Fallout from a sobering data breach impacting Sony Pictures Entertainment will undoubtedly take months, even years, to fully assess, but security experts have already begun taking inventory of data exposed in the attack, along with its potential costs to the media giant.
On Thursday, New York-based Identity Finder, a sensitive data management solution provider, shared new insight on the extent of the hack and the resulting data leak. After using its software to crawl more than 33 gigabytes of data leaked by hackers, the company came to the conclusion that more than 47,000 unique Social Security numbers were exposed as a result of the hack.
Todd Feinman, Identity Finder's CEO, said in a blog post that the automated search turned up over 1.1 million Social Security numbers, but that many of them were copied repeatedly throughout leaked files. And, in a Friday follow-up interview with SCMagazine.com, Feinman explained that there were “very few numbers that weren't repeated, and that [SSNs] were often put in places where you wouldn't need a Social Security number.”
Among the 47,000-plus SSNs allegedly exposed, more than 15,000 appeared to belong to current and former Sony employees, he revealed. The rest belonged to an array of individuals who held some business ties with the company, including Hollywood actors (Sylvester Stallone was reportedly among those impacted), Screen Actors Guild members, directors, writers and even makeup artists, Feinman said.
Add this to other company information believed to have been stolen and posted online, such as employee birth dates, medical information, login credentials and sensitive human resources data (like salaries and information on terminations) – and an extensive collection of data emerges as a target for fraudsters or others with ill intentions. In the breach, several Sony films, both released and yet to hit theaters, were also leaked online.
Currently, the FBI has confirmed that it is investigating the hacking incident at Sony Pictures, which hired security firm Mandiant to probe into the matter after its network was taken down last week. Word from Sony confirming the incident's impact, however, has yet to emerge.
Feinman said that a major lesson to be learned from the Sony Pictures leak is that investment in intrusion prevention software, anti-virus, anti-malware and other technologies with similar aims is great, but that such steps won't necessarily minimize damages should an attacker infiltrate an organization.
“I think we should see an emphasis on, not only trying to protect [hackers] from getting in, but on how to protect data when attackers do,” Feinman said.
After uncovering tens of thousands of stolen Social Security numbers, Feinman said that he expects costs arising from the Sony breach to be steeper than the impact of Sony's 2011 PlayStation Network hack. In July, Sony agreed to a $15 million preliminary settlement related to the PSN breach.
“They are at risk of identity theft, not for one year, but really they are going to need lifetime identity theft monitoring,” Feinman said of individuals impacted by SSN leaks.
In a Friday interview with SCMagazine.com, Gerry Stegmaier, an attorney at law firm Goodwin Procter (with expertise in data security and privacy cases), also weighed in on the potential legal implications of the Sony Pictures incident.
He believes that the costliest claims to materialize from a breach of its scope would be “shareholder related litigation alleging deficiency of internal controls and breach of fiduciary duty.”
Shareholder derivative suits were filed against the company boards of both Target and Wyndham Worldwide Corp. following their major breaches, he explained. In such suits, shareholders seek compensation for costs related to an organization's failure to ensure that reasonable security steps are taken to protect customer data.
“Before Target and Wyndham, we knew those claims might come, but no one had filed them,” Stegmaier said. “Once they start, they're not going to stop.”