It’s been three weeks since Sony Pictures realized its computer network had suffered a serious security breach.
Frankly, it wasn’t hard for them to tell – a grisly skull appeared on computer screens, alongside a warning that the company’s internal data had been stolen and would be released to the public if the criminals’ demands were not met.
Since then the media has been having a field day, trawling through stolen emails and databases, releasing thousands of financial documents detailing the different salaries paid to rival movie stars and Sony executives, storyboards and scripts for future movies, and even private email conversations where senior staff passed their personal opinions of Angelina Jolie, or racially stereotyped Barack Obama as only liking movies starring black actors.
It’s all been pretty damaging to Sony Pictures. And the company seems to have had enough.
The New York Times reports that media outlets were sternly warned over the weekend to stop using the stolen information as a basis for news stories.
“SPE does not consent to your possession, review, copying, dissemination, publication, uploading, downloading, or making any use of the stolen information, and to request your co-operation in destroying the stolen information.”
Some will no doubt feel that Sony Pictures is guilty of shooting the messenger rather than dealing with the underlying security problem. And, yes, I’m sure that they are all too aware that they are trying to shut the stable door after the horse has bolted.
But that doesn’t mean that they aren’t within their rights – even in the form of a rather legalistic letter – to request media agencies stop making the consequences of a criminal act (the act) even worse for their corporation and some of their employees.
Meanwhile, others have argued that Sony is unlikely to successfully sue media outlets who publish the stolen documents, but that’s probably more a question for the courts to decide (if it comes to that) rather than within the scope of the Hot for Security blog.
What interests me more is not the legality, but whether the media is right to publish the tittle-tattle and internal secrets of a company that has been the victim of a criminal hack?
It’s arguable that if a company has been found breaking the law or misleading the public that there is a moral duty for the media to expose the wrongdoing – even if the truth has been exposed via hackers breaking into email accounts and stealing information. But no-one is suggesting that Sony Pictures has done anything like that.
The emails sent between Sony Pictures’ executives, and their opinion on Hollywood egos, might be juicy fodder for the tabloids – but it doesn’t make us as readers better people to have it shared with us.
The real story about the Sony Pictures hack that we should be reading is that the company’s security processes failed massively. And that should be a warning for all organisations not to smirk at Sony’s discomfort, but instead to ensure that their own systems are properly protected – because who knows if your firm will be the next in the hackers’ firing line?
What do you think? Should the press stop rifling through Sony Pictures’ private files, and concentrate on genuine security news instead? Leave a comment below.
tags
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
View all postsNovember 14, 2024
September 06, 2024