12/10/2014

Internal Memo: Sony Could Not Have Prepared For Unprecedented Hack | TIME

TE CH SEC UR IT Y

Internal Memo: Sony Could Not Have

Prepared For Unprecedented Hack
Sam Frizell @Sam_Frizell

Dec. 8, 2014

Theattackwas"unprecedentedin
nature,"accordingtoaninternalnoteat
Sony
Sony Pictures Entertainment could not
have been fully prepared for a massive
hack that hit the company last month, the
head of a cybersecurity firm hired by Sony
said in an internal memo published
Monday.
In an internal email obtained by Re/code,
Sony CEO Michael Lynton shared a note
with employees from Kevin Mandia, head
of security firm Mandiant, that called the
Sony hack an unparalleled crime
carried out by an organized group. Sony
has contracted with Mandiant to
investigate and clean up the breach.

A logo of Japan's Sony Corporation is

displayed at its headquarters in Tokyo on
May 14, 2014.
Kazuhiro NogiAFP/Getty Images

The malware was undetectable by industry standard antivirus software and was
damaging and unique enough to cause the FBI to release a flash alert to warn other
organizations of this critical threat, said Mandia in the note to Lynton. It went on to say
that neither SPE nor other companies could have been fully prepared for the attack,
which leaked employees salaries, social security numbers and other data, as well as
unreleased films.
The Mandiant letter may aim to vindicate Sony from responsibility for the hack after the
company was accused of showing a cavalier attitude toward cybersecurity. Only 11 people
were assigned to Sonys security team, Fusion reported last week, while Sony Pictures
executive director of information security Jason Spaltro told CIO Magazine in 2007 that
it may be a valid business decision to accept the risk of a security breach.
Heres the full note from Re/code:

Over the last week, some of you have asked about the strength of our
information security systems and how this attack could have happened. There
is much we cannot say about our security protocols for obvious reasons, but we
wanted to share with you a note we received today from Kevin Mandia, the
founder of the expert cybersecurity firm that is investigating the cyber-attack
on us. The investigation is ongoing, but Mr. Mandias note is helpful in
understanding the nature of what we are dealing with. Full text below.
We also want to thank you once again for your resilience and resourcefulness
in carrying out our critical day-to-day activities under incredibly stressful
circumstances. As a result of your efforts, we have made great progress moving
our business forward, and we will continue to do so.

http://time.com/3623456/sony-hack-unprecedented/

1/2

12/10/2014

Internal Memo: Sony Could Not Have Prepared For Unprecedented Hack | TIME

Dear Michael,
As our team continues to aid Sony Pictures response to the recent cyber-attack
against your employees and operations, I wanted to take a moment to provide
you with some initial thoughts on the situation.
This attack is unprecedented in nature. The malware was undetectable by
industry standard antivirus software and was damaging and unique enough to
cause the FBI to release a flash alert to warn other organizations of this critical
threat.
In fact, the scope of this attack differs from any we have responded to in the
past, as its purpose was to both destroy property and release confidential
information to the public. The bottom line is that this was an unparalleled and
well planned crime, carried out by an organized group, for which neither SPE
nor other companies could have been fully prepared.
We are aggressively responding to this incident and we will continue to
coordinate closely with your staff as new facts emerge from our investigation.
Sincerely,
Kevin Mandia
2014TimeInc.Allrightsreserved.

http://time.com/3623456/sony-hack-unprecedented/

2/2