Sony Pictures’ security team had few resources and a poor reputation among its employees, according to new reports about the company-wide hack that led to leaked movie budgets, salary information, social security numbers and unreleased films.
Unnamed sources with ties to the company told Fusion that Sony had a lax attitude towards security. “Sony’s ‘information security’ team is a complete joke,” one former employee said. “We’d report security violations to them and our repeated reports were ignored.”
Just 11 people are assigned to the information security team out of a company of 7,000 employees, according to leaked files discovered by Fusion. Only three people on the team are not managers or directors.
The executive director of information security at Sony Pictures, Jason Spaltro, told CIO Magazine in a 2007 interview that it may be “a valid business decision to accept the risk” of a security breach, depending on the cost of investing in security and the cost of a successful attack.
Sony is offering one year of free credit monitoring and fraud protection to current and former employees, the Wall Street Journal reports.
Many experts speculate the recent breach, which is now being investigated by the security firm FireEye as well as the FBI, was perpetrated by North Korea, though a Pyongyang diplomat recently denied his country was responsible.