To be more precise, this kind of attack would rely on business hacking, rather than computer hacking. Other attacks, some potentially as massive as to turn Google into the worst search engine, are described below.
The Sony attack
I believe that such an attack could be accomplished by an insider (disgruntled employee, or employee paid by an external organization), and benefiting from poor IT security at Sony. Especially the email part, consisting of cross-emailing every employee of interest (including executives) with scary messages, or messages aimed at generating massive lawsuits and firings.
Indeed, in many companies, it is easy for some employees to download the email database (or parts of it), the CRM database (clients with email addresses and associated internal contacts), or the hierarchical database of employees (who report to whom, email addresses, and job titles). Once this database is acquired by a rogue employee or consultant, it can be sold or used for many nefarious purposes: announcing (fake) layoffs, sending porn to executives with cc to external parties such as clients, exchange of racial insults between executives and clients (using spoofed email addresses) followed by fake apologies, and the list goes on. Before the culprit gets caught, the damage is done, billions of dollars have evaporated, and reputation is destroyed.
So how to protect your company?
Never hire a guy that looks too smart. Never hire a guy like me who posts articles like this one. Identify a dangerous employee as early as possible (using predictive analytics), and use soft-firing to get rid of him. Make it impossible for anyone (employee or contractor or client) to download vast amounts of HR information. Beware that some rogue employees will accumulate the dangerous data very slowly, over a period of months. Detect and block spoofed email (originating from an IP address not in your white-list authorized to send internal email), as well as employees having infected computers (that can be used to send fake email that appear legitimate - not spoofed).
The Sony attack is the tip of the Iceberg
Plenty of silent, smaller attacks, happen daily as part of normal business activities. These attacks are aimed at killing business competitors. Sometimes these attacks are a reaction to what is perceived as unfair treatments by big companies or government. Combined together, these attacks result in far more damages than the Sony or Target hacks. These attacks might not even be illegal, unlike the Sony attack.
Examples of silent attacks
A digital company got banned or penalized on Google, and it feels as unfair punishing by the victim. Typically, the wrong punishing is the result of an algorithm defect. Algorithms have no feelings, and in the case of a big company like Google, there's nothing you can do about it: no customer support, no phone number to call, and anyway they deliver free traffic to your website. So they can pull the plug at any time for no reason, and make you loose all your revenue (too bad if you rely entirely on Google organic traffic for your revenue, not a smart business strategy). Occasionally, Google will have to face a tech-savvy victim that can and will kill all other competitors on Google, as a last resort to recoup losses and regain market share. There are techniques to succeed in such attacks, such as
You can go one level further and over time, corrupt massive amounts of Google search results. Especially if you are a kid (maybe one rejected after a Google job interview), and want to prove to the world that you are one of the greatest data scientists. You would need to target the top 100,000 keywords with the right amount of fake but well statistically distributed traffic. How to find these keywords? On Google itself, or just ask me. Such an attack could be called a data science attack. It does not involve hacking into anyone's server, but algorithm intelligence and external data collection and processing.
Other companies such as Amazon or Yelp, extensively relying on user reviews, have made a lot of businesses very unhappy, due to undetected fake reviews. Rather than fixing their faulty algorithms, their policy is to further attack those few tech-savvy companies that they inadvertently (but unsuccessfully) tried to kill, once these little guys retaliate. These counter-attacks (e.g. by Amazon) are laughable, and make you think that they underestimate their enemies. I will provide an example in a future article. In the case of Amazon, attacks targeted at authors and publishers are starting to backfire, as articles against Amazon are getting a lot of traction recently.
Note that all these companies have stellar data scientists and other great employees. The problem is with some top decision makers, still acting as if we small people (their customers) are idiots that can easily be crushed on demand. That might be true for 99.999% of their users, but once you hit the 0.001% resilient ones - which will eventually happen when you make thousands of users furious every day - that's when you get an attack like the Sony one.
So even if you - the big company - are swamped by millions of customer messages every week, and can only provide automated answers, at least use an NLP-based algorithm to detect potential big trouble-makers. Not just automatically browsing what people write on your blog or to your mailboxes, but also on social networks, about your company. Follow thought leaders, they might be the first ones to detect a new trend, or new risks. Always be nice. Even when your algorithms randomly turn bad and mean against someone. Listen to what people say about your company, but learn how to filter out the vast amount of noise from these conversations, using both algorithms and analyses performed by human beings. The most dangerous hackers might be those who never say anything, so having well-behaved, human-friendly (as opposed to computer-friendly) algorithms to deal with your users, is always the best strategy.
Note: This type of attack could also be used to manipulate the stock price of the target company, especially to short the stock before the attack and buy back after the collapse, to finance the operations of hacking or terrorist groups.