Professional Documents
Culture Documents
Megan Anderson
Messiah College
Crisis Communication
Anthony Eseke
April 5, 2017
CASE STUDY OF SONY PICTURES HACKING CRISIS 2
Introduction
With our society relying more and more on technology, there comes new and even unknown
risks. Technology is not always safe and can be breached. Hackers can infiltrate online databases
and release confidential information to the public that can be both financially and reputationally
damaging to a company. In 2014, Sony Pictures Entertainment experienced one of the worst
cyber-attacks to date. Crisis managers can learn a lot from this case study including what to do
and what not to do during a cyber-attack crisis. This paper will highlight the importance of the
History of Sony
In 1919 three men, Jack Cohn, Harry Cohn, and Joe Brandt, founded CBC Film Sales.
Shortly after, in 1921, Colombia Pictures Corporation bought CBC Film Sales. As film and
television became increasingly popular, Colombia Pictures experienced great success. For
example, in 1948 it was one of the first studios to work in television. The Coca-Cola Company
then bought Columbia Pictures Industries, Columbia Pictures parent company, in 1982.
Columbia Pictures continued to grow and merged with TriStar Pictures and forms Columbia
Pictures Entertainment in 1987. Coca-Cola then sold Columbia Pictures Entertainment in 1989 to
Sony Corporation. The company then changed the name to Sony Pictures Entertainment in 1991
Sony Pictures Entertainment is just one aspect of its parent company Sony Corporation.
Sony Corporation is a large and powerful company that has its hands in many different markets.
Sony has held the mission that it is a company that inspires and fulfills your curiosity ever
since its founding in 1946 ("Corporate Info," 2017). Sony Corporation was founded in Tokyo
CASE STUDY OF SONY PICTURES HACKING CRISIS 3
Japan by Masaru Ibuka. Ever since 1946, Sony Corporation has expanded in multiple ways,
including expanding to different countries and expanding to new products. In a study conducted
in 2008, it was found that only 23.2 percent of Sonys sales and operating revenue in the fiscal
year were originally recorded in Japan ("Sony Corporation Form 20 F," 2008, p. 10). This is
just one fact the highlights how Sony Corporation has been expanding. The expansion is also
evident when looking at the extensive number of subsidiaries own by Sony Corporation. In 2008,
it was recorded that Sony had 991 consolidated subsidiaries ("Sony Corporation Form 20 F,"
2008, p. 2). A small sample of the subsidiaries include Sony Mobile, Sony Music, Sony Europe,
Japan Display, Sony Real Estate Corporation, and Sony South Africa ("Sony Corporation Form
20 F," 2008). Even Sony Pictures Entertainment has different divisions. The three divisions
included in Sony Pictures Entertainment are Sony Pictures Motion Picture Group, Sony Pictures
Studio, and Sony Pictures Television (Company History, 2017). Sony Corporation is a very
large and extensive company. Being such a huge organization brings a large threat of potential
crises.
Sony Corporation has a complicated history of experiencing hacking crises. Sony has
been the target of multiple cyber-attacks. It all started in 2005, when Sony created a copy
protection software that was supposed to stop music pirating. The program actually changed the
consumers computer system and ended up making the computer more vulnerable to hacking.
This scandal has been accredited to the start of Sonys problems because it angered the public,
especially the hacker community. Then in 2010 a 17-year-old, George Hotz, hacked his
PlayStation. By doing so he was able to pirate games and he release the codes to the public.
Sony retaliated by suing Hotz and other hackers involved. This angered hackers further. In
reaction to Sonys action a group called Anonymous threatened and took down in PlayStation
CASE STUDY OF SONY PICTURES HACKING CRISIS 4
system in two weeks. The complete system was down for 23 days and costed Sony $171 million.
The following six months lead to over 21 more cyber-attacks. Some were not serious, but some
caused major damage. For example, one hacking group stole over 1,000,000 account information
such as passwords and even home addresses. Information breaches like this caused Sonys stock
price to fall 40 percent (Estes, 2104). Sonys history of being prone to cyber-attacks lowered the
Crisis Overview
Unfortunately for Sony, this was just the beginning of the cyber-attacks it experienced. In
2014, Sony Pictures Entertainment experienced what was labeled as the worst cyber-attack on a
United States company. The reason for this is because it seems to have a larger effect on the
country instead of just the company. This hack was unique in nature because it was not after
personal information such as credit card and banking data. This particular hack had a bigger
purpose which the government believes was an attack on the United States. The government
blames North Korea of the attack (Sullivan, 2016). This cyber-attack was and still is a long-
It started on November 24, 2014 when the hackers obtained all of Sonys internal data.
They demanded that Sony complied with all of their demands. Due to the technological breech
Sony was forced to work without any of technology including all phones, computers and emails
for weeks. In the beginning of the attack it was uncertain who was responsible for the attack but
The hacking was very dangerous because it leaked a majority of Sonys private
information. The information began to be leaked as early as November 27th. The first leak was
five Sony movies which were put on online sharing hubs. These movies were Fury, Annie, Mr.
CASE STUDY OF SONY PICTURES HACKING CRISIS 5
Turner, Still Alice, and To Write Love on Her Arms. On December 8th, bonus salaries on Sony
executives were leaked as well as salaries of more than 6,0000 employees. Information of the
cast and crew of many movies were shared as well. This included passports and visas of
The cyber-attack was extremely damaging to Sonys reputation because the hackers
gained access to private email conversations of the employees. The conversations that were
shared were very negative. One example is a collection of Sony employees critiques of the actor
Adam Sandlers movies. Amy Pascal, co-chairman of Sony Pictures, conversations were also
shared with the public. In one email she was discussing Angelina Jolie and her film Cleopatra
and Pascal said Im not destroying my career over a minimally talented spoiled brat (Robb,
2014). Another one of Pascals conversations with Scott Rudin, producer, was released on
December 10th. This conversation was about Barack Obama and that his so called favorite
A substantial amount of the crisis surrounded one movie in particular, The Interview. The
comedy stars Seth Rogan and James Franco whose characters are sent to assassinate the North
Korean leader. This is one reason that North Korea is a main suspect for the attack. The hackers
We will clearly show it to you at the very time and places The Interview be shown,
including the premiere, how bitter fate those who seek fun in terror should be doomed
to. Soon all the world will see what an awful movie Sony Pictures Entertainment has
made. The world will be full of fear. Remember the 11th of September 2001. We
recommend you to keep yourself distant from the places at that time (Robb, 2014).
CASE STUDY OF SONY PICTURES HACKING CRISIS 6
Shortly after this very threatening statement, the FBI confirmed that North Korea was behind the
attack although North Korea denied its involvement. This further angered the hackers and
threatened to attack the White House, the Pentagon and the United States mainland. (Robb,
2014)
Sony Pictures Entertainment crisis management has a lot on its hands when it comes to pre-
crisis actions. Sony started its pre-crisis prevention by looking for red-flags or potential crises
that could affect its organization. One key example of this was on November 3rd, 2014, which
was just three weeks before the cyber-attack. Sony hired a small four-man team from Norse
Corporations who specialize in threat intelligence to help with preventing future hacks.
Obviously, this was not enough to stop the biggest hack that has ever happened.
Due to the extent of the crisis, there were many different types of crisis responses from Sony.
The hacking crisis brought a plethora of issues for Sony and the company needed to respond to
all of them. The first recorded response came from the spokesperson, Jean Guerin, who said that
We are investigating an IT matter on November 25th (Robb, 2014). The chief Michael and
Lynton and Amy Pascal issued a statement to the employees one week after the attack. The
statement said:
It is now apparent that a large amount of confidential Sony Pictures Entertainment data
has been stolen by the cyber attackers, including personnel information and business
documents. This is the result of a brazen attack on our company, our employees and our
business partnersWhile we are not yet sure of the full scope of information that the
attackers have or might release, we unfortunately have to ask you to assume that
CASE STUDY OF SONY PICTURES HACKING CRISIS 7
In response to the email leaks, Sony issued official apologies for the employees behavior.
Rudin gave an apology for the email conversation that was considered racist about Obama. He
said to anybody that Ive offended, Im profoundly and deeply sorry, and I regret and apologize
for any injury they might have caused (Robb, 2014). Pascal had her response after Rudin. She
said Everyone at tis company has been violated and nobody here deserved this. I am so
disappointed in myself that I ever would have had such a lapse in my thinking. Of all the things I
thought might be said about me, this was the last one, and I feel awful (Robb, 2014).
One of the most important responses Sony Pictures had was the response to the threats against
The Interview. When the hackers started the threaten the movie theaters and those who attended
the movie, Sony told theater owners that they do not have to show the movie if they do not feel
comfortable with it. Sony also made the decision to not release the movie on Christmas Day,
which was the original plan. Instead of the movie showing in theaters, Sony made the film
available for people to rent on platforms such as YouTube Movies, Google Play, Microsofts
Xbox Video, and a special Sony website. It was also available for purchase. (Robb, 2014)
Phase 3: Post-crisis
This is the stage that Sony Pictures Entertainment still is in. It took a while for the attack to
blow over. After this hacking crisis the focus was heightening Sonys security and gaining the
stakeholders trust again. The company lost more than $41 million from the hack. This amount is
not including the cost of investigations, IT repairs, and lost profits. After the crisis Sony
dedicated itself to rebuilding a whole new computer network that will be stronger. This system
CASE STUDY OF SONY PICTURES HACKING CRISIS 8
will keep as little as possible information on its network and keep the rest on a program that is
not on the internet and the data will be encrypted. In order to protect emails, they will be
archived after a few weeks. Sony also planned on restricting employee access to information that
The crisis management of the cyber hack is a very controversial subject. Some aspects of
Sonys actions were great while a majority of them were not. A major reason for this is that they
did not have a crisis plan, which CEO Michael Lynton admitted. He said that the company made
up responses as the crisis went along (Faughnder, 2015). Not having a strong crisis plan in place
The pre-crisis stage was hurt by not having a crisis plan because the organization did not know
what to look for. Even though Sony has experienced hackings in the past, they never learned
from them. Sonys crisis team should have used warning signs from previous crises to help
prevent this major crisis. The pre-crisis stage should have been used to find red-flag and solve
them. The crisis could have been prevented or at least minimized if Sony trained its employees
correctly. The crisis team should have known that the employees of any organization pose as a
threat. Because of this they should be trained on how to properly and ethically used technology
such as email. There should have never been such harmful emails to get leaked. Sony is one of
the largest technological companies so they should have had an idea of what would lead to
hacks.
In the crisis response stage, not having a crisis plan hurt Sony greatly. A strong crisis plan
gives everyone in the company a strong template for how to act and what to say during a crisis.
Well-practiced crisis management plans, crisis public relations plans and strategies provide the
CASE STUDY OF SONY PICTURES HACKING CRISIS 9
means to gather and release information as quickly as possible during a crisis which would have
been very helpful to Sony. During the crisis, Sony was not being consistent with releasing
information quickly. For example, the response to the employees was done a full week and two
days after the initial hack. In such an impactful crisis and hack this was way too slow for a
response. Also some of the responses were not well though tout, such as Pascals response to her
emails about Obama. Pascal did not formally apologize but instead said she felt bad. This is not a
Sony Pictures post crisis response was the best part of its poor crisis plan. This is because
after the crisis Sony decided to learn from its past mistakes. Sony made the tough decision to
spend even more money to fix the cyber security. The crisis team obviously conducted the
evaluation stage of post crisis which is a key step. The evaluation stage showed what caused the
hack which allowed the organization to learn how to fix it, or at least prevent it in the future.
Sony has been doing better since the cyber-attack of 2014. The most major hacks that it has
experienced since is when its twitter accounts have been hacked. Although these still are
damaging to Sony, they are nowhere near the extent of the 2014 hack.
This hack was labeled as the worst cyber-attack to date. This has obviously brought a lot of
attention from the media. The media covered every aspect of the crisis from the breaking news of
the hack, to the information that the hackers released, to responses of the public. During the
crisis Sony did not have the best relationship with media outlets which was shown in how the
A good portion of the media coverage was focused on explaining exactly what was
happening. This was important because it was confusing of what exactly was happening. The
CASE STUDY OF SONY PICTURES HACKING CRISIS 10
public was very concerned about the hack because of North Koreas potential involvement. This
was positive news coverage unlike other stories that the media covered. The media covered the
different email conversations that were leaked. Numerous news outlets wrote articles that shared
all of the email scandals Sony was involved in. For example, the online blog titled The Wrap has
an article titled Greatest Hits of Leaked Sony Emails: Angelina Jolie, Aloha, David Fincher
and More. This article includes a broken-down list of the most impactful and shocking emails
from Sony employees. The article also includes actual photos of the emails for proof (Verhoeven
& Donnelly, 2015). This is a very popular type of article that was written during the time of the
A main reason that Sony had a negative relationship with the media was because Sony asked
the media not to cover the leaks. Sonys attorney sent a letter to outlets that said We are writing
to ensure that you are aware that SPE does not consent to your possession, review, copying,
dissemination, publication, uploading, downloading or making any use of the stolen information
(Feeney, 2014). This was not helpful to their relationships because Sony threatened to sue all
news outlets that did not listen to the lawyer. The media did not react well to this threat and
Recommendations
Although the crisis most likely was not completely avoidable, if Sony followed these
recommendations it would have not been as devastating as it was. Sony could of improved vastly
on each and every stage of the crisis response. The most obvious recommendation is that Sony
should have had a complete and extensive crisis plan for a hack. This is an obvious
recommendation because Sony was no stranger to hacks. The company has been hacked
CASE STUDY OF SONY PICTURES HACKING CRISIS 11
numerous times in the past so it is surprising that it didnt have a plan. Having a plan would of
Pre-crisis
Besides of having better cyber security, Sony could have taken a lot more precautions during
the pre-crisis phase. A recommendation I would give for the crisis team would have been to
educate the spokesperson, head leaders, and employees on crisis threats to the organization.
Educating the employees of the risk that their emails might be hacked would of made them more
careful of what they said. Although the hack would have been detrimental no matter what, if the
unprofessional emails were not there the crisis would not have effected Sony as much.
Employees are some of the highest risk a company has. During pre-crisis, Sony should have been
carefully watching them to make sure they were acting in a professional manner that correctly
represented Sony.
Crisis Response
Sony was the first organization to ever experience a cyber-attack of this extend so it is
partially understandable that Sony did not handle it perfectly. However, some of the mistakes are
so obviously wrong that a large corporation like Sony, should not have made. There are lots of
improvements that could have been possible for handling this crisis. One recommendation would
be to improve the response that were made. During a crisis, a spokesperson should be
responsible for conveying information to the public. In this case, Sony did not use a consistent
spokesperson to share the information. This added to the confusion around the crisis. Jean
Guerin, Sonys typical spokesperson, only shared one statement. The company should have
chosen one person who could constantly be in contact with the media. Due to the extent of the
crisis it would have been smart to have selected the CEO as the spokesperson.
CASE STUDY OF SONY PICTURES HACKING CRISIS 12
Another recommendation would be that Sony should have framed the crisis in a more
flattering way. This crisis could have been framed in multiple different ways that could have
actually benefited Sony. For example, they could have used it as an opportunity to promote the
movie, The Interview. If Sony did this they would have taken control of the situation and taken
the offensive and not have been seen as the victim as much. They also could have framed it as
not as big of a problem. They could have done this by highlighting that no one has been hurt and
similar hacking of information has been done before. If Sony framed the cyber-attack in a
positive way then Sony would have given the illusion at least that the crisis was under control. If
Sony had a crisis plan it would have allowed the organization to reply quicker which would have
Post-crisis
Post-crisis actions can be just as important as the crisis response. Yet, this is a part of a crisis
plan that can be easily over looked. Sony could improve its post-crisis actions by being more
accessible and offering information about the hack. The Sony website has no information about
the cyber-attack. This is problematic because it was such an influential event for not only the
company, but the nation as a whole. If Sony provided its own compilation of data from this
milestone event, it would show that the company is trying to be transparent. This would assist in
Conclusion
Studying the Sony Pictures hacking crisis of 2014 brings a lot of important crisis planning
issues to light. The hack alerted millions of the potential threats that all companies who rely on
technology face every day. Crises can be inevitable so organizations need to be prepared to
CASE STUDY OF SONY PICTURES HACKING CRISIS 13
handle one, which Sony was not. Sony is a perfect example of how not having a strong crisis
References
Eadicicco, L. (2017). Can Apple Make You Want An iPad Again? Retrieved from
http://time.com/4657459/apple-ipad-2017/
hack-final-part/
Estes, A. C. (2104). Why Sony Keeps Getting Hacked. Retrieved from http://gizmodo.com/why-
sony-keeps-getting-hacked-1667259233
Faughnder, R. (2015). Exclusive: A year after the hack, Sonys chief explains how Hollywood
http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-sony-hack-year-later-
20151118-story.html
Feeney, N. (2014). Sony Asks Media to Stop Covering Hacked Emails. Retrieved from
http://time.com/3633385/sony-hack-emails-media/
Marra, F. J. (1998). Crisis communication plans: Poor predictors of excellent crisis public
from http://ezproxy.messiah.edu/login?url=http://search.ebscohost.com/login.aspx?direct
=true&db=ufh&AN=1576956&site=ehost-live&scope=site
hack-timeline-any-pascal-the-interview-north-korea-1201325501/
Rowinski, D. (2012). Why The New iPad Should Never Have Been Released. Retrieved from
http://readwrite.com/2012/10/24/the-new-ipad-should-never-have-been-released/
CASE STUDY OF SONY PICTURES HACKING CRISIS 15
https://www.sec.gov/Archives/edgar/data/313838/000114554908001104/k01608e20vf.ht
m#167
Sullivan, C. (2016, July 21). The 2014 Sony Hack and the role of international Law. Journal of
hack-role-international-law/
Verhoeven, B., & Donnelly, M. (2015). Greatest Hits of Leaked Sony Emails: Angelina Jolie,
leaked-sony-emails-angelina-jolie-aloha-david-fincher/