Sony Pictures claims the attack on its internal systems was "unprecedented", but digging into the gigabytes of internal company files shows the studio was aware of gaping security holes in its network months before the attack.
An email unearthed by Re/code shows Sony Pictures general counsel Leah Weil speaking with representatives from PricewaterhouseCoopers conducting a security audit of the company's computer systems. In the exchange, the auditors said they discovered an unmonitored firewall and more than a hundred other devices that were not under the supervision of Sony's corporate security team in charge of monitoring infrastructure.
"Security incidents raising these network or infrastructure devices may not be detected or resolved timely," said the PricewaterhouseCoopers auditors.
The two-week audit, which was conducted from mid-July to the beginning of August, found that Sony had failed to notify its security team of new devices after transferring from a third-party provider and providing a team with the current inventory at the end of July.
The email also shows there was a difference between the list of devices that the security team was supposed to monitor and the list of devices it was actually monitoring. The result, PricewaterhouseCoopers said, was that Sony might have omitted certain network devices, including "critical security devices" that may not be monitored.
Sony replied to the report, which was dated Sept. 25, saying it did not apply "the same level of rigor" to devices such as routers and web servers because it was setting its sights on perimeter devices.
The report comes as Sony battles for survival after a devastating cyberattack in which a group named Guardians of Peace (GOP), linked to North Korea, crippled Sony Pictures' entire computer system and stole massive amounts of sensitive company information that is slowly being leaked by the hackers through file-sharing websites.
The latest in the damaging chain of strikes against Sony after the Nov. 24 cyberattack involves Sony Pictures partners cancelling shootings indefinitely. According to a source cited by the Times of London, Sony is reportedly unable to process payments because the intrusion wreaked havoc on its payments processing system.
The leaked emails also show a series of embarrassing exchanges among top-ranking Sony executives insulting everyone from President Barack Obama to Angelina Jolie, whom movie producer Scott Rudin, known for his Academy Award-winning "No Country for Old Men," called a "minimally talented spoilt brat" with a "rampaging ego."
In one exchange with Sony co-chairperson Amy Pascal, Rudin made a racist jab at the President when she asked Rudin if she should ask the President if he liked Django, referring to "Django Unchained" by Quentin Tarantino.
"12 years," answered Rudin, before the two went on a back-and-forth referencing movies starring African-American actors such as "The Butler," "Think Like a Man" and "Ride Along" that the President might like.
"I bet he likes Kevin Hart," said Rudin.
In one of the emails, Sony CEO Michael Lynton called Hart a "whore" after he asked to receive compensation for promotional tweets. Both Pascal and Rudin have apologized for the exchange, with Pascal saying that the content of her emails was "insensitive and inappropriate" and "although this was a private communication that was stolen, I accept full responsibility for what I wrote and apologize to everyone who was offended."
But, in all probability, it will take more than an apology from Pascal to turn her and her company's fortunes around. Beyond the embarrassing emails, the hackers have leaked all sorts of company documents, including four unreleased films and private information concerning Sony Pictures' employees. Initially, the documents contained the Social Security numbers and private home addresses of thousands of employees. But as if that was not bad enough, the subsequent links also included identifiable health information on dozens of employees and their family members.
"This is a thousand times worse than that other stuff," says Deborah Peel, director of non-profit group Patient Privacy Rights. "Health information is the most sensitive information about you. This stuff will haunt all those people the rest of their lives. Once it's up on the Internet it is up in perpetuity."
A memo signed by a human resources executive discussed the details of one employee's appeal to an insurance company, which denied claims for the diagnosis and treatment of the employee's child with special needs. Another document was a spreadsheet disclosing the details on 34 Sony employees and their families who had very high medical bills, with conditions ranging from premature birth to cancer and liver cirrhosis.
Sony has hired security firm FireEye's Mandiant unit to clean up after the attack. The Federal Bureau of Investigation (FBI) has already stepped in to probe who is behind the intrusion. Although the agency has yet to reveal its suspects, reports citing people familiar with the investigation claim investigators are pointing to the Pyongyang administration as the mastermind.
Earlier this year, representatives from North Korea repeatedly slammed "The Interview," an upcoming comedy film about a CIA-backed plot to assassinate North Korean leader Kim Jong-Un. While North Korea has denied involvement in the attack, a spokesperson for the government said it was pleased that the country's "supporters and sympathizers" are coming out to aid in its war against "U.S. imperialism."
Sony has denied the hackers' demands to pull out "The Interview" before it debuts in American theaters on Christmas Day. Nonetheless, U.S. authorities speaking to Reuters say the company is worried that it might face more cyberattacks after the movie is released.
"They are spooked," one official familiar with the matter says.