When news initially broke that hackers had infiltrated Sony Pictures and stolen information, much of the discussion revolved around the five movies stolen and the effect of the leak at the box office. But as media delved further into the released files, it turns out the hack was a lot worse than originally anticipated—and signals a growing trend in state sponsored corporate espionage.
For starters, only 40GB of the alleged 100 terrabytes of data have been released so far, but the information that has been sifted through so far has been a veritable nightmare for Sony Pictures. Reporters from Buzzfeed sifted through the leaked material and found that the cleanup is going to be much more costly to Sony than a dent at the box office:
The data dump, which was reviewed extensively by BuzzFeed News, includes employee criminal background checks, salary negotiations, and doctors’ letters explaining the medical rationale for leaves of absence. There are spreadsheets containing the salaries of 6,800 global employees, along with Social Security numbers for 3,500 U.S. staff. And there is extensive documentation of the company’s operations, ranging from the script for an unreleased pilot written by Breaking Bad creator Vince Gilligan to the results of sales meetings with local TV executives.
Though the files are rife with embarrassing performance evaluations and executive compensation reports, internal memos that grumble about the “soul-less” nature of Sony’s movies, and complaints of more “mundane, formulaic Adam Sandler movies,” there’s likely more cause for alarm than the PR panic.
According to a post by Lynn Sessions and Nita Garg on Health Law Update, the information that may seem less salacious to the general public–employees’ medical history, for instance– could be the most valuable information for malicious hackers:
…the theft of medical information is far more lucrative to would-be criminals than credit card information. Health information (which includes such data as patient names, birthdates, policy numbers, diagnosis codes and billing information) can be sold on the black market for 10-20 times the value of a U.S. credit card number. Additionally, unlike credit cards, which may be quickly canceled once fraudulent activity is detected, it often takes months or years before patients or providers discover the theft of medical information.
But with the networked nature of the Internet, there’s been a growing prevalence of companies being hacked and their employees being doxxed. Perhaps the most surprising thing is the increase in the state-sponsored nature of these attacks. Earlier this year the U.S. government risked diplomatic relations when they charged five Chinese hackers with stealing information from U.S. corporations, the first time the U.S. has publicly accused employees of a foreign power with cybercrimes.
In an interview with LXBN TV following incident, Steptoe & Johnson’s Stewart Baker, formerly with the National Security Agency and Department of Homeland Security, said that when he asked a former FBI official about how many members of the Am Law 100—the top 100 American law firms—had been compromised by attacks from China’s People’s Liberation Army, he responded “about 100.” Law firms are frequently targeted by hackers because they are, frequently, seeking out the weakest link in any corporations’ data security measures. Law firms, who handle a multitude of corporate documents littered with trade secrets.
As, apparently, are U.S. energy companies. As Stuart Kaplow of Green Building Law Update writes, by targeting U.S. energy companies Chinese solar product manufacturers were able to take trade secrets and undercut those they stole them from:
While the mainstream media described the U.S. corporate victims as in the nuclear power and metals industries and a labor organization, scant attention has been paid to the fact that one of the businesses is a solar panel manufacturer.
The indictment made public this past Monday, alleges that Wen Xinyu, one of five named defendants, who is officer in Unit 61398 of the Third Department of the Chinese People’s Liberation Army, hacked the computers of U.S. subsidiaries of SolarWorld AG several times to glean its strategy in a trade dispute with China.
In 2012, at about the same time the Commerce Department found that Chinese solar product manufacturers had “dumped” products into U.S. markets at prices below fair value, Wen and at least one other, unidentified co-conspirator, stole thousands of files including information about SolarWorld’s cash flow, manufacturing metrics, production line information, costs, and privileged attorney-client communications relating to ongoing trade litigation, among other things. The information enabled Chinese competitors to target SolarWorld’s business operations aggressively from a variety of angles.
In response, SolarWorld AG CEO Frank Asbeck wrote an open letter (PDF) to President Obama—one that underscores how dangerously real-world these hacks quickly become—pleading for support as his company battles aggression from China.
I must tell you respectfully, President Obama, that illegal trade practices threaten to destroy any ongoing U.S. role in global solar-industry competition. China is improperly seizing control of an industry that the United States invented, pioneered and grew.
Beginning a few years ago, the Chinese government saw an opportunity not to join but to exploit and dominate this growing industry, as it has done with many other industries. Through state planning, billions of dollars of government subsidies and below-cost pricing, China built massive solar production capacity – enough to supply the world twice over – and drove down pricing to unsustainable levels. It harvested U.S. taxpayer-funded incentives, while keeping foreign competitors out of its own market.
This drive has hurt and bankrupted dozens of well-run U.S. solar manufacturers and cost the jobs of
thousands of U.S. employees. In late January, Sharp Solar became the latest to announce it would exit
the U.S. solar manufacturing industry.
China’s illegal practices have hurt solar investment, research and development and, throughout the solar industry’s supply chain, curtailed the innovation and bright futures of many businesses, their workers and numerous communities.
We don’t yet know if the Sony breach is an act of state-sponsored corporate espionage; not much is known about the group #GOP, which stands for Guardians of the Peace (so far no partisan connection has been discerned). Early speculations suggested that the North Korean government was responsible, allegedly a retaliation for Sony’s upcoming film “The Interview.” North Korea initially responded “wait and see,” but a diplomat announced Thursday morning that his country had nothing to do with it.
For now, we can only sit and watch this story–and the wealth of unfortunate secrets–unfold. The true scope of the breach probably won’t be known for a while. While there’s not much solace to be taken in the apparent lack of Sony’s security standards, it’s comforting to know that even studio officials can’t get on board with another Adam Sandler flick.