Sony Said to Learn Last Year About Large Network-Security Breach

Sony has said the 2011 hack involved the theft of personal data on 77 million PlayStation Network users. Photographer: Simon Dawson/Bloomberg

Sony Corp. was warned about a year ago that hackers had infiltrated its network and were stealing gigabytes of data several times a week, underscoring a pattern of lapses predating a recent attack that has spilled Sony Pictures’ secrets onto the Internet.

The hackers, who haven’t been identified, sifted in late 2013 through data from the company’s network, encrypted the information to cover their tracks and mined it on a regular schedule, said a person familiar with Sony’s investigation of the breach who asked not to be named because the findings are confidential.

The company’s cybersecurity problems date at least as far back as 2011, with a breach of Sony’s PlayStation video-game network.

In the most recent indication of Sony’s vulnerability, hackers since early December have been releasing sensitive information from the company’s Sony Pictures unit, including on salaries, employee health data and racially tinged e-mail banter over U.S. President Barack Obama’s taste in movies. Another leak showed that Sony Chief Executive Officer Kazuo Hirai approved a scene in the coming movie “The Interview” that depicted the fictional assassination of North Korean leader Kim Jong Un.

The extent of the breach last year was discovered by an outside contractor after Tokyo-based Sony found suspicious traffic on its corporate computers and requested an analysis, the person said.

Security Holes

The discovery was part of a companywide review of cybersecurity practices following the 2011 hack that extended for more than two years and which, while shoring up the security of some parts of the network, left holes remaining, four people familiar with the Japanese company’s investigations said.

Jennifer Clark, a Sony spokeswoman, said the company hired former Department of Homeland Security official Philip Reitinger in 2011 and under his leadership has since bolstered its information-security program.

“Sony is unfortunate,” said Rick Dakin, co-founder and CEO of Coalfire Systems Inc., a Louisville, Colorado, auditing and compliance-assessment company. “They are a two-time loser before they could right the ship. However, the wake-up call is for everyone else.”

Cybercriminals targeted Sony in 2011 after it sued a young researcher when he exposed security vulnerabilities in the PlayStation 3 console. And for the past month, the company has grappled with anger over “The Interview,” a comedy from its Hollywood film studio starring Seth Rogen and James Franco that is scheduled for release on Christmas Day.

DarkSeoul Link

Sony is conducting an internal probe that has linked the latest attack to a suspected North Korean hacking group known as DarkSeoul, according to two of the people familiar with the company’s investigation.

The three incidents over the last several years show that despite spending millions of dollars, Sony continued to struggle with flaws exposed by the 2011 breach -- which people familiar with the investigation said was deeper than the company has disclosed.

Sony has said the 2011 hack involved the theft of personal data on 77 million PlayStation Network users. But two of the people familiar with the incident said it also involved the loss of highly sensitive corporate data. That included keys to the PlayStation Network’s digital-rights management software, which Sony uses to fight piracy, and its user-authentication database, one of the people said. Those tools allowed hackers to steal video games, movies and music and sell copies on the black market, the two people said.

No Audit

Even after discovering the thefts, Sony didn’t conduct an audit to determine how much content was stolen, one of the people said.

Clark, the Sony spokeswoman, said the company doesn’t discuss specifics but had no indication the 2011 breach went further than it previously said or that there was a subsequent increase in piracy.

Also, Sony at the time blamed the breach on the loosely organized Anonymous hacking group, which denied stealing data.

Investigators for Sony found that at least three hacking groups had infiltrated the PlayStation Network during that time, one of the people said. The group causing the most damage was a Russian ring that had been inside the network for two years, stealing and selling video games, the person said.

Decentralized Structure

Sony significantly improved the security of the PlayStation Network after the breach but didn’t sufficiently address security issues elsewhere at the company, the people familiar with the investigations said.

Unlike banks and government agencies that are accustomed to deflecting high-level hacking attacks, Sony has been poorly prepared for the intrusions in part because its decentralized structure means security improvements in one division don’t necessarily translate to other units, the people familiar with the investigations and other security experts said.

A large corporate structure shouldn’t be a barrier to sharing security data, said Mike Davis, chief technology officer of CounterTack Inc., a security firm based in Santa Monica, California.

“Many large multinational companies with divisional structures have successfully defended or at least mitigated these types of attacks,” he said.

Sony could face a worse scenario over the coming months than it did after the 2011 breach, according to security experts who have studied the latest data leaked by hackers.

‘Treasure Map’

The files obtained in the latest intrusion contain sensitive information on almost every aspect of the company’s digital security, including instructions on how to access key databases and digital certificates meant to secure Sony’s computers and data.

“This information is effectively like giving the world a child’s treasure map, a very simple dotted line to follow with a big red X that says, ‘Treasure Here,’” said Jody Brazil, founder and CEO of FireMon, a security firm based in Overland Park, Kansas.

“They are going to have a very, very difficult time insuring that any actions they take to clean this is going to have any lasting effect,” he said.
