“An Epic Nightmare”

What came after the Sony breach.


This essay is adapted from You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches, by Josephine Wolff, published by MIT Press.

At first glance, the malware that hit Sony Pictures Entertainment appeared both amateurish and confusing. When employees arrived at the studio’s Los Angeles headquarters the morning of Nov. 24, 2014, their computer desktops displayed a picture of a glowing red skeleton overlaid with an ambiguous, ungrammatical message: “Warning: We’ve already warned you, and this is just a beginning. We continue till our request be met. We’ve obtained all your internal data including your secrets and top secrets. If you don’t obey us, we’ll release data shown below to the world.”

Now, four years later, the story of that breach is well-known—the massive public dumps of internal Sony documents, the many embarrassing news items that emerged from those files, the shady self-named “Guardians of Peace” group that took credit for the attack and blamed it on The Interview, an unflattering Sony comedy about North Korea that was at the time scheduled to be released Dec. 25. But as we approach the four-year anniversary of the intrusion, it has become increasingly clear that what was most unusual—and unprecedented—about the attack is its aftermath and the many ways that everyone from the United States government to Sony itself to its employees reacted to the incident in the weeks, months, and years that followed.

Less than a month after the Guardians of Peace made their presence in the Sony Pictures network known by wiping hundreds of the studio’s computers, the FBI announced that it had determined that the North Korean government was responsible for the incident.


The agency’s statement left little room for uncertainty or doubt, despite having had only four weeks to investigate the incident and never before having made such a public and unequivocal accusation against a foreign government for a computer crime directed at a private company. Something about this incident, the FBI indicated in its statement, was different—and required a sterner response. “Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart,” the agency said, adding that “North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves.”

The FBI’s decision to publicly denounce the North Korean government over the Sony breach was surprising, but the real shock came a few days later, on Dec. 22, 2014, when North Korea suddenly lost its access to the internet in an apparent distributed denial-of-service attack on the country’s limited number of routers. The incident followed closely on President Obama’s promise that the United States would “respond proportionally” to the Sony Pictures Entertainment breach and subsequent fearmongering by the intruders, including threats of violence that were never realized.

Although the U.S. government did not admit to taking North Korea offline, neither did it deny responsibility for the incident. A State Department spokesperson told reporters, “We aren’t going to discuss, you know, publicly operational details about the possible response options … as we implement our responses, some will be seen, some may not be seen.”

For the United States to respond in any way to a cybersecurity breach directed at a private company with something other than an indictment or routine law enforcement proceedings was unprecedented and, to many, alarming. The U.S. government’s intention appeared to be deterrence: sending a clear signal that anyone who came after a U.S. company would face the significant technical capabilities of the federal government by way of retribution. But by responding, or even just threatening to respond, in kind to a computer-security incident directed at a private company, the United States took a significant step toward blurring the line between the protection of industry networks and the protection of government networks.

Through its response to the Sony breach, the U.S. government not only opened the door for private companies to turn to it to retaliate against their attackers; it also gave license to other governments to involve themselves in industry disputes and leverage their cyber arsenals on behalf of businesses within their borders. By entering the fray to retaliate on Sony’s behalf, the United States appeared ready to eliminate, or at the very least obscure, the distinctions between attacks on private companies and attacks on government institutions.

To some extent, those distinctions were already eroding, given how much internet infrastructure is operated by industry and how many systems critical for national security and stability are run by private companies. But for the government to lash out over a breach directed at a movie studio, rather than, for instance, a power plant or a hospital, suggested that the government considered its job not just to protect the nation’s critical infrastructure but also the reputation and digital resources of every major company within its borders.

The costs of the 2014 breach are difficult to tabulate. There was, presumably, some loss of revenue to the studio, but it is hard to say how much. Some movies and scripts had been leaked online by the Guardians of Peace, but there was no way of knowing how that had affected their box-office performance. The Christmas release of The Interview was canceled at many theaters, following threats by the Guardians of Peace in a Dec. 16 email that said:

Soon all the world will see what an awful movie Sony Pictures Entertainment has made.

The world will be full of fear. Remember the 11th of September 2001.

We recommend you to keep yourself distant from the places at that time. (If your house is nearby, you’d better leave.)

These threats may have motivated some of the active involvement of the U.S. government and appeared sufficiently credible to Sony Pictures to warrant pulling the movie. But The Interview was released online and shown in several independent theaters, earning more than $40 million in online sales and about $12 million in theaters. The online sales, at least, seemed to suggest that even in the age of massive and humiliating data breaches there might still be no such thing as bad publicity.

Meanwhile, the biggest embarrassments, and the highest costs, of the breach, both for the studio and for the individual employees who worked there, came from the wealth of emails and personal information, including Social Security numbers and salary data, stolen from the studio’s systems.

A group of Sony Pictures employees filed a class-action suit against the studio to try to recoup some of their losses. “An epic nightmare, much better suited to a cinematic thriller than to real life, has been unfolding in slow motion for thousands of current and former employees of [Sony Pictures Entertainment],” they wrote in the suit, arguing that the breach was only possible because “SPE failed to maintain reasonable and adequate security measures to protect the employees’ information from access and disclosure.”

The plaintiffs described no fewer than 10 types of injury that had been imposed on them as a result of the breach, including the compromise and publication of their personal information, the out-of-pocket costs required for them to detect and recover from identity theft, the time and productivity they lost trying to protect themselves against identity theft, the possibility of tax fraud, and the “future costs in terms of time, effort, and money that will be expended to prevent and repair the impact of the data breach.” Sony was responsible for these losses, the plaintiffs argued, because of its lax computer security.

The company quickly filed a motion to have the lawsuit dismissed, and Judge R. Gary Klausner agreed to dismiss many—but not all—of the plaintiffs’ allegations. Klausner determined that the plaintiffs’ concerns about potential “future harms” that had not yet occurred were too speculative to support their claim for negligence. Similarly, he dismissed their claims about losing time to dealing with the breach’s fallout and losing the “value” of their personal information.

Klausner was more sympathetic, however, to the money the plaintiffs had spent on credit monitoring, password management, freezing and unfreezing their credit, and obtaining credit reports. After Klausner denied the motion to completely dismiss the suit, Sony settled the case for roughly $15 million in April 2016 and agreed to provide the plaintiffs with identity-protection services through the end of 2017, as well as a $2 million fund that could be used to reimburse the plaintiffs for preventive measures they took to protect themselves from identity theft in the aftermath of the breach. The settlement was, in some ways, a victory for the plaintiffs—who had managed to elicit protections often extended only to customers whose information was breached—but also a reminder of how narrowly courts viewed the harm inflicted by computer breaches in terms of direct financial losses.

Klausner’s partial dismissal of the plaintiffs’ allegations largely aligned with previous failed lawsuits trying to hold companies responsible for nonmonetary losses associated with data breaches. It reinforced the idea that, even in cases like Sony’s where much of the damage done by a breach did not necessarily take the form of financial fraud, financial losses were the only ones a court was likely to take seriously.

The dynamics between Sony Pictures and its employees in the aftermath of the breach have important implications for understanding how hard it is to protect all of the different parties affected by a public humiliation-motivated incident. For instance, one way to protect the corporate victims of such incidents might be to limit their financial liability so that it is harder for individuals to sue them, making breaches less likely to take a major financial toll on their resources and therefore less satisfying for perpetrators to undertake as a means of revenge. But limiting the losses imposed on a victim like Sony Pictures in this fashion, even if it did deter some would-be attackers, would also effectively increase the losses imposed on its individual employees, forcing a trade-off between who, of the different types of victims, deserves the greatest protection for which types of harm.

Focusing on the financial harms inflicted on Sony Pictures employees in the class-action suit had the benefit of implicating a fairly clear-cut set of mitigations that Sony could offer as part of the settlement, such as credit monitoring, identity theft insurance, and reimbursements for credit freezes. But while such mechanisms might help mitigate financial harm to Sony employees by flagging suspicious use of their identities and restricting the opening of new credit in their names, the studio itself had no analogous strategy to turn to for containing the humiliating flood of its most sensitive information appearing online.

In the absence of a clear template for how to do ex-post mitigation for such a far-reaching and public-facing breach, Sony attempted to fight back against its attackers in two ways. The first was technical. When the company’s data began to appear online, the studio reportedly initiated a series of denial-of-service attacks directed at the sites that were hosting its stolen data, and it even went so far as to plant fake torrent files online. The idea was to misdirect users searching for the stolen films and data toward the fake files, so that people who believed they were downloading the stolen information instead spent hours downloading empty files.

Whether or not the studio successfully managed to trick any users into downloading its planted, empty files instead of the actual stolen information, it was clearly unsuccessful in stemming the spread of the stolen information through media sources, which reported widely on the leaked data.

The studio also attempted a less technical set of legal efforts intended to try to stop its stolen information from spreading. These included filing takedown notices under the Digital Millennium Copyright Act to try to make websites remove postings of the studio’s copyrighted material, such as scripts and movies, as well as sending letters to news organizations demanding that they delete the stolen data and cease to report on its content.

In the letters, sent out in December 2014 to media outlets by high-powered lawyer David Boies on Sony’s behalf, the studio threatened legal action if the recipients continued to publish the details of the breached information. “SPE does not consent to your possession, review, copying, dissemination, publication, uploading, downloading, or making any use of the Stolen Information,” the letter stated, ordering the recipient to destroy any of Sony’s data in its possession. “If you do not comply with this request, and the Stolen Information is used or disseminated by you in any manner, SPE will have no choice but to hold you responsible for any damage or loss arising from such use or dissemination by you,” the letter further threatened. It was a bold, if largely futile, attempt on Sony’s part to find a new entity (or entities) onto which to shift blame and liability for the breach.

Most press outlets appear to have ignored Boies’ letter, and there was ultimately little Sony Pictures could do to stop the further distribution of information after it had left the confines of its own computer systems. Trying to restrict what people can publish is of little value if all of the stolen data is still easily available online to anyone who wants to look for it. Similarly, making that data harder to find online is of little use if it is being constantly written about in the press. Therefore, limiting the accessibility of breached data and limiting its dissemination through the press and third-party websites—the two strategies attempted by Sony through legal and technical means—go hand in hand. Achieving one serves little purpose if the other is unsuccessful, and in Sony’s case it is not clear that either strategy met with much success.

Few breaches could touch the Sony incident for sheer excitement and salacious detail, or for the lasting impression it made on millions of people. But beyond its value as a rich source of Hollywood gossip, the Sony breach was notable for two reasons: first, the involvement of the U.S. government on behalf of a private company, including the government’s forceful response and its assertions about the origins of the attack; and second, Sony’s aggressive if unsuccessful efforts to prevent the spread of the breached information online and in the media.

The hostilities that arose between Sony and its employees in the aftermath of the breach, as well as the tensions between Sony and media outlets reporting on the breach, highlighted the complex layers of victims, the different types of harm each of them suffered, and the lack of clarity around who was responsible for mitigating those harms. That these different stakeholders turned on each other in the aftermath of the breach was only to be expected, given their complicated relationships to each other and the incident itself. Meanwhile, the unprecedented convergence of public and private interests in claiming the attack was a sophisticated effort sponsored by a foreign government suggested just how intertwined government and industry cybersecurity interests had become, not just when it came to critical cyber infrastructure, but even when the stakes were as low as a silly movie.

Adapted excerpt from You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches by Josephine Wolff, © 2018 Massachusetts Institute of Technology.