Why Sony didn’t learn from its 2011 hack

December 24, 2014, 6:22 PM UTC
Sony Computer Entertainment CEO Kazuo Hirai 2011
Kazuo Hirai, then-CEO of Sony Computer Entertainment, pauses during a news conference in May 2011. Hirai is now CEO of Sony Corp.
Photograph by Tomohiro Ohsumi — Bloomberg/Getty Images

Long before Sony Pictures Entertainment revealed in November that it had been hacked by a group calling itself the Guardians of Peace, another division of Sony was attacked by cyber attackers.

Between April and May 2011, Sony Computer Entertainment’s online gaming service, PlayStation Network, and its streaming media service, Qriocity—plus Sony Online Entertainment, the company’s in-house game developer and publisher—were hacked by LulzSec, a splinter group of Anonymous, the hacker collective.

The online services were shut down between April 20 and May 15 as Sony attempted to secure the breach, which put the sensitive personal data for over 100 million customers at risk. The chief executive of Sony Computer Entertainment America at the time, Kazuo Hirai, wrote the following on the PlayStation blog:

We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer (CISO).

Hirai is now president and CEO of Sony.

Philip Reitinger was appointed CISO of Sony Corporation America in September 2011, shortly after that year’s breach. This September, he left Sony to start his own security consulting business, VisionSpear. John Scimone replaced him.

Globally, Sony has more than 140,000 employees and more than 100 subsidiaries. “Not only did Reitinger have his hands full,” says Gary S. Miliefsky, CEO of cyber security firm SnoopWall, “but some people say that his team could not manage all the corporate network ‘touch points.’ So there was no centralization of security events information management.” Reitinger’s departure this year also created a security leadership gap at Sony when the company needed it most, Miliefsky adds.

Sony Computer Entertainment and Sony Pictures Entertainment declined to comment.

Sony (SNE) learned a lot of painful lessons from the 2011 breach, says Lewis Ward, research director for gaming at the market research firm IDC. The company reported a hard cost of $171 million, but Ward estimates that the hack ended up costing Sony more than $250 million through the end of 2012 as it worked to clean up the mess and reinforce its defenses. “On the gaming side, nothing like the PlayStation Network attack had happened before, or has happened since,” he says. “It was unprecedented in gaming.”

Sony and Microsoft (MSFT) have experienced smaller breaches of their online gaming networks since 2011, including another PlayStation Network attack in October 2011 and a PlayStation Store attack earlier this month. But the April 2011 attack stands alone for its size and scope.

That’s because the PlayStation Network suffered multiple kinds of attacks, Miliefsky says. One was a classic data breach—the release of otherwise secure information. The second was a distributed denial-of-service attack, or DDoS, that left the network inaccessible to gamers. Sony has since improved its stance against both attack types—for example, it’s now a strong partner of Amazon Web Services, the dominant cloud computing player, improving its odds against a DDoS—and Hirai has improved collaboration across Sony’s many divisions since taking the company’s top job.

But there’s one major factor that prevented Sony from better using those 2011 lessons in 2014: organizational structure. The company has long had a reputation for operating in silos, says Michael Pachter, a video game analyst at Wedbush Securities, and no silo is more isolated than Sony Pictures Entertainment. “It’s the [Sony] movie guys who don’t talk to anybody,” Pachter says. “They learned nothing from the PlayStation Network breach. I don’t know the movie guys, but the game people have been very friendly and open-minded and would love to work with the Sony movie guys.”

This type of corporate structure is hardly limited to Sony, but it helps explain why such a challenging period in 2011 didn’t better prepare the company to avoid a similar scenario in 2014. “Most organizations are in silos,” says Tim Eades, CEO of the security company vArmour. “They need better sharing and collaboration solution in security between their divisions and their supply chain. If Sony had that, it would have been stronger.”

The problem? Sony didn’t address its organizational issues fast enough after the 2011 hack, Miliesky says. “From that moment on, their CIO should have implemented corporate-wide protection measures and beefed up info-sec training for employees that would be standardized across the organization,” he says. “The tools and techniques they decided to use to protect the public-facing PlayStation Network was a reactive approach—’We were attacked at point X by Y, so let’s defend point X with tools to stop successful exploitation by these kinds of Y attacks.’ It was completely reactive, not proactive.”

It’s a particularly knotty issue for a company as large as Sony. “The attack surface that Sony has is vast and requires significant investment and, unfortunately, time to deploy,” Eades says.

The email correspondence that leaked in the wake of the recent hack showed that Sony Pictures Entertainment may have been operating without adequate protection against phishing attacks, remote-access Trojans, password management policies, proper use of encryption, data storage, and backups, Miliesky says.

“Ultimately, SPE was wide open,” Miliesky says. “They probably had a firewall and antivirus and told their CISO ‘everything is safe and secure over here,” if that conversation even happened. A proper inventory control, vulnerability assessment, and employee training at SPE would have revealed much to the CISO.”

Sony has improved its internal coordination, thanks to both Hirai’s leadership and the return of Andrew House as president and Group CEO of Sony Computer Entertainment, Pachter says. For example, Sony Pictures Television is currently filming the original live action television series, Powers, for the PlayStation Network. But the budding synergy between divisions wasn’t enough to stop the most recent cyber attack against Sony, says P.J. McNealy, CEO of the market research firm Digital World Research.

In 2011, Sony Computer Entertainment worked hard to win back the trust of its gaming customers, and today it leads both Microsoft and Nintendo in the gaming console market with its PlayStation 4. “Consumers are quick to forgive on this front because at the end of the day it’s an entertainment product,” McNealy says. “I was surprised at how quickly the user numbers spiked back after the patch was fixed and the network went back online [in May 2011]. Consumers are accepting that this is the new world we live in, where hacks take place.”

Experts agree that while Sony’s reputation is suffering in the wake of the most recent attack, it is hardly the only company at risk from such issues.

“Can any corporation really firewall itself to be invulnerable to attacks today?” McNealy asked. “We’ve now seen hackers breach major corporations and major retailers. Everyone’s a target for hackers. There’s been a real shift in the hacking community from unleashing viruses through emails on select holidays to attract headlines 10 years ago, to trying to grab personal data and information.”

Joseph Demarest, assistant director of the cyber division of the Federal Bureau of Investigation, earlier this month declared to members of Congress that 90% of businesses could not have stopped the Sony Pictures Entertainment attack.

“I agree with that number,” Miliefsky says. “But the real issue is today’s security posture and employee training. The biggest weakness at Sony Pictures Entertainment was the employees. If you can’t train them to behave better, then what can you expect but another successful breach?”