Sony hack: it's big, bad, and we need to know what happened

The hack on Sony Pictures Entertainment has already cemented itself as one of the world's largest-scale security breaches, and it's continuing to go from bad to worse by the day.

Since reports surfaced two weeks ago about what appeared to be a denial of service attack against SPE, the targeted attack on the company's systems has turned into what is potentially one of the largest data breaches ever.

North Korea has been fingered for the attack but is officially denying involvement.

The theory is that hackers associated with the communist dictatorship were retaliating against a Sony-produced comedy, The Interview, which depicts the country's supreme leader Kim Jong-Un being assassinated.

The security firm hired to clean up after the attack has called the hack "unparalleled" and "well-organised".

But while the scale of the calamity certainly lends itself to that perception, the data leaked to the internet from the hack suggests the hackers may have had a very easy time of it.

The size of the leak is vast: well over a 100 terabytes of data. It includes sensitive corporate and personal information, and importantly, passwords and other items like private encryption keys that point to negligent sysadmin practices at SPE.

Snagging such a large amount of data was impressive, according to a security researcher who asked not to be named, but the fact that it "went unnoticed is probably an indication of the sheer volume of bits the servers and network(s) it was transported through normally carry."

It also indicates that the hackers themselves didn't need complex tools to breach the networks.

"The rest is just down to the usual sloppy system admin that passes for current industry/best practice, and realistically probably just indicates how much more massive the as-yet-not-noticed (or, at least, reported) other ongoing hacks are," the researcher said.

"That pretty much anyone on your typical corporate network can still run pretty much any executable or interpretable code is gross stupidity, and therefore, that it is so common, is gross negligence."

Harsh, but SPE is far from alone in the mega-leak stakes.

As for the destructive malware that crippled the Sony networks - referred to as "undetectable" by the US FBI - my researcher friend suggested the law enforcement agency might be confusing that term with "previously undetectable".

Technical fellow at anti-virus vendor ESET Peter Kosinar agreed the malware wasn't undetectable, but more likely not spotted by SPE's security measures at the time - which is quite a different matter.

What's important now is that SPE does not sweep what happened under the carpet. The seriousness of the attack - and we're yet to learn the full effect of it - means SPE must be made to disclose the details around the hack, no matter how much it hurts corporate pride.

Details are likely to come out during the court action that will inevitably follow. Retail chain Target, which found itself with malware on its point of sales terminals that purloined millions of customers' credit and banking card information, is currently being sued for that massive security breach, with banks joining in on the legal fray [pdf].

Sony Pictures Entertainment could redeem itself considerably if it proactively disclosed what happened, prior to any legal action.

But the silence from the company so far suggests we should probably not hold our breath.

Time again to call for mandatory data breach disclosures, in other words. How many more megahacks do we need before that sinks in?