Sony Corp. (6758) was warned about a year ago that hackers had infiltrated its network and were stealing gigabytes of data several times a week, underscoring a pattern of lapses predating a recent attack that has spilled Sony Pictures’ secrets onto the Internet.

The hackers, who haven’t been identified, sifted in late 2013 through data from the company’s network, encrypted the information to cover their tracks and mined it on a regular schedule, said a person familiar with Sony’s investigation of the breach who asked not to be named because the findings are confidential.

The company’s cybersecurity problems date at least as far back as 2011, with a breach of Sony’s PlayStation video-game network.

In the most recent indication of Sony’s vulnerability, hackers since early December have been releasing sensitive information from the company’s Sony Pictures unit, including on salaries, employee health data and racially tinged e-mail banter over U.S. President Barack Obama’s taste in movies. Another leak showed that Sony Chief Executive Officer Kazuo Hirai approved a scene in the coming movie “The Interview” that depicted the fictional assassination of North Korean leader Kim Jong Un.

The extent of the breach last year was discovered by an outside contractor after Tokyo-based Sony found suspicious traffic on its corporate computers and requested an analysis, the person said.

Security Holes

The discovery was part of a companywide review of cybersecurity practices following the 2011 hack that extended for more than two years and which, while shoring up the security of some parts of the network, left holes remaining, four people familiar with the Japanese company’s investigations said.

Jennifer Clark, a Sony spokeswoman, said the company hired former Department of Homeland Security official Philip Reitinger in 2011 and under his leadership has since bolstered its information-security program.

“Sony is unfortunate,” said Rick Dakin, co-founder and CEO of Coalfire Systems Inc., a Louisville, Colorado, auditing and compliance-assessment company. “They are a two-time loser before they could right the ship. However, the wake-up call is for everyone else.”

Cybercriminals targeted Sony in 2011 after it sued a young researcher when he exposed security vulnerabilities in the PlayStation 3 console. And for the past month, the company has grappled with anger over “The Interview,” a comedy from its Hollywood film studio starring Seth Rogen and James Franco that is scheduled for release on Christmas Day.

DarkSeoul Link

Sony is conducting an internal probe that has linked the latest attack to a suspected North Korean hacking group known as DarkSeoul, according to two of the people familiar with the company’s investigation.

The three incidents over the last several years show that despite spending millions of dollars, Sony continued to struggle with flaws exposed by the 2011 breach -- which people familiar with the investigation said was deeper than the company has disclosed.

Sony has said the 2011 hack involved the theft of personal data on 77 million PlayStation Network users. But two of the people familiar with the incident said it also involved the loss of highly sensitive corporate data. That included keys to the PlayStation Network’s digital-rights management software, which Sony uses to fight piracy, and its user-authentication database, one of the people said. Those tools allowed hackers to steal video games, movies and music and sell copies on the black market, the two people said.

No Audit

Even after discovering the thefts, Sony didn’t conduct an audit to determine how much content was stolen, one of the people said.

Clark, the Sony spokeswoman, said the company doesn’t discuss specifics but had no indication the 2011 breach went further than it previously said or that there was a subsequent increase in piracy.

Also, Sony at the time blamed the breach on the loosely organized Anonymous hacking group, which denied stealing data.

Investigators for Sony found that at least three hacking groups had infiltrated the PlayStation Network during that time, one of the people said. The group causing the most damage was a Russian ring that had been inside the network for two years, stealing and selling video games, the person said.

Decentralized Structure

Sony significantly improved the security of the PlayStation Network after the breach but didn’t sufficiently address security issues elsewhere at the company, the people familiar with the investigations said.

Unlike banks and government agencies that are accustomed to deflecting high-level hacking attacks, Sony has been poorly prepared for the intrusions in part because its decentralized structure means security improvements in one division don’t necessarily translate to other units, the people familiar with the investigations and other security experts said.

A large corporate structure shouldn’t be a barrier to sharing security data, said Mike Davis, chief technology officer of CounterTack Inc., a security firm based in Santa Monica, California.

“Many large multinational companies with divisional structures have successfully defended or at least mitigated these types of attacks,” he said.

Sony could face a worse scenario over the coming months than it did after the 2011 breach, according to security experts who have studied the latest data leaked by hackers.

‘Treasure Map’

The files obtained in the latest intrusion contain sensitive information on almost every aspect of the company’s digital security, including instructions on how to access key databases and digital certificates meant to secure Sony’s computers and data.

“This information is effectively like giving the world a child’s treasure map, a very simple dotted line to follow with a big red X that says, ‘Treasure Here,’” said Jody Brazil, founder and CEO of FireMon, a security firm based in Overland Park, Kansas.

“They are going to have a very, very difficult time insuring that any actions they take to clean this is going to have any lasting effect,” he said.

To contact the reporters on this story: Jordan Robertson in Washington at [email protected]; Michael Riley in Washington at [email protected]

To contact the editors responsible for this story: Sara Forden at [email protected]; Pui-Wing Tam at [email protected]y Robinson, Andrew Pollack