Running head: CASE STUDY OF SONY PICTURES HACKING CRISIS 1

Case Study of Sony Pictures Hacking Crisis

Megan Anderson

Messiah College

Crisis Communication

Anthony Eseke

April 5, 2017
CASE STUDY OF SONY PICTURES HACKING CRISIS 2

Case Study of Sony Pictures Hacking Crisis

Introduction

With our society relying more and more on technology, there comes new and even unknown

risks. Technology is not always safe and can be breached. Hackers can infiltrate online databases

and release confidential information to the public that can be both financially and reputationally

damaging to a company. In 2014, Sony Pictures Entertainment experienced one of the worst

cyber-attacks to date. Crisis managers can learn a lot from this case study including what to do

and what not to do during a cyber-attack crisis. This paper will highlight the importance of the

having a crisis plan in place.

History of Sony

In 1919 three men, Jack Cohn, Harry Cohn, and Joe Brandt, founded CBC Film Sales.

Shortly after, in 1921, Colombia Pictures Corporation bought CBC Film Sales. As film and

television became increasingly popular, Colombia Pictures experienced great success. For

example, in 1948 it was one of the first studios to work in television. The Coca-Cola Company

then bought Columbia Pictures Industries, Columbia Pictures parent company, in 1982.

Columbia Pictures continued to grow and merged with TriStar Pictures and forms Columbia

Pictures Entertainment in 1987. Coca-Cola then sold Columbia Pictures Entertainment in 1989 to

Sony Corporation. The company then changed the name to Sony Pictures Entertainment in 1991

and has continued to grow ever since (Company History, 2017).

Sony Pictures Entertainment is just one aspect of its parent company Sony Corporation.

Sony Corporation is a large and powerful company that has its hands in many different markets.

Sony has held the mission that it is a company that inspires and fulfills your curiosity ever

since its founding in 1946 ("Corporate Info," 2017). Sony Corporation was founded in Tokyo
CASE STUDY OF SONY PICTURES HACKING CRISIS 3

Japan by Masaru Ibuka. Ever since 1946, Sony Corporation has expanded in multiple ways,

including expanding to different countries and expanding to new products. In a study conducted

in 2008, it was found that only 23.2 percent of Sonys sales and operating revenue in the fiscal

year were originally recorded in Japan ("Sony Corporation Form 20 F," 2008, p. 10). This is

just one fact the highlights how Sony Corporation has been expanding. The expansion is also

evident when looking at the extensive number of subsidiaries own by Sony Corporation. In 2008,

it was recorded that Sony had 991 consolidated subsidiaries ("Sony Corporation Form 20 F,"

2008, p. 2). A small sample of the subsidiaries include Sony Mobile, Sony Music, Sony Europe,

Japan Display, Sony Real Estate Corporation, and Sony South Africa ("Sony Corporation Form

20 F," 2008). Even Sony Pictures Entertainment has different divisions. The three divisions

included in Sony Pictures Entertainment are Sony Pictures Motion Picture Group, Sony Pictures

Studio, and Sony Pictures Television (Company History, 2017). Sony Corporation is a very

large and extensive company. Being such a huge organization brings a large threat of potential

crises.

Sony Corporation has a complicated history of experiencing hacking crises. Sony has

been the target of multiple cyber-attacks. It all started in 2005, when Sony created a copy

protection software that was supposed to stop music pirating. The program actually changed the

consumers computer system and ended up making the computer more vulnerable to hacking.

This scandal has been accredited to the start of Sonys problems because it angered the public,

especially the hacker community. Then in 2010 a 17-year-old, George Hotz, hacked his

PlayStation. By doing so he was able to pirate games and he release the codes to the public.

Sony retaliated by suing Hotz and other hackers involved. This angered hackers further. In

reaction to Sonys action a group called Anonymous threatened and took down in PlayStation
CASE STUDY OF SONY PICTURES HACKING CRISIS 4

system in two weeks. The complete system was down for 23 days and costed Sony $171 million.

The following six months lead to over 21 more cyber-attacks. Some were not serious, but some

caused major damage. For example, one hacking group stole over 1,000,000 account information

such as passwords and even home addresses. Information breaches like this caused Sonys stock

price to fall 40 percent (Estes, 2104). Sonys history of being prone to cyber-attacks lowered the

publics trust of Sony Corporation.

Crisis Overview

Unfortunately for Sony, this was just the beginning of the cyber-attacks it experienced. In

2014, Sony Pictures Entertainment experienced what was labeled as the worst cyber-attack on a

United States company. The reason for this is because it seems to have a larger effect on the

country instead of just the company. This hack was unique in nature because it was not after

personal information such as credit card and banking data. This particular hack had a bigger

purpose which the government believes was an attack on the United States. The government

blames North Korea of the attack (Sullivan, 2016). This cyber-attack was and still is a long-

complicated crisis for Sony.

It started on November 24, 2014 when the hackers obtained all of Sonys internal data.

They demanded that Sony complied with all of their demands. Due to the technological breech

Sony was forced to work without any of technology including all phones, computers and emails

for weeks. In the beginning of the attack it was uncertain who was responsible for the attack but

by November 28th, North Korea became a main suspect.

The hacking was very dangerous because it leaked a majority of Sonys private

information. The information began to be leaked as early as November 27th. The first leak was

five Sony movies which were put on online sharing hubs. These movies were Fury, Annie, Mr.
CASE STUDY OF SONY PICTURES HACKING CRISIS 5

Turner, Still Alice, and To Write Love on Her Arms. On December 8th, bonus salaries on Sony

executives were leaked as well as salaries of more than 6,0000 employees. Information of the

cast and crew of many movies were shared as well. This included passports and visas of

celebrities like Angelia Jolie and Johan Hill. (Robb, 2014)

The cyber-attack was extremely damaging to Sonys reputation because the hackers

gained access to private email conversations of the employees. The conversations that were

shared were very negative. One example is a collection of Sony employees critiques of the actor

Adam Sandlers movies. Amy Pascal, co-chairman of Sony Pictures, conversations were also

shared with the public. In one email she was discussing Angelina Jolie and her film Cleopatra

and Pascal said Im not destroying my career over a minimally talented spoiled brat (Robb,

2014). Another one of Pascals conversations with Scott Rudin, producer, was released on

December 10th. This conversation was about Barack Obama and that his so called favorite

movies all are black-themed. (Robb, 2014)

A substantial amount of the crisis surrounded one movie in particular, The Interview. The

comedy stars Seth Rogan and James Franco whose characters are sent to assassinate the North

Korean leader. This is one reason that North Korea is a main suspect for the attack. The hackers

said this on December 16th:

We will clearly show it to you at the very time and places The Interview be shown,

including the premiere, how bitter fate those who seek fun in terror should be doomed

to. Soon all the world will see what an awful movie Sony Pictures Entertainment has

made. The world will be full of fear. Remember the 11th of September 2001. We

recommend you to keep yourself distant from the places at that time (Robb, 2014).
CASE STUDY OF SONY PICTURES HACKING CRISIS 6

Shortly after this very threatening statement, the FBI confirmed that North Korea was behind the

attack although North Korea denied its involvement. This further angered the hackers and

threatened to attack the White House, the Pentagon and the United States mainland. (Robb,

2014)

Phase 1: Crisis Pre-crisis

Sony Pictures Entertainment crisis management has a lot on its hands when it comes to pre-

crisis actions. Sony started its pre-crisis prevention by looking for red-flags or potential crises

that could affect its organization. One key example of this was on November 3rd, 2014, which

was just three weeks before the cyber-attack. Sony hired a small four-man team from Norse

Corporations who specialize in threat intelligence to help with preventing future hacks.

Obviously, this was not enough to stop the biggest hack that has ever happened.

Phase 2: Crisis Response

Due to the extent of the crisis, there were many different types of crisis responses from Sony.

The hacking crisis brought a plethora of issues for Sony and the company needed to respond to

all of them. The first recorded response came from the spokesperson, Jean Guerin, who said that

We are investigating an IT matter on November 25th (Robb, 2014). The chief Michael and

Lynton and Amy Pascal issued a statement to the employees one week after the attack. The

statement said:

It is now apparent that a large amount of confidential Sony Pictures Entertainment data

has been stolen by the cyber attackers, including personnel information and business

documents. This is the result of a brazen attack on our company, our employees and our

business partnersWhile we are not yet sure of the full scope of information that the

attackers have or might release, we unfortunately have to ask you to assume that
CASE STUDY OF SONY PICTURES HACKING CRISIS 7

information about you in the possession of the company might be in their

possessionWe cant overemphasize our appreciation to all of you for your

extraordinary hard work, commitment and resolve (Robb, 2014).

In response to the email leaks, Sony issued official apologies for the employees behavior.

Rudin gave an apology for the email conversation that was considered racist about Obama. He

said to anybody that Ive offended, Im profoundly and deeply sorry, and I regret and apologize

for any injury they might have caused (Robb, 2014). Pascal had her response after Rudin. She

said Everyone at tis company has been violated and nobody here deserved this. I am so

disappointed in myself that I ever would have had such a lapse in my thinking. Of all the things I

thought might be said about me, this was the last one, and I feel awful (Robb, 2014).

One of the most important responses Sony Pictures had was the response to the threats against

The Interview. When the hackers started the threaten the movie theaters and those who attended

the movie, Sony told theater owners that they do not have to show the movie if they do not feel

comfortable with it. Sony also made the decision to not release the movie on Christmas Day,

which was the original plan. Instead of the movie showing in theaters, Sony made the film

available for people to rent on platforms such as YouTube Movies, Google Play, Microsofts

Xbox Video, and a special Sony website. It was also available for purchase. (Robb, 2014)

Phase 3: Post-crisis

This is the stage that Sony Pictures Entertainment still is in. It took a while for the attack to

blow over. After this hacking crisis the focus was heightening Sonys security and gaining the

stakeholders trust again. The company lost more than $41 million from the hack. This amount is

not including the cost of investigations, IT repairs, and lost profits. After the crisis Sony

dedicated itself to rebuilding a whole new computer network that will be stronger. This system
CASE STUDY OF SONY PICTURES HACKING CRISIS 8

will keep as little as possible information on its network and keep the rest on a program that is

not on the internet and the data will be encrypted. In order to protect emails, they will be

archived after a few weeks. Sony also planned on restricting employee access to information that

is not needed for their specific jobs. (Elkind, 2015)

Analysis of crisis management

The crisis management of the cyber hack is a very controversial subject. Some aspects of

Sonys actions were great while a majority of them were not. A major reason for this is that they

did not have a crisis plan, which CEO Michael Lynton admitted. He said that the company made

up responses as the crisis went along (Faughnder, 2015). Not having a strong crisis plan in place

for a cyber-attack greatly affected every aspect of the crisis management.

The pre-crisis stage was hurt by not having a crisis plan because the organization did not know

what to look for. Even though Sony has experienced hackings in the past, they never learned

from them. Sonys crisis team should have used warning signs from previous crises to help

prevent this major crisis. The pre-crisis stage should have been used to find red-flag and solve

them. The crisis could have been prevented or at least minimized if Sony trained its employees

correctly. The crisis team should have known that the employees of any organization pose as a

threat. Because of this they should be trained on how to properly and ethically used technology

such as email. There should have never been such harmful emails to get leaked. Sony is one of

the largest technological companies so they should have had an idea of what would lead to

hacks.

In the crisis response stage, not having a crisis plan hurt Sony greatly. A strong crisis plan

gives everyone in the company a strong template for how to act and what to say during a crisis.

Well-practiced crisis management plans, crisis public relations plans and strategies provide the
CASE STUDY OF SONY PICTURES HACKING CRISIS 9

means to gather and release information as quickly as possible during a crisis which would have

been very helpful to Sony. During the crisis, Sony was not being consistent with releasing

information quickly. For example, the response to the employees was done a full week and two

days after the initial hack. In such an impactful crisis and hack this was way too slow for a

response. Also some of the responses were not well though tout, such as Pascals response to her

emails about Obama. Pascal did not formally apologize but instead said she felt bad. This is not a

proper response to her actions.

Sony Pictures post crisis response was the best part of its poor crisis plan. This is because

after the crisis Sony decided to learn from its past mistakes. Sony made the tough decision to

spend even more money to fix the cyber security. The crisis team obviously conducted the

evaluation stage of post crisis which is a key step. The evaluation stage showed what caused the

hack which allowed the organization to learn how to fix it, or at least prevent it in the future.

Sony has been doing better since the cyber-attack of 2014. The most major hacks that it has

experienced since is when its twitter accounts have been hacked. Although these still are

damaging to Sony, they are nowhere near the extent of the 2014 hack.

Analysis of journalistic coverage

This hack was labeled as the worst cyber-attack to date. This has obviously brought a lot of

attention from the media. The media covered every aspect of the crisis from the breaking news of

the hack, to the information that the hackers released, to responses of the public. During the

crisis Sony did not have the best relationship with media outlets which was shown in how the

media covered the story.

A good portion of the media coverage was focused on explaining exactly what was

happening. This was important because it was confusing of what exactly was happening. The
CASE STUDY OF SONY PICTURES HACKING CRISIS 10

public was very concerned about the hack because of North Koreas potential involvement. This

was positive news coverage unlike other stories that the media covered. The media covered the

different email conversations that were leaked. Numerous news outlets wrote articles that shared

all of the email scandals Sony was involved in. For example, the online blog titled The Wrap has

an article titled Greatest Hits of Leaked Sony Emails: Angelina Jolie, Aloha, David Fincher

and More. This article includes a broken-down list of the most impactful and shocking emails

from Sony employees. The article also includes actual photos of the emails for proof (Verhoeven

& Donnelly, 2015). This is a very popular type of article that was written during the time of the

crisis which made Sony very frustrated.

A main reason that Sony had a negative relationship with the media was because Sony asked

the media not to cover the leaks. Sonys attorney sent a letter to outlets that said We are writing

to ensure that you are aware that SPE does not consent to your possession, review, copying,

dissemination, publication, uploading, downloading or making any use of the stolen information

(Feeney, 2014). This was not helpful to their relationships because Sony threatened to sue all

news outlets that did not listen to the lawyer. The media did not react well to this threat and

continued to post the information.

Recommendations

Although the crisis most likely was not completely avoidable, if Sony followed these

recommendations it would have not been as devastating as it was. Sony could of improved vastly

on each and every stage of the crisis response. The most obvious recommendation is that Sony

should have had a complete and extensive crisis plan for a hack. This is an obvious

recommendation because Sony was no stranger to hacks. The company has been hacked
CASE STUDY OF SONY PICTURES HACKING CRISIS 11

numerous times in the past so it is surprising that it didnt have a plan. Having a plan would of

helped on how to deal in each phase of the crisis.

Pre-crisis

Besides of having better cyber security, Sony could have taken a lot more precautions during

the pre-crisis phase. A recommendation I would give for the crisis team would have been to

educate the spokesperson, head leaders, and employees on crisis threats to the organization.

Educating the employees of the risk that their emails might be hacked would of made them more

careful of what they said. Although the hack would have been detrimental no matter what, if the

unprofessional emails were not there the crisis would not have effected Sony as much.

Employees are some of the highest risk a company has. During pre-crisis, Sony should have been

carefully watching them to make sure they were acting in a professional manner that correctly

represented Sony.

Crisis Response

Sony was the first organization to ever experience a cyber-attack of this extend so it is

partially understandable that Sony did not handle it perfectly. However, some of the mistakes are

so obviously wrong that a large corporation like Sony, should not have made. There are lots of

improvements that could have been possible for handling this crisis. One recommendation would

be to improve the response that were made. During a crisis, a spokesperson should be

responsible for conveying information to the public. In this case, Sony did not use a consistent

spokesperson to share the information. This added to the confusion around the crisis. Jean

Guerin, Sonys typical spokesperson, only shared one statement. The company should have

chosen one person who could constantly be in contact with the media. Due to the extent of the

crisis it would have been smart to have selected the CEO as the spokesperson.
CASE STUDY OF SONY PICTURES HACKING CRISIS 12

Another recommendation would be that Sony should have framed the crisis in a more

flattering way. This crisis could have been framed in multiple different ways that could have

actually benefited Sony. For example, they could have used it as an opportunity to promote the

movie, The Interview. If Sony did this they would have taken control of the situation and taken

the offensive and not have been seen as the victim as much. They also could have framed it as

not as big of a problem. They could have done this by highlighting that no one has been hurt and

similar hacking of information has been done before. If Sony framed the cyber-attack in a

positive way then Sony would have given the illusion at least that the crisis was under control. If

Sony had a crisis plan it would have allowed the organization to reply quicker which would have

given them the time to strategically frame the crisis.

Post-crisis

Post-crisis actions can be just as important as the crisis response. Yet, this is a part of a crisis

plan that can be easily over looked. Sony could improve its post-crisis actions by being more

accessible and offering information about the hack. The Sony website has no information about

the cyber-attack. This is problematic because it was such an influential event for not only the

company, but the nation as a whole. If Sony provided its own compilation of data from this

milestone event, it would show that the company is trying to be transparent. This would assist in

gaining back trust from stakeholders.

Conclusion

Studying the Sony Pictures hacking crisis of 2014 brings a lot of important crisis planning

issues to light. The hack alerted millions of the potential threats that all companies who rely on

technology face every day. Crises can be inevitable so organizations need to be prepared to
CASE STUDY OF SONY PICTURES HACKING CRISIS 13

handle one, which Sony was not. Sony is a perfect example of how not having a strong crisis

plan will hinder the success of a companys response to a crisis.

CASE STUDY OF SONY PICTURES HACKING CRISIS 14

References

Company History. (2017). Retrieved from http://www.sonypictures.com/corp/history.html#2010

Corporate Info. (2017). Retrieved from https://www.sony.net/SonyInfo/CorporateInfo/History/

Eadicicco, L. (2017). Can Apple Make You Want An iPad Again? Retrieved from

http://time.com/4657459/apple-ipad-2017/

Elkind, P. (2015). Part 3: the cyberbomb is detonated. Retrieved from http://fortune.com/sony-

hack-final-part/

Estes, A. C. (2104). Why Sony Keeps Getting Hacked. Retrieved from http://gizmodo.com/why-

sony-keeps-getting-hacked-1667259233

Faughnder, R. (2015). Exclusive: A year after the hack, Sonys chief explains how Hollywood

heals its wounds. Retrieved from

http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-sony-hack-year-later-

20151118-story.html

Feeney, N. (2014). Sony Asks Media to Stop Covering Hacked Emails. Retrieved from

http://time.com/3633385/sony-hack-emails-media/

Marra, F. J. (1998). Crisis communication plans: Poor predictors of excellent crisis public

relations. Public Relations Review, 24(4), 461. Retrieved

from http://ezproxy.messiah.edu/login?url=http://search.ebscohost.com/login.aspx?direct

=true&db=ufh&AN=1576956&site=ehost-live&scope=site

Robb, D. (2014). Sony Hack: A Timeline. Retrieved from http://deadline.com/2014/12/sony-

hack-timeline-any-pascal-the-interview-north-korea-1201325501/

Rowinski, D. (2012). Why The New iPad Should Never Have Been Released. Retrieved from

http://readwrite.com/2012/10/24/the-new-ipad-should-never-have-been-released/
CASE STUDY OF SONY PICTURES HACKING CRISIS 15

Sony Corporation Form 20 F. (2008). Retrieved from

https://www.sec.gov/Archives/edgar/data/313838/000114554908001104/k01608e20vf.ht

m#167

Sullivan, C. (2016, July 21). The 2014 Sony Hack and the role of international Law. Journal of

National Secruity Law & Policy. Retrieved from http://jnslp.com/2016/07/21/2014-sony-

hack-role-international-law/

Verhoeven, B., & Donnelly, M. (2015). Greatest Hits of Leaked Sony Emails: Angelina Jolie,

Aloha, David Fincher and More. Retrieved from http://www.thewrap.com/greatest-hits-

leaked-sony-emails-angelina-jolie-aloha-david-fincher/