Sony Didn’t Tell Employees about a February Hack


It is unclear if a newly revealed cyber breach is connected to the gargantuan assault underway at Sony Pictures, but the hackers snatched similarly sensitive records.

Nearly a year ago, attackers grabbed Brazilian Sony files by breaking into "SpiritWORLD," a corporate network the company uses to transfer data around the world. It handles media distribution in 23 territories, in addition to managing prints, booking, grosses & billings.

The data SpiritWORLD deals with is “exactly the kind of data found in the first few rounds of leaks” from hackers calling themselves Guardians of Peace earlier this month—a labyrinth of folders containing financial documents, grosses, media reports, etc., Gawker reports. “If GOP was behind the February hack, it would explain the strangely large number of documents in its data dumps that pertained to Sony's Brazilian markets or were written in Portuguese, possibly indicating Brazil as the origin.”

In a Feb. 12 email, VP of legal compliance Courtney Schaberg tells colleagues that user account credentials for a Sony Pictures “system may have been obtained by an unauthorized party, who then may have uploaded malware.”

Apparently, the names, physical addresses and email addresses of about 760 individuals associated with cinemas in Brazil were taken. “The information was contained in .txt versions of invoices for the theaters,” she wrote.

Since Brazil has no data breach notification laws, Schaberg advised not telling employees about the compromise.

“I recommend against providing any notification to individuals given a) the lack of a notification requirement; b) the limited data fields involved; and c) the fact that notifying would not likely have much effect in terms of mitigating potential damages,” she wrote.