When the hacker group Guardians of Peace (GOP) leaked the eighth cache of files on Sunday afternoon, they included a message to Sony Pictures Entertainment (SPE) staffers. “We have a plan to release emails and privacy of the Sony Pictures employees. If you don't want your privacy to be released, tell us your name and business title to take off your data.” The hackers claim to be preparing a “Christmas gift” of “larger quantities” and “more interesting” data that will “put Sony Pictures into the worst state.” If SPE doesn't meet the GOP’s demands, the data leaks will continue. The Pastebin post didn't specify what those demands are, but if the demands are not met, then the end game, according to GOP, is for Sony to “go bankrupt.”
Although Sony apparently doesn't intend to meet those demands, the company issued demands of its own…not to the hackers but to some media outlets. So far, The New York Times, Gawker, Variety, The Hollywood Reporter and Re/code have received a threatening letter from Sony’s attorney David Boies. It states, "SPE does not consent to your possession, review, copying, dissemination, publication, uploading, downloading or making any use of the stolen information."
Note Sony’s reference to the leaks as being part of “an on-going campaign explicitly seeking to prevent SPE from distributing a motion picture.” That film apparently is The Interview, a comedy about assassinating North Korean leader Kim Jong-Un. Sony moved the movie’s release date from October to Christmas Day. There have been many reports in the news that the film is behind the massive cyberattack on Sony.
Sony’s letter to media outlets goes on to state that if a publication suspects it has any of Sony’s “Stolen Information” in its possession, it should notify Sony and stop anyone from “examining, disseminating, distributing, publishing, downloading, uploading, or making any other use of the Stolen Information.” Sony also expects publications to destroy all copies of the information and confirm the deletion was completed.
If the media outlet does not comply with Sony’s demands to delete its data leaked by hackers, then Sony “will have no choice but to hold you responsible for any damage or loss arising from such use or dissemination by you.”
Can Sony sue media outlets publishing details of the hack? “Probably not,” according to University of California law professor Eugene Volokh. Although it is not an open and shut matter, Volokh said that so long as media outlets are not stealing Sony’s data themselves, then publications reporting on the stolen data generally are protected by the First Amendment.
Although the horrifying scope of the Sony hack had many people feeling pity for Sony, that might melt away when the company, which is choosing not to give in to threats, then chooses to threaten the media. The companies hacked and raked over the coals by LulzSec surely didn't want their internal corporate data dumped into the public for viewing either. They weren’t foolish enough to threaten legal action for reporting on the leaked info.
Not everyone agrees that leaked data is fair game for reporting. In an Op-Ed for the New York Times, screenwriter and producer Aaron Sorkin said media outlets that report on Sony’s stolen data are “morally treasonous and spectacularly dishonorable.” He added, “As demented and criminal as it is, at least the hackers are doing it for a cause. The press is doing it for a nickel.”
If the hack really is all about trying to stop Sony from releasing The Interview, then isn't the company going ahead with the movie so it can make a “nickel” too? Or is it because it has First Amendment rights, the same as news organizations do?
In Sony’s case, Joseph Demarest, the FBI’s cyber-division assistant director, said “the malware that was used would have slipped or probably gotten past 90% of Net defenses that are out there today in private industry and [likely] challenged even state government.” The cybersecurity firm Mandiant called the hack an “unparalleled and well-planned crime.”
Sure, being the victim of the worst cyberattack the public has ever witnessed is embarrassing for Sony; maybe the malware could have gotten past the defenses of a company with great security practices, but SPE had very lax security.
Sony allegedly kept silent about when it was breached in February and chose not to warn the people whose sensitive data was stolen. It kept a file called password that contained all manner of social media and web account passwords. A leaked IT audit even showed that the company was well aware of its poor security practices. In fact, after the latest leak, Gawker reported that a spreadsheet listing all Sony online properties “shows just how little Sony cared about the privacy of its customers and employees: millions of private records were stored without any encryption.”