
Why It’s Right To Report On The Sony Hack


Image Credits: elhombredenegro / Flickr under a CC BY 2.0 license.

“No one’s private life can totally withstand public scrutiny,” reads an NYT op-ed penned by screenwriter and playwright Aaron Sorkin, angrily blasting the media for reporting the private details revealed through the recent hack of Sony Pictures Entertainment, in what’s shaping up to be one of the largest corporate data breaches to date. “…Every news outlet that did the bidding of the [hacking group] Guardians of Peace is morally treasonous and spectacularly dishonorable,” he adds.

Meanwhile, Sony Pictures – blithely ignoring the First Amendment (and the Streisand effect) – has threatened legal action against journalists reporting on the findings from the stolen documents.

Sorkin and Sony are both wrong. Sony may be a victim, but there is data in the breach that’s worth reporting to the public – not the social security numbers, private and personal information, or insider-y emails about films themselves, but the fact that those things were stolen? Yes. Especially since former employees weren’t even being made aware of the situation.

In addition, one of the largest takeaways is for other corporations to treat Sony as a cautionary tale and beef up their own servers and security infrastructure.

Sony Tries Silencing Reporters

Sony’s hack was made worse by its poor security infrastructure, but that alone does not mean all the data needed to be revealed in detail by the press – if that’s Sorkin’s critique, it would be accurate. But he would rather none of the content be reported. That’s not correct.

One thing the world needs to understand immediately is that all information can be made public, and the only real privacy protection is that its exposure has yet to be targeted by determined hackers. Over the past several years, hackers have stolen consumers’ personal information and credit card numbers from some of the largest retailers. They’ve pulled nude photos off celebrities’ phones and from “private” messaging app Snapchat. Large companies like Adobe and eBay have seen emails and other personal account information stolen. And whistleblowers like Snowden have revealed the most private and devastating aspects of government spying agendas.

There is literally nothing that is above being exposed publicly if the right people are focused on a specific agenda. Sony did not take the necessary protections to mitigate against this level of damage.

The Sony hack was carried out by a group referring to itself as the “Guardians of Peace.” The group has demanded that Sony pull its upcoming movie “The Interview,” starring Seth Rogen and James Franco, which was based on a fictional plot to assassinate North Korean leader Kim Jong Un. The group has leaked a number of Sony movies online including the yet-to-be released remake of “Annie,” plus “Mr. Turner,” “Still Alice,” and “To Write Love on Her Arms,” alongside large data dumps from inside Sony’s corporate network.

The reaction, however, of hacking victims like Sony should not include tantrums like those now demonstrated by Sorkin and the studio itself. They should only offer apologies to employees, if they say anything at all. Apologies for making the hack just so damned easy, keeping some of the company’s most private information on its operations, its employees (and their families) in unencrypted Excel and Word files and carelessly shared emails. That’s not to blame the victims themselves, though – individuals make mistakes, but corporate IT policies are meant to protect those mistakes from becoming publicly shared data.

Sony Pictures, one of the U.S.’s largest studios, has now, somewhat ridiculously, asked journalists to destroy the stolen documents, warning in letters sent to a number of online and print publishers that those who don’t comply will face further action. “Sony Pictures Entertainment will have no choice but to hold you responsible for any damage or loss arising from such use or dissemination by you,” the letter states.

News media has reported on a number of these leaked emails, which have included private jabs, jokes and commentary, including a director referring to Hollywood star Angelina Jolie as a “spoiled brat,” Sony’s botching of the Steve Jobs movie, and racist riffs between studio co-chairman Amy Pascal and producer Scott Rudin about what President Obama’s favorite movies might be.

One could argue that those sorts of details, as Sorkin claims, were exploited for pageviews more so than public good. That’s true in some cases. But that’s not looking at the bigger picture related to the media’s coverage of the hack.

Beyond providing fodder for gossip blogs, the Sony hack has also revealed serious information that’s arguably more serving of the “public interest.” (Hint: that’s what journalists are supposed to cover – a topic, incidentally, that Sorkin’s own show HBO’s “The Newsroom” has grappled with recently, when its reporters for a fictional news network resembling CNN landed a treasure trove of stolen Department of Defense documents.)


What Was Worth Revealing?

The Sony hack has displayed a lot about the failings of our modern, wired corporate culture. Like just how casually internal company HR employees treat email communication, for example.

Email is not private; as a former IT worker, I could have accessed any inbox on my domain (and often did, though not for reading emails, but for legitimate reasons like backup, archiving, or transfer to a new hire). But more importantly, employees dealing with sensitive information seem not to understand that email is not a place where an HR employee needs to be detailing a child’s medical treatment, where that treatment is taking place, the child’s name, how the child was doing in treatment, and more.

Sony, and likely other organizations that are currently fortunate enough to not have their poor security policies exposed, also do not seem to understand that if you’re choosing to record Social Security numbers, birth dates and salaries in Excel spreadsheets, you should protect them with at least a minimum amount of security, by way of encryption. Or hell, even a password.

(That’s not to say the files couldn’t have still been hacked, but it would have made it that much harder.)

In addition, while the hackers may have accessed the files in question illegally, there are insights the files reveal that are worth sharing more broadly.

It’s worth informing the public that the studio’s upper management is 94 percent male, and 88 percent white (as Fusion reports) – making them less diverse than the much-lambasted tech companies whose recent barrage of diversity reports have revealed their tendencies toward monoculture, for instance.

Another key item that was revealed by journalists reporting on the Sony leak was that of Hollywood’s war against Google, which was code-named “Project Goliath” in email threads. As detailed by The Verge, lawyers from the MPAA and half a dozen major studios refer to “Goliath” as their biggest enemy in their battle with online piracy, and the Sony emails discuss a variety of tactics to fight “Goliath,” including site blocking, legal action involving state attorneys general, political lobbying, and more. Things like this (below) make the issue surrounding the ethics of reporting on the hacked content more complicated.

Writes The Verge:

“At the beginning of this year, the MPAA and six studios — Universal, Sony, Fox, Paramount, Warner Bros., and Disney — joined together to begin a new campaign against piracy on the web. A January 25th email lays out a series of legally and technically ambitious new tools, including new measures that would block infringing sites from reaching customers of many major ISPs. Documents reviewed by The Verge detail the beginning of a new plan to attack piracy after the federal SOPA efforts failed by working with state attorneys general and major ISPs like Comcast to expand court power over the way data is served. If successful, the result would fundamentally alter the open nature of the internet.”

[Image. Image credit: Fusion.net]

Sony’s Emails Could Be Your Emails

Sorkin (and Sony) are free to criticize reporters’ editorial choices. But Sorkin, in a nutshell, is wrong to say that reporting on the leaks is “spectacularly dishonorable” as a whole. Nor is he correct in thinking that the right to report should be shut down.

These leaks have contained thousands of Social Security numbers, personnel files containing employee salaries and severance costs, personal information on employees and execs including birth dates, and even health records for dozens of employees, their spouses and their children.

Responsible press is not pointing to the actual files in question, hosting them on their own sites, copying and pasting emails in full, or revealing specific personal details – like which employees had high medical bills, or which child’s medical claims were being denied. The media has reported, however, that this is the kind of information these documents contain.

And it’s worth doing so: Sony’s emails could be your emails. They could be your company’s emails. Those could be your kids.

If an organization of Sony’s size is susceptible to hacking, anyone is.

In the aftermath, Sony has now hired FireEye Inc.’s Mandiant forensics unit to clean up this massive cyber attack, as the FBI investigates the incident. But the immediate damage has been done and the damage may continue for some time. Only a small number of documents have been revealed so far – the hackers reportedly captured over 100 terabytes of data.

Headlines about Hollywood actors or ego-damaging asides may draw pageviews (and may be in poor taste), but what’s not up for debate is whether journalists can report on illegally obtained files – they can, thanks to First Amendment protections.

Is there anything in the files that “can help, inform or protect anyone?” asks Sorkin, mid-tirade.

Yes, as the examples above show. But also, more generally, the fact that this happened, that this level of private data can be revealed, and that it can be revealed with ease can help us all. Let it serve as a warning to everyone from corporate IT to everyday consumers to protect ourselves, or risk becoming the next Sony.
