Sony releases a data breach notification letter as the ramifications of the hack continue to wreak havoc
December 17, 2014
If ever there was an argument for proper cyber security, both at the perimeter and within it, it is the cyber attack on Sony and the theft of up to 10 terabytes of data. Sony issued a breach notification letter on 8 December 2014 which relevantly provides:
Sony Pictures Entertainment (“SPE”) is writing to provide you with a summary of SPE’s prior communications regarding the significant system disruption SPE experienced on Monday, November 24, 2014, as well as to provide you with additional detail.
As you know, SPE has determined that the cause of the disruption was a brazen cyber attack. After identifying the disruption, SPE took prompt action to contain the cyber attack, engaged recognized security consultants and contacted law enforcement.
SPE learned on December 1, 2014 that the security of personally identifiable information that SPE received about you and/or your dependents during the course of your employment may have been compromised as a result of such brazen cyber attack. Although SPE is in the process of investigating the scope of the cyber attack, SPE believes that the following types of personally identifiable information that you provided to SPE may have been obtained by unauthorized individuals: (i) name, (ii) address, (iii) social security number, driver’s license number, passport number, and/or other government identifier, (iv) bank account information, (v) credit card information for corporate travel and expense, (vi) user names and passwords, (vii) compensation and (viii) other employment related information. In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, social security number, claims appeals information you submitted to SPE (including diagnosis and disability code), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to us outside of SPE health plans.
As SPE previously notified you, SPE has made arrangements with a third-party service provider, AllClear ID, to offer all employees and dependents twelve (12) months of identity protection services at no charge. As a reminder, to obtain credit monitoring and identity theft insurance, you will need to enrol. On Wednesday, December 3, 2014, you received an email from SonyPictures@AllClearID.com. This email contained your unique, non-transferable activation code for enrolling in the AllClear identity theft protection services. In addition, since December 3, 2014, you have had access to identity repair assistance. AllClear ID’s multi-language call center is available to respond to your questions and assist you Monday-Saturday, from 8 am to 8 pm CST. You may also email AllClear ID’s support center at support@allclearid.com.
For your security SPE encourages you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Neither SPE nor anyone acting on its behalf will contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident SPE is not the entity asking. To protect against possible identity theft or other financial loss, SPE encourages you to remain vigilant, review your account statements, monitor your credit reports and change your passwords…
The ramifications are becoming catastrophic. Data Breach Today provides a very useful summary in Sony’s Breach Notification: The Details, which provides:
The company has also been hit with a class action lawsuit by former employees for failing to protect their private information.
In the letter, Sony Pictures confirmed that personally identifiable information, including healthcare data, for employees and their dependents may have been compromised as a result of a “brazen cyber-attack.”
The official notification follows the widely reported leaks of not just high-quality digital versions of unreleased movies, including a remake of “Annie” and the Brad Pitt World War II drama “Fury,” but also sensitive internal documents listing all employees’ salaries, among other details.
Information Exposed
Information that may have been taken by the hackers, according to Sony’s notification letter, includes names, addresses, Social Security numbers, driver’s license numbers, passport numbers and/or other government identifiers, bank account information, credit card information for corporate travel and expenses, usernames and passwords, compensation and other employment-related information.
In addition, the hackers may have obtained HIPAA protected health information, including health insurance claims appeals information submitted to Sony. That information includes diagnosis and disability code; date of birth; home address; member ID number to the extent that an employee and their dependents participated in Sony’s health plans; and health/medical information provided to Sony outside of the company’s health plans.
Affected employees are being offered free identity protection services for one year through AllClear ID. “To protect against possible identity theft or other financial loss, [Sony] encourages you to remain vigilant, review your account statements, monitor your credit reports and change your passwords,” the company says in its notification letter.
Sony tells its employees in the letter that after the attack, it took prompt action to contain the data breach, engaged security consultants and contacted law enforcement.
Earlier news reports indicated that the health information was taken from various spreadsheets and e-mails. One leaked document, for instance, listed the most expensive medical procedures undertaken by the company’s employees in 2012, according to pop culture news site Fusion. A report by the Japan Times says an e-mail was leaked between Sony’s insurer, Aetna Inc., and its human resources department over a denied claim that contains the name of an employee and the type of surgery the worker’s spouse had.
Sony Pictures has also updated the homepage of its website to notify its employees about the compromise of personal details, including health information.
The company did not immediately respond to a request for comment.
‘Valueless Gesture’
Sony Pictures’ cyber-attack is unprecedented, says Neal O’Farrell, executive director at the Identity Theft Council, “not only in the apparent motivation, but the amount and type of information the thieves got their hands on.”
The fact that impacted individuals are only being offered free identity protection for a year is a “hollow and largely valueless gesture in this case,” O’Farrell contends. “The thieves have so much information [that] many of these employees could be dealing with the aftermath for years – long after Sony has moved on from it. A lifetime of free protection and support would be a minimum, and even that might not be enough.”
Class Action Lawsuit
Sony Pictures is also facing its first class action lawsuit by former and current employees who are blaming the company for failing to protect their private information.
Keller Rohrback, a Seattle-based law firm, filed the lawsuit on Dec. 15 in federal district court in Los Angeles on behalf of several former employees of Sony. The complaint alleges that Sony was negligent and violated various states’ consumer and data protection laws, according to the law firm. In addition, the former employees allege that Sony failed to secure weaknesses that had been known for years, in turn exposing their private information to hackers.
The employees are asking the court to order Sony to pay for enhanced credit monitoring services, identity theft insurance and credit restoration services, among other requests for relief.
“Given the repeated data breaches suffered by Sony, as well as recent significant data breach events in the retailer context, Sony knew or should have known that such a security breach was likely and taken adequate precautions to protect its current and former employees’ [personal information],” the complaint says.
Breach Recap
On Nov. 24, Sony Pictures Entertainment was hit with destructive “wiper” malware identified as “Destover,” which is also known as “Wipall.” The malware reportedly infected and erased hard drives at the movie studio (see: Sony Hack: ‘Destover’ Malware Identified). Following the attack, a group called Guardians of Peace claimed credit.
The Federal Bureau of Investigation confirmed Dec. 1 that it’s assisting in the Sony breach investigation. “The FBI is working with our interagency partners to investigate the recently reported cyber-intrusion at Sony Pictures Entertainment,” the FBI said in a statement provided to Variety. “The targeting of public and private sector computer networks remains a significant threat, and the FBI will continue to identify, pursue and defeat individuals and groups who pose a threat in cyberspace.”
Three weeks following the attack, Sony hired a prominent U.S. attorney to threaten to sue media outlets that reproduce the leaked information, and to demand that they delete all leaked e-mails, contracts and other information.
There will be many lessons for cyber security experts from the breach and the ongoing leakage of stolen material. Similarly, there are already many lessons to be learnt by privacy practitioners. For both groups a key issue is the extent to which data was segmented within the organisation and whether sensitive data was encrypted at rest. It is unrealistic to assume a breach won’t occur; the issue is then how quickly a breach can be detected and how far it can be contained. The other issue is the extent to which the reputational damage can be minimised. In an industry of towering egos and significant investment in IP, the loss of movies and the publication of frank email exchanges is trashing Sony’s relationship with its producers and actors. As the breach notification letter makes clear, employee details were also purloined, which has resulted in the loss of sensitive information in the form of health records, as reported in Sony’s Hacking Nightmare Gets Worse: Employees Medical Records Revealed. Sony’s developing strategy has been to reassure staff, as reported in Sony Pictures CEO at Town Hall Meeting: ‘This Will Not Take Us Down’, and to apologise to those whose names were taken in vain in emails, as reported in Sony Hack: Amy Pascal Apologizes to Harvey Weinstein, Lining Up Studio Supporters.
The Sony’s Hacking Nightmare Gets Worse article provides:
Documents stolen from Sony Corp. (6758) by hackers include detailed and identifiable health information on more than three dozen employees, their children or spouses — a sign of how much information employers have on their workers and how easily it can become public.
One memo by a human resources executive, addressed to the company’s benefits committee, disclosed details on an employee’s child with special needs, including the diagnosis and the type of treatment the child was receiving. The memo discussed the employee’s appeal of thousands of dollars in medical claims denied by the insurance company.
Another document leaked in the hack is a spreadsheet from a human resources folder on Sony’s servers that includes the birth dates, gender, health condition and medical costs for 34 Sony employees, their spouses and children who had very high medical bills. The conditions listed include premature births, cancer, kidney failure and alcoholic liver cirrhosis. The document doesn’t include employees’ names.
A Sony spokesperson didn’t respond to a request for comment.
The health documents are part of a devastating computer attack on the company’s Culver City, California-based unit Sony Pictures that sent thousands of files circling the Web between various file-sharing sites used by hackers. The information revealed has included the salaries of thousands of employees and e-mails taking shots at President Barack Obama and at Hollywood stars like Angelina Jolie. The release of the health information could be some of the most damaging material, said Deborah Peel, director of Patient Privacy Rights, a non-profit group.
Most Sensitive
“This stuff will haunt all those people the rest of their lives. Once it’s up on the Internet it is up in perpetuity,” Peel said.
“This is a thousand times worse than that other stuff,” she said, referring to salary information and personal e-mails. “Health information is the most sensitive information about you.”
Hackers who call themselves Guardians of Peace have been releasing batches of documents every few days since the breach garnered global headlines Nov. 25. Sony is conducting an internal probe that has linked the attack to hackers known as DarkSeoul, according to two people familiar with the company’s investigation. Media reports have tied the group to North Korea. Tokyo-based Sony hasn’t made that association publicly.
Denied Claims
One e-mail between Sony’s insurer, Aetna Inc., and its human resources department over a denied claim contains the name of an employee and the type of surgery the worker’s spouse had. Another between health insurer Anthem Inc. and Sony’s human resources department includes the name of an employee and an unresolved claim for speech therapy sessions.
In the memo discussing denied claims for the employee’s special-needs child, Sony’s human resources department went into great detail on the type of treatment the child was getting, how the child was faring, the location of the facility and conversations the insurer had with the child’s care providers. Peel said that level of detail shouldn’t have been shared, especially the child’s name, which isn’t relevant to making a determination about the claim.
“This is the absolute worst nightmare for this employee and their family,” said Peel. “Why they are doing this with the name and location and all the identifiable information is beyond me.”
Not Uncommon
Carol Olsby, who has worked in human resources at large technology companies, said it wasn’t uncommon at her former employers for workers’ names and medical conditions to be shared in e-mails or for the companies to have a file of the most expensive medical claims.
Employers would sometimes get a list of the costliest claims from an insurer to justify a rate increase, she said. For example, if a company had employees who’d developed costly chronic conditions, like a type of cancer or kidney failure, or had a premature baby, the insurer could argue that rates should rise.
Olsby, who now runs consulting firm Carol Olsby & Associates Inc., also said it wasn’t uncommon for employees to e-mail human resources with medical information related to a denied claim. In all cases, she said the companies would try to keep the information on a “need-to-know basis.”
As a result, employees have commenced a class action, as reported in Sony Hit With Class Action Lawsuit by Ex-Employees.
The hack has resulted in a mass of knock-on reports such as Sony Pictures Hackers Release Brad Pitt’s Phone Number, What the Sony Hack Reveals About the Movie Business, Sony executive Amy Pascal apologizes for embarrassing e-mails that have leaked and