Yesterday, I reported on a spreadsheet apparently taken from Sony Pictures Entertainment, one of the largest and most powerful studios in Hollywood, by a group of hackers calling themselves Guardians of Peace. The document, which listed the names, titles, and salaries of more than 6,000 Sony Pictures employees including senior executives (and may have revealed a gender pay discrepancy), appears to be part of an enormous data breach that hit the studio last week, forcing it to shutter computer systems, move employees to paper and pencils, and call in the FBI and private security researchers to investigate the hack.
I spent most of last night combing through some of the other documents from the hack – there were 26 large archives linked to in the original public Pastebin file, some of which have since been pulled offline. And the breadth and depth of the information I found is just insane.
Assuming the contents of the leak can be verified – so far, they haven’t been, and Sony Pictures hasn’t responded to numerous requests for comment – the Sony Pictures hack appears to be of a completely different magnitude than the normal DDoS attacks, social media hijackings, and other data breaches we’ve grown accustomed to. In fact, it could be one of the largest corporate hacks in history.
Partly, this is because Sony Pictures doesn’t appear to have made things very hard for the hackers. Here are just a few of the revelations I found in the leaked archives – most in normal, unencrypted Excel and Word files, labeled as plain as day:
A spreadsheet listing the names, birth dates, and social security numbers of 3,803 Sony Pictures employees, including all of the company’s top executives. (Happy birthday, Wendy!)
A spreadsheet listing the division-by-division Sony Pictures payroll, as well as breaking down costs for raises and other pay changes. (The company’s total salaries, as of May, were listed at $454,224,070.)
A spreadsheet listing Sony Pictures employees who were fired or laid off in 2014 as part of the company’s reorganization, along with the reasons for their termination. Also on this spreadsheet: estimates of “TOTAL COST TO SEVER,” or the amount Sony Pictures calculated it had to pay to terminate each person’s employment, including severance pay, COBRA health benefits, and outplacement costs. Here’s a sample, with names redacted for privacy:
A cheesy script for an in-house Sony Pictures recruiting video featuring HR executive George Rose and Sony Entertainment CEO Michael Lynton called, appropriately, “The Greatest Recruiting Video Ever.” Someone has edited the script to emphasize the importance of recruiting. (“It would be ideal to have Lynton state that talent acquisition is the single most important project,” one note in red reads.)
Detailed performance reviews for hundreds of Sony Pictures employees. Comments left on individual reviews included sentiments like “[Name redacted] is friendly, open and a fantastic team player,” “Key performer,” and “Flight risk if contributions are not recognised.”
A spreadsheet and chart comparing Sony Pictures’ employee pay to that of its competitors. (The metric used is “market posture,” which measures each level of employee pay compared to the market median for that level.) According to the chart, SPE pays its level 10 employees 113.1% of the median, but only pays its level 1 employees 92.2% of the median.
And on and on it goes. So far, most of the documents I’ve seen concern Sony Pictures’ corporate functions, not individual films or TV projects the studio is working on. But it bears repeating: if these documents are legitimate, their public release represents an unthinkably painful breach of the private data of Sony Pictures employees, and a remarkably lax approach to data security on the company’s part. Even relatively simple encryption or password-protection measures might have kept this data out of hackers’ hands.
Sony Pictures is scrambling to deal with the consequences of the hack. The company has reportedly hired Mandiant, the same security research firm that helped the New York Times deal with an apparent Chinese hack last year. Re/code reported last week that Sony is investigating possible North Korean involvement in the attack. If North Korea is indeed behind the attack, many are speculating it might be an act of retribution for The Interview, a soon-to-be-released Sony comedy starring Seth Rogen that offended North Korean authorities.
If that’s true, then – given the costs of cleaning up one of the largest security messes in Hollywood history – The Interview may turn out to be one of the most expensive movies Sony Pictures has ever made.