraine-based hacker, Jeffrey Carr, CEO of security firm Taia Global, as saying he is “100 percent certain” the information was legitimate, and that it's highly likely the Russians are still on the Sony network. It confirms that the details of the apparent breach came from Yama Tough, thought to be a previously-indicted online criminal, who was thrown out of the US having been imprisoned there.

Phishing is again suspected as being the entry route and, in response to this latest development, Kevin Epstein, VP of Advanced Security and Governance at Proofpoint, commented in an email to SC: “By leveraging the weakest link in the security chain – people – attackers have repeatedly proven their ability to circumvent perimeter security. Modern defensive solutions include greater threat intelligence, information exchange across systems, and automated threat response. Such ‘Big Data' based systems also enable better threat actor attribution. Attack attribution clearly continues to be a significant challenge, as attackers mask their identity behind layers of geographically dispersed systems and intermediaries. Only by understanding the full set of characteristics in each attack can attribution – and hence better real-time defense – succeed.”

If it does prove that there were two or more sets of intruders on Sony's network, it will make it that much harder to hold North Korea alone to account for the attack.