In the last two weeks, Sony Pictures has been subjected to the most thorough corporate hacking in recent memory. Internal files with a wealth of confidential information—movie budgets, employees’ social security numbers, celebs’ contact information, executives’ emails, and more—have been posted to the Internet. And it doesn’t seem to be over yet, with the hackers promising to dump more data in the days ahead.
Maybe you haven’t been following the Sony Pictures hack drama all that closely. Maybe you’ve been savoring every gossipy e-mail and script leak. Either way, a primer on one of the most complex corporate scandals in years might be useful. And we’re here to help.
So, what happened?
Sony Pictures–the powerful Hollywood studio responsible for hits like Moneyball and the Spider-Man franchise–got hacked.
Like the time my brother stole my Facebook password and used it to sign up me up for a Christian Mingle account?
Worse than that.
I dunno, that was pretty bad.
This was way worse. Along with lots of leaked information about Sony Pictures salaries and bonuses and stuff, financial documents were leaked showing the terms of various confidential business deals Sony Pictures has made over the years, and the budgets and box-office results of lots of recent movies. Thousands of employees had their Social Security numbers and medical information made public.
What’s the most embarrassing material that’s been exposed?
The hackers got hold of the e-mail inboxes of several Sony Pictures executives, which included messages from mega-director Scott Rudin calling Angelina Jolie a “minimally talented spoiled brat,” and e-mails between Rudin and Sony Pictures chief Amy Pascal speculating about whether President Obama liked Django Unchained or 12 Years a Slave better. (Because he’s black, you see.) Both Pascal and Rudin have had to apologize publicly.
Okay, so how did this happen?
No one really knows yet. The FBI and private security researchers FireEye are still investigating the hack. What we do know is that the hackers used a piece of malware called “Destover” to infiltrate Sony Pictures’ systems, and ferret out many gigabytes of data. The hackers are releasing this data bit-by-bit, using sites like Pastebin and torrent networks.
These hackers – who are they?
We don’t know that, either. All we know is that they’re calling themselves “GOP.”
The Republican Party is behind this? I knew that Boehner guy was shady.
Nope, it stands for “Guardians of Peace.” They have stated that they intend to destroy Sony Pictures Entertainment, and the password protection for all the documents they’ve leaked is “diespe123,” a reference to the abbreviation of the pictures’ unit (SPE). They’ve been taunting Sony Pictures executives in e-mails announcing the leaks, saying things like, “If continued wrongdoings of the executives of SPE drive us to make an unwanted decision, only SPE should be blamed.”
I heard something about North Korea and a Seth Rogen movie?
Yes. One theory is that North Korean agents carried out the hack as retribution for “The Interview,” an upcoming Seth Rogen/James Franco comedy about a pair of Americans who is tasked with assassinating the leader of North Korea. North Korea was furious about the movie when it was announced, and hacked e-mails show that Sony’s upper management was worried about it, too. Some security researchers say that the Sony Pictures hack bears some similarities to previous North Korean cyberattacks.
But nobody knows for sure. It could be that the hackers were simply a group of miscreants out to extort a powerful Hollywood studio, who glommed onto the North Korea narrative after the media began speculating. (This e-mail sent to Sony execs days before the hack, for example, makes no mention of “The Interview,” only a demand for money.) And the FBI hasn’t found a concrete link to North Korea yet, though they haven’t ruled it out, either.
Could Sony Pictures have prevented the hack?
Kevin Mandia, the head of the cybersecurity firm that Sony Pictures has hired to deal with hack clean-up told the company’s CEO in a memo that no company “could have been fully prepared” for the cyber-ninjas that came at Sony Pictures. (Mandia, of course, is currently being paid by Sony Pictures and has little incentive to say something like, “You guys really f***ed up.”)
As we still don’t know how the hack happened, it’s hard to say whether Sony Pictures could have prevented it. What we do know is that Sony Pictures' information security team was small, top-heavy, and led by a man who, in a 2007 interview, didn’t seem to fully appreciate the damage a breach could do. What also seems evident is that once inside the company’s computer network, the hackers roamed freely and collected a massive amount of data. Even if Sony Pictures had a strong wall to keep attackers out, there were no locks on the doors inside the castle once they got in. That can be solved by making sure that sensitive documents are locked down with encryption and passwords, and with network infrastructure that doesn’t allow digital wandering through the system. It’s also surprising that the major exfiltration of data off of the Sony Pictures network set off no alarm bells.
Sony Pictures may not have been able to prevent attackers from getting in, but they could have prevented them from getting as much data as they got.
How do employees of Sony Pictures feel about getting hacked? I'd be pretty pissed.
Many of them are. What Sony Pictures could have done after the hack – and what many current and former employees have told us it should have done – is work as quickly as possible to understand the scope of the hack, prevent further breaches, and communicate with employees whose data was compromised. Several current and former Sony Pictures employees told us that management had been unresponsive to their calls and e-mails, and told them about the hack only in short, carefully worded mass memos sent to the entire company.
“State breach notification laws prescribe various methods of communicating with affected individuals,” says Lisa Sotto, a privacy and cybersecurity lawyer at Hunton & Williams. “That said, where employees are impacted, it may well be worth going the extra mile to provide additional communications and information. These are your own people – so we want to make sure we take good care of them if they are affected by a data breach.”
The only recompense Sony Pictures has offered to those whose data was breached was a year of free credit monitoring, similar to the offer made to Target and Home Depot customers in the wake of those companies’ data breaches. (Former employees whose information was included in the leak have not yet received the credit monitoring offer.)
What’s the media’s role in all of this?
From the beginning, the Sony Pictures hackers clearly saw journalists as part of their toolkit. Every few days, hackers would release new troves of data onto the Internet, and writers and researchers for major media outlets would interpret, analyze, and extract newsworthy nuggets from the leaked files. The hackers encouraged this kind of feeding frenzy, alerting the media whenever they had put another cache of documents online.
Major leaks of documents that people, companies and governments considered private are becoming increasingly common. The legal questions surrounding these incidents vary case-by case. But in every case, journalists have to decide what’s worthy of holding up to public scrutiny – such as pay equity at a major Hollywood studio, leaked here – and what is not, such as stolen the intimate photos of the celebrities that star in Hollywood movies that were posted earlier this year.
This hack sounds pretty terrible. Is anyone happy about it?
Arguably, it’s good to have more information about the opaque practices of major Hollywood studios. Right now, the visual effects design community is buzzing about the leak of documents showing a confidential report detailing pay levels throughout their industry – a report that will, for the first time, give VFX designers the upper hand in negotiations with their managers. (And then there’s the marketing team behind “The Interview,” which has gotten a lot of free publicity out of the events of the last few weeks.)
More generally, transparency is a double-edged sword – usually bad for managers, usually good for employees (except when it comes to their Social Security numbers). The entire superstructure of business would collapse if this kind of transparency existed everywhere, but the drawing back of the curtain occasionally can be beneficial for society. As Felix Salmon wrote about the male-and-white-dominated list of Sony’s highest paid employees becoming public, “only with the sunlight of publicity are lists like this one ever likely to change.”
Have any other companies been hurt by these GOP people?
Yes. In fact, one of the most remarkable things about the Sony Pictures hack is how quickly it spread beyond Sony’s borders. We’ve found information relating to the internal affairs and business strategies of dozens of Fortune 500 businesses, including Apple, Amazon, and Merck. We reported on, among other things, a set of 2005 pay data from accounting giant Deloitte, which showed the salaries of more than 30,000 Deloitte employees as part of a government-encouraged test for pay discrimination.
When a company gets hacked as Sony Pictures did, it doesn’t harm that company alone. It also exposes a whole range of vendors and partners, each of which may keep data on the hacked company’s servers.
That is kind of terrifying!
Yep, it is. The thing about the era of networked data is that it can foil even those who take the best precautions. Your company may be an industry leader in information security, with all the best encryption methods applied to the data on its servers, but if one of your co-workers takes some files to a new job and that company is hacked, you could be exposed anyway. Likewise, an individual Sony Pictures employee might have taken pains to protect her personal health, salary, and employment information, only to have it exposed by a hack outside her control.
So, the lesson of the Sony Pictures hack is “delete your e-mail account and join the Amish,” right?
Well, not exactly. It’s unrealistic to expect normal people to apply sophisticated encryption to all their personal information, or to drop off the grid altogether. But information security needs to be part of employee training at every company. No one at an organization should have a “passwords” document on their computer containing all of their passwords. Employees that work with healthcare information, social security numbers or even files that contain employee gripes about your company should be taught to put passwords on those documents, or even better, how to encrypt them.
But I do have a password! Mine is “iloveonedirec”–
We’re going to stop you there. Just remember: you have to be vigilant about protecting your data, and you also have to hold other data-holders accountable for their security practices. More and more information about us is being captured and digitized and put in places where it could potentially be hacked. We have to keep putting pressure on everyone, from Uber to Facebook to our employers, to treat our data with care.