The hackers, widely attributed to being working with North Korea, held the company to ransom for months, leaking terabytes of internal data from the company to journalists, including ’embarrassing’ correspondence, and throwing the entire studio into an IT black hole for days.
Months on and the repercussions are ongoing – last week WikiLeaks published the leaked data in full as a searchable online archive of over 30,287 documents and 173,132 emails.
The marketing secrets, gossipy emails about producers trashing actors, and hundreds of emails and documents showing the company’s cozy links with the US Democratic Party, reveal a tawdry world of movie making that Sony would rather was kept firmly behind closed doors.
But the document dump has been a revelation in more ways than one- as security expert Graham Cluley points out, they show that this public relations nightmare could’ve easily been avoided with old fashioned better password management.
Cluley quickly picked up on the poor password practices that many employees were engaged in from the fact that 1,100 of the 30,287 Sony Pictures documents in the WikiLeaks haul contain the word ‘password’.
The documents also pointed to further evidence of malpractice such as the use of very easy-to-guess admin passwords for systems on Sony’s servers, passwords of ‘password’ and passwords which were identical to the username.
‘These new revelations about the Sony Pictures breach again demonstrates that a single point of authentication – a password – is a poor choice for security teams looking to secure and govern their networks and data,’ he said.
For a long time now it’s been clear to most people that passwords are not fit for purpose in these types of use cases, Cluey argues. Passwords are continuously recycled and misused by users, and disclosures like this show the extent to which passwords and password policies are often poorly thought out and implemented.
The problem is that even the biggest multinational companies like Sony, still seem determined to rely on end users – the least-trained and least security-savvy individuals – to secure their data.
‘Clearly this strategy is failing,’ says Cluely. ‘Businesses need to stop putting the responsibility on the end user by allowing them to use inadequate passwords. The password as a single point of authentication remains a de-facto security control, but ultimately it’s a poor choice for achieving security for critical data and resources.’
‘Instead, the advent of smartphones has opened the door to the much more widespread use of multi-factor authentication methods whilst removing the need for expensive specialised hardware tokens. These developments will accelerate the adoption of advanced multi-factor authentication as a replacement for the password, making it more difficult for accounts to be breached.’