Sony Pictures wants the media to stop publishing private information stolen by hackers

It’s been three weeks since Sony Pictures realized its computer network had suffered a serious security breach.

Frankly, it wasn’t hard for them to tell – a grisly skull appeared on computer screens, alongside a warning that the company’s internal data had been stolen and would be released to the public if the criminals’ demands were not met.

Since then the media has been having a field day, trawling through stolen emails and databases, releasing thousands of financial documents detailing the different salaries paid to rival movie stars and Sony executives, storyboards and scripts for future movies, and even private email conversations where senior staff passed their personal opinions of Angelina Jolie, or racially stereotyped Barack Obama as only liking movies starring black actors.

It’s all been pretty damaging to Sony Pictures. And the company seems to have had enough.

The New York Times reports that media outlets were sternly warned over the weekend to stop using the stolen information as a basis for news stories.

“SPE does not consent to your possession, review, copying, dissemination, publication, uploading, downloading, or making any use of the stolen information, and to request your co-operation in destroying the stolen information.”

Some will no doubt feel that Sony Pictures is guilty of shooting the messenger rather than dealing with the underlying security problem. And, yes, I’m sure that they are all too aware that they are trying to shut the stable door after the horse has bolted.

But that doesn’t mean that they aren’t within their rights – even in the form of a rather legalistic letter – to request media agencies stop making the consequences of a criminal act (the act) even worse for their corporation and some of their employees.

Meanwhile, others have argued that Sony is unlikely to successfully sue media outlets who publish the stolen documents, but that’s probably more a question for the courts to decide (if it comes to that) rather than within the scope of the Hot for Security blog.

What interests me more is not the legality, but whether the media is right to publish the tittle-tattle and internal secrets of a company that has been the victim of a criminal hack.

It’s arguable that if a company has been found breaking the law or misleading the public that there is a moral duty for the media to expose the wrongdoing – even if the truth has been exposed via hackers breaking into email accounts and stealing information. But no-one is suggesting that Sony Pictures has done anything like that.

The emails sent between Sony Pictures’ executives, and their opinion on Hollywood egos, might be juicy fodder for the tabloids – but it doesn’t make us as readers better people to have it shared with us.

The real story about the Sony Pictures hack that we should be reading is that the company’s security processes failed massively. And that should be a warning for all organisations not to smirk at Sony’s discomfort, but instead to ensure that their own systems are properly protected – because who knows if your firm will be the next in the hackers’ firing line?

What do you think? Should the press stop rifling through Sony Pictures’ private files, and concentrate on genuine security news instead? Leave a comment below.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

11 Comments

  • “It’s arguable that if a company has been found breaking the law or misleading the public that there is a moral duty for the media to expose the wrongdoing – even if the truth has been exposed via hackers breaking into email accounts and stealing information. But no-one is suggesting that Sony Pictures has done anything like that.”

    So that’s the thing. Agree on the former part. But I see no problem on exposing what they did wrong if it helps others (with a caution as hopefully I’ll explain my view well enough by end of my response). The mail from… was it the CEO of ? … Sony was, firstly, at some point made public and once public there isn’t much to make it private. And if it allows for any learning then I don’t see the problem. If however, there are corporate secrets that were given to (but not made public – key point) a news outlet then yes, I agree that they shouldn’t give that up anymore than other publications of confidential information (and this probably includes proprietary – scrap that, it does because proprietary info can lead to other problems, if leaked). As for the scripts, I also see no problem revealing the names of. If they were to reveal the script of James Bond – did I just do that ?! – then yes, I see the problem. But the title will be public at some point anyway so… either don’t finish it or do (which is the only way they would, especially with that specific franchise).

    “The emails sent between Sony Pictures’ executives, and their opinion on Hollywood egos, might be juicy fodder for the tabloids – but it doesn’t make us as readers better people to have it shared with us.”
    Yes but IFF it was made public by those compromising them. On the other hand, what’s done is done and unless it was sent to (some news outlet directly, i.e. not published on some website like pastebin), then I see no issue: even if no one reads it, if it is public, it is probable that web spiders WILL. This is a fine line that is hard to see which side you’re on.

    “The real story about the Sony Pictures hack that we should be reading is that the company’s security processes failed massively. And that should be a warning for all organisations not to smirk at Sony’s discomfort, but instead to ensure that their own systems are properly protected – because who knows if your firm will be the next in the hackers’ firing line?”

    Yes, there’s that old song… “Don’t you laugh when a hearse goes by…for you may be the next to die” (I’m not sure if the title is the first part there but I think that is the case, I just am continuing that verse/whatever). Besides, there is no wrong time (except not done) to make sure your practises (policies, backup plans or more specifically disaster recovery) are in order. You can always improve even if it is indirectly (new technology). Don’t make the mistake of laughing at others when you can also improve. By all means write about it, study it, help them, but make it productive rather than just criticism!

  • I find it alarming the way the media feel totally justified in publishing whatever it finds. I feel it’s very hypocritical as so-called tech pundits expose details ‘in the public interest’ since I’m fairly sure they wouldn’t want their personal correspondence, finances, opinions plastered everywhere.

    I’m fairly certain that I would have to be dumb to leave my front door open as I leave the house to go on holiday. If I did such a thing, I could hardly be surprised if my TV is still there. But would it be legal for someone who had received that TV to then sell it on to someone else? Surely, if I could prove that it is mine, I could prosecute?

    I’m growing increasingly disdainful of the media and its so-called morals.

    Anyway, I’m no fan of Sony, but I do wonder how it can possibly survive this?

  • Receiving stolen goods is a felony, start locking up the boards of directors of the loser media and the retardation would end instantly.

  • News is usually something someone would rather not get out, so that interests people who want to know more, and someone else fills that inquisitiveness by providing a publishing service at a profit.

    The story here is Sony wished to run a derogatory film about an evil and very real dictator, with the very worthy aim of reducing their power, but failed to anticipate, plan, or cost for the expected reprisal.

    This was a tragedy not just for Sony but for the rest of the world concerned about North Korea. Doing what they are doing now hands that regime an easy victory, which will chill further attempts.

    So now the sooner Sony get off this tack, and back on the reason why they created this film (which I will certainly watch) the better for everyone.

    • “… Sony wished to run a derogatory film about a … very real dictator, with the very worthy aim of reducing their power”.

      You are very naive if this is what you believe. There is only one reason that Sony (or any other studio) produces a film, and that is because they hope it will make lots of money.

  • Seems to me, the media is in possession of stolen property. If someone stole my property and sold it to an unwitting pawn shop. Now that shop is in possession of stolen property and has no right to said property after, or knowing it is stolen. They have an obligation to return said stolen property unused. At the very least, they should have notified the authorities about receiving this stolen property, to see if any leads could be obtained as to who transmitted this property.

    With that said, this incident only shows the moral depravity of the media at large. It shows how low they have sunk. They are now AFTER ALL, no better than tabloid journalists, and worse. I have no respect for today’s news organizations whatsoever, and am not surprised that they would feast on their own kind.

  • Has there been any update as to how their security was breached? With such a wide variety of information, from email to full films I wonder if this were an inside job?

  • The media does not only have the right to publish but they have the plight to publish. What is next? Is a newspaper not allowed to publish when a stolen thumb drive shows up with child abuse? Didn’t we enjoy the Wikileaks cables? Sony would have a point when the information was only in the hands of a single source.

    Besides we are obviously dealing with an incompetent management team, with top people making wrong jokes about people of colour and people who show lack of judgement in other sensitive cases. So keep on publishing; if not, the outlets based outside the US will do so anyhow. No European judge is going to honour Sony’s demands. Sony should realise that when you get a shave, you sit still, you do not move or make a sound unless you want to get hurt of course.

  • Every week we see the contents of individuals’ private correspondence used by the media to embarrass them or in some cases end their careers. No one seems to say ‘we must ignore that now that we know it, because it was not meant to be published’. Instead, everyone gathers round, points the finger and says ‘so that proves that really he’s racist, she’s homophobic, he’s corrupt, she’s not fit to hold that position’.

    Personally I think private comments should stay private, but since that really is not the way the world works (and never has as far as I know), then I wouldn’t apply a different set of rules to Sony. And to be clear, I don’t see any difference between a ‘leaked’ email and a ‘stolen’ email.

    Sony have another problem too. They lost a tremendous amount of goodwill with the Sony BMG rootkit fiasco, and suing George Hotz for jailbreaking his PlayStation.

    Rightly or wrongly, I think there’s a lot of people in the tech industry who like the idea of Sony being on the receiving end of some heavy-handed technological retaliation; what’s sauce for the goose…

  • See https://firstlook.org/theintercept/2014/12/15/news-agencies-completely-within-rights-report-leaked-sony-data/

    The 2001 Supreme Court case Bartnicki v. Vopper found that: “A broadcaster cannot be held civilly liable for publishing documents or tapes illegally procured by a third-party.” Perhaps Sony’s lawyers should look it up.