http://fusion.net/story/31469/sony-pictures-hack-was-a-long-time-coming-say-former-employees/
“Sony’s ‘information security’ team is a complete joke,” one former employee tells us. “We’d report security violations to them and our repeated reports were ignored. For example, one of our Central European website managers hired a company to run a contest, put it up on the TV network’s website and was collecting personally identifying information without encrypting it. A hack of our file server about a year ago turned out to be another employee in Europe who left himself logged into the network (and our file server) in a cafe.”
The information security team is a relatively tiny one. On a company roster in the leaked files that lists nearly 7,000 employees at Sony Pictures Entertainment, there are just 11 people assigned to a top-heavy information security team. Three information security analysts are overseen by three managers, three directors, one executive director and one senior vice president.
Another former employee says the company did risk assessments to identify vulnerabilities but then failed to act on advice that came out of them. “The real problem lies in the fact that there was no real investment in or real understanding of what information security is,” said the former employee. One issue made evident by the leak is that sensitive files on the Sony Pictures network were not encrypted internally or password-protected.
...
Sony Pictures has said little about its security failures since the hack, but seven years ago, its information security director was very chatty about “good-enough security.” Back in 2007, Jason Spaltro, then the executive director of information security at Sony Pictures Entertainment, was shockingly cavalier about security in an interview with CIO Magazine. He said it was a “valid business decision to accept the risk” of a security breach, and that he wouldn’t invest $10 million to avoid a possible $1 million loss. He seemed not to consider the costs of a breach that are harder to immediately calculate, such as the blow to a company’s reputation, the loss of trust among employees, or the possibility that James Franco might be upset that the world now knows he gets paid $6,000 to drive himself to movie sets. The current debacle is Sony’s second major headline-making breach; in 2011, hackers got access to data for millions of PlayStation users.
Spaltro told the magazine a little tale: The year before, in 2006, an auditor told him that Sony’s employees were using terrible passwords — nouns rather than random combinations of letters, numbers and symbols. Spaltro bragged that he had convinced the auditor it wasn’t a big deal: he’d rather have employees using terrible passwords than writing them down on Post-it notes attached to their screens. Sure, valid point, but ideally the head of infosec could offer up a better solution than, “Let them keep using their terrible passwords.”
Seven years later, Spaltro is still overseeing data security. Now senior vice president of information security, he is paid over $300,000 this year according to one of the leaked salary documents — and that will get bumped over $400,000 if he gets his bonus. It’s unclear if a massive hack and complete failure of security is a bonus-breaker.