Back to blog

Sony’s email was vulnerable to cyber-attack. What about yours?

Aug 28, 2015 by Thomas Madsen

The high-profile 2014 Sony Pictures hack highlighted vulnerabilities in one of the most common email storage methods. Standalone files obtained included at least 179 ‘PST’ mailboxes, including those of an executive at Sony Pictures Canada and one of its IT audit supervisors, as well as many archive and backup PST files.

At least 170,000 hacked individual Sony emails were subsequently published by Wikileaks, and Sony reputedly had to set aside $15m to deal with the fallout. Variety – not a journal normally associated with tech comment – noted “reverberations … across the entertainment industry”.

Variety’s right. The Sony hack prompted several other household name entertainment firms to ask for Quadrotech’s help migrating off PSTs as fast as they can. And these projects are being driven by the legal and compliance teams, not the technologists.

Is my organization at risk?

By their very nature, corporate emails contain a wealth of sensitive data. They’re often the database of record, which is why regulators insist they are auditable and retrievable. Any organisation using PST mailboxes is at risk.

The good news is that you can keep your email managed and secure very easily. Just outlaw the use of PST files in your organisation. If you can find them.

What is a PST file?

Since 1995 the ‘personal storage table’ (PST) has been the default format for storing messages and other items within Microsoft Exchange Client, Windows Messaging and Outlook. You may not even realise your organisation uses PSTs, but every PC or laptop set up with Outlook out-of-the-box automatically created a PST to store data on that machine.

We’re not just talking about current equipment. Older computers are reassigned to new staff all the time, and too many firms are lax about wiping disks when equipment is scrapped. Every single one has the potential for catastrophic data leakage.

That’s not all. While default PST files, PST archives and PST backups are automatically created in particular locations, power users may well alter those defaults. They’ll create other PST files at will, and will swap them around between different machines, shared drives and USB sticks. In the worst case we’ve seen, one HR staffer was managing 300 live PST files.

If PST files connected to Outlook are a big enough problem, tracking disconnected files is even worse. The very portability of PSTs means they accidentally end up in the wrong places, and they’re easily exported by the malicious. Like many security breaches, it’s speculated that the Sony case was an ‘inside job’.

Are there any other problems with PST files?

PSTs inhibit modernisation. Today users expect emails to be available on any device – PC, tablet, phone – anywhere. Windows 10 itself is all about using a common interface on any device. And cloud-based email systems like Office 365 and Gmail are there to provide centralised control and security.

By contrast, PSTs are unmanageable and inflexible. They are insecure, proprietary, stored offline locally, and notoriously difficult to police even if you have strict rules in place. And if you don’t have access to your users’ PSTs, how can you back them up? This is something the regulators have an eye on. For example, the pending change to the US Federal Rule of Civil Procedure 37E assumes you can retrieve critical data even if an employee deletes it – including emails. If you want to know more about this change, take a look at my colleague’s recent blog: Are PSTs ready for the 37E changes?

But despite being twenty-year-old technology, despite the management headaches and security implications, PST use is still growing. We say stick with PSTs at your peril.

OK, I’ll ditch the PSTs. How do I start?

There are several commercial tools available for discovering and migrating PSTs (Microsoft, naturally, offers its own solution for migrating to Office 365), but these are only generally suitable for the simplest situations. When we were developing our solution, FlightDeck, we chose to address the most difficult scenarios (drawing on our extensive experience in the field).

FlightDeck distinguishes between power users and others, and makes appropriate checks for rogue PSTs according to their profiles. It flags up exceptions for manual intervention so that, for example, you only migrate the essential parts of that users 100GB worth of PST files (and yes, that’s not a typo – individual users do have this amount of data, frequently!!) Incidentally, our associated ingestion technology dramatically shrinks the size of data that actually needs to be moved, so that physical migration takes place much faster.

With ‘disconnected’ PST files, there’s frequently no obvious way of knowing what PST is associated with which user. Some vendors use a guessing process to reconcile this, but the latest version of FlightDeck ups the game by using six factors. It looks at PST location, who created the PST, attachment of other PSTs, cross-checks the user security information, inspects the content (who most commonly sent and received from that mailbox), and automatically assesses the probable user against the expected user.

FlightDeck’s a clever tool. It needs to be when you’re trying to migrate thousands of PSTs at the same time.

Track down your PSTs now
If you have PSTs you are vulnerable. If you don’t know how many might be out there we can help. Learn more about our PST to Office 365 migration services  and we’ll track down the true extent of wild PSTs in your organization. The results will surprise you!