December 11, 2014
By David Shadovitz, HRE's The Leader Board
By now, I’m sure most of you are quite familiar with Sony’s data breach, which has occupied headlines over the past couple of weeks.
As you might expect, much of the attention surrounds the hacker’s decision to post some of Sony’s yet-to-be-released movies, including a remake of Annie and a new film titled The Interview — a comedy about two American journalists who are recruited to assassinate North Korea’s leader Kim Jong-un. A group named Guardians of the Peace have taken credit for the cyber attack, but some have speculated the North Korean government could be the real culprit here, since it’s none too pleased with The Interview’s storyline. (Others doubt this is the case, and North Korea has publicly denied its involvement.)
Tom Kellermann, chief cybersecurity officer at the private security firm Trend Micro, told the New York Times after the story broke that “unlike stealth attacks from China and Russia, Sony’s hackers not only aimed to steal data, but also to send a clear message. ‘This was like a home invasion where, after taking the family jewels, the hackers set the house ablaze,’ ” he said.
Though it certainly has been well covered in the mainstream press, just a tad less attention has been paid to the non-creative information liberated from Sony’s computers—employee Social Security numbers, healthcare records, salary information and performance reviews. Sure, Sony isn’t the first to experience such an HR data breach, but there’s little question the scope and nature of the information made public (which includes salaries of executives) make this breach especially noteworthy.
I can only imagine the kind of disruption this is likely causing at Sony—and the toll it’s taking on productivity. Not to mention the financial toll it’s going to have.
I also have to think more than a few CEOs, after reading the various stories appearing in the press, were once again wondering, “Could something like this occur here?”
Yesterday, I asked Gordon Rapkin, CEO of Archive Systems, an HR-document-management firm based in Fairfield, N.J., for his take on what happened at Sony.
“My impression is a chunk of the Sony HR breach has to do with people there who kept things on their computers that shouldn’t have been kept there,” he said. What the field, he adds, calls “shadow files.”
What’s more, Rapkin said, the fact that all this information was unprotected and unencrypted and seemed to be available in the same trove that was pilfered is pretty surprising. “Usually,” he said, “[the information] is carved up in different systems and kept in different files—with salary information in one place, benefit information in another, and employment and performance in a third. But here, it looks as though all of this was accessible in the same place. That’s surprising, especially when you consider HR information represents some of the more sensitive data a company possesses.”
Lisa Rowan, vice president of research at IDC in Framingham, Mass., agrees. “It seems odd for [these] to be stored together,” she said.
At a recent records-management conference he attended, Rapkin said his company surveyed attendees on how many felt HR followed their organization’s information-governance policies. One-third of those queried, he said, responded that HR didn’t follow those policies and procedures. Hardly a vote of confidence.
Perhaps Sony is the latest company to get hit, Rapkin explained, but, he added, “I think the problem may be fairly common.”