Why do hackers keep targeting Sony?

January 7, 2015, 12:00 PM UTC

Sony Pictures is still picking up the pieces from the massive leak of internal memos and employee personal information (along with the release of several films to BitTorrent sites well before their theatrical releases) as a result of an attack by hackers that began in late November. And over Christmas, the PlayStation Network was inaccessible for the better part of four days due to a broad Denial of Service attack.

Unfortunately, it’s familiar ground for the company. For more than 3 1/2 years, hackers have been targeting Sony. But why?

Although the hackers claiming responsibility for each of the attacks gave different reasons for targeting Sony, the company’s initial efforts to protect its property may have raised its profile, leading to disastrous consequences. “Tragedy can beget more tragedy,” says Andrew Borene, a former Marine intelligence officer and defense council member at the Truman National Security Project.

If Borene is right, then music CDs may be at the heart of Sony’s problems with hackers.

Between 2005 and 2007, Sony BMG Music Entertainment, a joint venture between the Sony Corporation of America (SNE) and Bertelsmann AG, included a copy-protection rootkit on millions of music CDs. When a user inserted one of those CDs into their computer, it modified the operating system to make copying a CD harder (among other things) in an effort to curb music piracy. Hackers (and many others) were outraged by the fact that the software was being installed on their machines without permission.

“[The rootkit] was designed specifically to identify copyright infringers,” says Hemu Nigam, founder of SSP Blue, an Internet security consulting business, and former VP of Internet enforcement at the MPAA. “That raised the ire of the hacking community and, in essence, put a target on Sony’s back.”

After an outcry, Sony halted production of the copy-protection scheme. Then the company pulled copy-protected CDs from store shelves and offered to replace customers’ infected CDs for free.

Reached by email, Sony officials declined to comment for this story.

Sony acquired Bertelsmann’s interest in 2008 and renamed the company Sony Music Entertainment, making it easier, among other things, to integrate its music into Sony’s PlayStation 3.

In 2011, hackers launched a massive attack on Sony’s PlayStation Network. At that point, I had been covering the video game industry since 1996, so the story — the theft of personal information from over 100 million consumer accounts — kept me busy for months.

The breach resulted in Congressional hearings, corporate hand-wringing, a number of failed lawsuits and, per Sony, $171 million in total costs.

What it didn’t result in was an arrest.

Later that year, the hacker group LulzSec penetrated the website of Sony Pictures, releasing a file containing personal information of over 1 million users of SonyPictures.com. The attack could have been worse, though: the seven-member group said in a statement at the time that it lacked the resources to copy all the information it discovered, as that likely would have taken weeks.

The group was eventually caught when one of its leaders cooperated with law enforcement officials as part of a plea deal.

So when the attacks resumed in 2014, there was a sense of déjà vu for the company. The biggest difference, though, was the more shrouded motivation of the hackers. Federal officials accuse North Korea of orchestrating the intrusion into Sony Pictures by a group calling itself Guardians of Peace.

Several independent experts, including cybersecurity firm Norse Corp. and Mark Rasch, a former federal prosecutor and a principal at Rasch Technology and Cyberlaw, have been frustrated with the FBI’s unwillingness or inability to provide proof to support its allegation. They have questioned whether disgruntled employees were responsible for the hack instead of the North Koreans, who have denied responsibility.

Ironically, the 2011 PlayStation Network hack might have been the end of things, says Nigam, except that Sony, after closing the hole, publicly announced that it had fixed the problem, which the hacker community took as another red flag.

“Hackers love to play off of each other and each other’s successes,” he says. “If one opens a hole, another likes to attack and steal data, then a third will attack to show they can shut down the network. … It’s a series of unfortunate events.”

That could be bad news for other content giants, he says.

“The real question we should ask is: When will this happen to others, now that entertainment companies are more attractive targets?” says Nigam. “Any time a sector gets attention, it’s more vulnerable because hackers compete with each other. … All [entertainment and media companies] should absolutely be on high alert.”

Chris Morris is a freelance writer and editor, specializing in video games, consumer electronics and personal finance.