Sony: North Korea ate our Q3 homework

Sony announced Friday that it will miss the deadline for posting its third-quarter earnings report, blaming the hack that wreaked havoc on its movie division last year.

According to a filing with Japanese regulatory authorities, the company said it needs more time to repair its ailing IT infrastructure, which has remained offline since November in the wake of a massive leak of confidential information.

Citing “the amount of destruction and disruption that occurred, and the care necessary to avoid further damage by prematurely restarting functions,” Sony said they expect parts of the Los Angeles movie studio’s intranet to remain offline until sometime in February, preventing accountants from offering final numbers.

In the same document, strangely, Sony concludes with the following claim: “While Sony continues to evaluate the impact of the cyberattack on its financial results, it currently believes that such impact is not material.”

Wait, seriously?

Sony Pictures Entertainment, without question, suffered the most devastating cyberattack in history. Week after excruciating week, Sony stood helpless as attackers unleashed terabytes of stolen information. This included social security numbers, sensitive emails, passwords, executive salaries, home addresses, passport scans, unfinished movie scripts, and complete, unreleased feature films.

(U.S. authorities have concluded that the cyberattacks were executed by North Korea to force the cancellation of “The Interview,” despite a chorus of independent analysis casting doubt on this assertion.)

In an ill-advised concession to hackers’ demands, whoever they may be, Sony messily canceled the theatrical release of “The Interview,” losing perhaps $200 million in potential revenue, according to Bloomberg.

This is same Sony (albeit another division) that was part of a lawsuit calculating $675,000 in damages because one college student pirated thirty songs. The defendant’s guilt notwithstanding, that’s a substantial calculation of lost income.

But piracy isn’t the only thing that eats potential income. What about shelling out years of identity theft monitoring for thousands of current and former employees? Or the swell of multimillion-dollar class-action lawsuits?

Here’s an excerpt from one:

“Cybercriminals were able to perpetrate a breach of this depth and scope because SPE failed to maintain reasonable and adequate security measures to protect the employees’ information from access and disclosure,” read the suit in part. “Sony has statutory obligations to protect its employees’ employment and personnel records from unauthorized access, yet failed at numerous opportunities to prevent, detect, end, or limit the scope [of] the breach.”

How does Sony intend to defend itself when its own internal (and, ironically, leaked) IT assessments noted that “information security concerns on a desktop are often left to a desktop technician/engineer to identify and resolve with no clear guidelines of responsibility”?

How does Sony intend to defend itself when it stored thousands of personal and corporate passwords in unencrypted plaintext on company-wide file-shares?

Above: The fourth file is titled “SSL Certs On Windows Servers.xlsx.” Ouch.

Image Credit: Gawker

To reiterate: on the heels of the largest corporate hack in history, in which terabytes of critical and private information were released to the public, Sony expects the impact to be negligible.

Whether that impact is more or less negligible than Sony’s other major leak, which contained the payment information of 77 million users and resulted in a $15 million payout, remains to be seen.