By Tomas Girnius | January 5, 2015

Armor plated steel doors. Motion detectors. State-of-the-art alarms. Multiple cross-directed laser virtual trip wires. These are enough to stymie most James Bond wannabes…unless the evil butler hands over or, more likely, sells the master key. Ongoing forensics has not yet determined exactly how the Sony network was penetrated.

The FBI has insisted that the cyber attack was perpetrated by North Korea. However, it is plausible and widely speculated that the breach began within Sony. Maybe someone with legitimate access gave away, sold, or had stolen from them (because they had used the same username and password on an unrelated insecure site) credentials with administrator privileges for the entire Sony network: the "master key." Once inside, the perpetrators were able to access everything on the Sony network. With such a widely cast net dragging indiscriminately for information, the damage left in the wake of this breach is diverse and considerable.

Figure 1: Can Losses from the Restricted Release of The Interview Even be Calculated?
Image courtesy of IMDB

While the scale of the hack is enormous, some of its consequences are common, almost mundane selections from the post-breach playbook. For example, Sony employees, current and former, are filing lawsuits seeking damages because Sony allegedly failed to sufficiently protect their personal information. Such lawsuits are standard practice when personally identifiable information (PII) is compromised. After cyber criminals have gained unauthorized access to a company's records, affected employees and clients sue to compensate for losses and potential losses from the breach.

In all, almost one hundred terabytes of data were stolen. Much of it was in the form of unauthorized movie downloads that are being duplicated and moved through illegitimate Internet sites, resulting in lost revenue that is practically impossible to estimate accurately. Consider, for example, how difficult it is to track the pirated versions of films that were disseminated. Even if you were able to do so, you would then have to estimate how many consumers of the pirated (and presumably cheaper) versions of the films would have purchased them directly from Sony.

We come, finally, to the elephant in the room: Sony's initial (some would say knee-jerk) decision to cancel general release of the movie "The Interview" in response to anonymous threats to would-be moviegoers. How can one reliably estimate the losses sustained directly by Sony, along with those of the numerous cinema franchises that were prepared to show the movie this holiday season? If the movie had been pulled and was never shown, an estimate of the resulting losses must account for the uncollected revenues from box office ticket sales. To estimate that lost revenue, one needs to be able to rate the movie: would it have been a record-setting box office hit, or a dud? In the movie industry, that is a billion-dollar distinction.

In response to criticism that it had buckled to the hackers' threats, Sony has since released the movie through a limited but growing number of channels, and revenue is being earned. But major damage has already been done, and we don't know how it will affect the studio's bottom line.

Categories: Cyber
