Stolen Emails Reveal Lapses in Sony Security Practices

Advertisement
By Associated Press | Updated: 18 December 2014 11:43 IST
In the weeks before hackers broke into Sony Pictures Entertainment, the studio suffered significant technology outages it blamed on software flaws and incompetent technical staffers who weren't paying attention, even as hackers targeted executives to trick them into revealing their online credentials.

Its chief executive was regularly reminded in unsecure emails of his own secret passwords for his and his family's mail, banking, travel and shopping accounts, according to a review of more than 32,000 stolen corporate emails circulating on the Internet.

Scrutiny of Sony's stolen computer data hasn't yet revealed exactly how hackers managed to slip inside to steal such an enormous cache, when it happened, who was behind the theft or their motives.

Advertisement

But late Wednesday, a U.S. official told The Associated Press that federal investigators have now connected the Sony hack to North Korea. The official was not authorized to discuss an ongoing criminal case openly, and spoke on condition of anonymity.

Confirmation of the North Korean link came just after Sony cancelled plans for the December 25 release of "The Interview," which had been one of the hackers' public demands due to its depiction of the fictional assassination of North Korean leader Kim Jong-un.

The stolen files expose lax Internet security practices inside Sony such as pasting passwords into emails, using easy-to-guess passwords and failing to encrypt especially sensitive materials such as confidential salary and revenue figures, strategic plans and medical information about some employees. Experts say such haphazard practices are common across corporate America.

"Most people who say they're not doing that are lying," said Jon Callas, co-founder and chief technology officer for Silent Circle Inc., a global encrypted-communications service.

Advertisement

The emails show CEO Michael Lynton routinely received copies of his passwords in unsecure emails for his and his family's mail, banking, travel and shopping accounts, from his executive assistant, David Diamond. Other emails included photocopies of U.S. passports and driver's licenses and attachments with banking statements. The stolen files made clear that Diamond was deeply trusted to remember passwords for Lynton and his family and provide them whenever needed.

"I still need the password to your Amazon account," Diamond wrote to Lynton in August.

Advertisement

Sony spokeswoman Jean Guerin did not respond to a phone message left with an assistant in her office and email from The Associated Press on Wednesday.

In an October email, the company's chief financial officer, David C. Hendler, complained to Lynton that Sony Pictures had experienced months of "significant and repeated outages due to a lack of hardware capacity, running out of disk space, software patches that impacted the stability of the environment, poor system monitoring and an unskilled support team." Hendler also blamed a company rule that required employees to keep too many old emails.

Advertisement

"Sloppy, really sloppy," said Kevin Mitnick, a former hacker who served five years in federal prison and now runs Mitnick Security Consulting LLC. But Mitnick was quick to acknowledge that other top chief executives are "probably doing it, too." Companies can use password-management software, which can store dozens or hundreds of encrypted passwords to various accounts behind one protected password.

"It's pretty ordinary for CEOs and executive assistants to share confidential information by email," he said. "They feel that their email is secure and they have nothing to worry about."

The fact that Lynton regularly received emails with his passwords was particularly a problem for Sony because hackers who steal corporate data often will immediately search for the word "password" or a variation of the word across thousands of messages.

"If I'm trying to get credentials, that's the first search I'm going to run," said Mitnick, who is hired by companies to test their internal security.

The October email inside Sony, among tens of thousands of messages stolen in the crime, described specific software and hardware upgrades and plans to hire an outside consulting firm to improve the company's network, plus new rules to limit the amount of old emails that would be stored on servers. Lynton received it roughly three weeks before employees reported signs that hackers were rummaging inside Sony's computer network.

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement

Related Stories

Popular Mobile Brands
  1. Amazon Prime Day 2026: Best Deals on Redmi and Xiaomi Smartphones
  2. Best Camera Phones Under Rs. 30,000 for Content Creators in India
  3. Best Gaming Laptops Under Rs. 80,000 in India
  4. Amazon Prime Day 2026: Top Deals on 65-inch Smart TVs
  5. Amazon Prime Day Laptop Deals: Best Discounts on HP, Asus, Lenovo and More
  6. Amazon Prime Day 2026: Best Deals on Soundbars From JBL, and More
  1. Amazon Prime Day 2026 Laptop Deals: Best Discounts on HP, Asus, Lenovo, Dell, Acer Models
  2. Best Camera Phones Under Rs. 30,000 for Content Creators in India: Motorola Edge 70 Fusion, Galaxy F56, More
  3. Boat Stone 900 Launched in India With Up to 80W Sound Output, Up to 15 Hours Audio Playback: Price, Features
  4. Cyberpunk 2077 Has Sold 40 Million Copies, CD Projekt Red Confirms
  5. Nothing Phone 1 Receives Final Software Update With Latest Security Patches, Bug Fixes and Improvements
  6. Nokia 235 4G (2026), 215 4G (2026) Launched Alongside Nokia 210 4G, and 200 4G With AI Assistant Button
  7. Samsung Galaxy S27 Ultra Battery Details Leaked; Could Top iPhone 18 Pro Max's Battery Capacity
  8. OnePlus Ace 7 Series Tipped to Feature 185Hz Display, 9,000mAh Battery
  9. WhatsApp Rolls Out Primary Device Support on iPad, Tests New Setup Screen for Android Tablets: Report
  10. Government Directs App Stores to Remove Malicious Apps Used to Disrupt E-Rickshaw Operations: Report
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.