The last few weeks we have seen reports of a massive hack into the Sony Pictures Entertainment system where the hackers seems to have seized an immense amount of confidential internal documents about everyone who was even remotely connected to the company.
On November 24 the world found out that Sony Pictures Entertainment was hacked and had disabled its entire corporate network, including locations that spanned Culver City, New York, and overseas.
This breach has very few analogues in history, outside of the Snowden documents, to any other type of breach on record. The combined corporate intellectual property, financial and legal information, contact databases and health records, passwords and encryption keys for Sony Pictures Entertainment can’t be compared to a breach of a retailer’s email or credit card database.
But in the case of Sony’s compromise, individual files can be spreadsheets with multiple records each. Some of the 38 million (known) files exfiltrated in this carefully planned attack are entire databases.
This is comparative to source code being leaked. Unpublished scripts for movies, contract negotiations, NDA’s (thousands are listed), secret terms for payment schemes, the very information Sony uses to keep its entire company relevant, are in the stolen files.
The benefits to Sony Pictures Entertainment competitors — Universal, Warner, Disney — in terms of competitive intel, is priceless.
The group claiming responsibility for this calls itself #GOP (Guardians of Peace). What is strange is that the initial notice that the company had been hacked came from an ominous message that appeared on the screen when on November 24, 2014 any employee logged on to the company servers, threatening to reveal everything unless their demands were met. But the demands were not specified, at least publicly, though it is possible that they were communicated to the top levels of Sony.
Later, massive amounts of data were released, including films that had been recently released or were about to be released, and again it was not clear why that was done since doing so eliminated the leverage that original threat had. Of course, it is possible that there is even more sensitive information that has yet to be released. From what I have read, Sony’s internal controls to protect its data seem to have been woefully inadequate, making this hack easier than it should have been.
The first people to be suspected in such hacks are disgruntled insiders since they are the ones who, if somewhat savvy, can do it most easily (think Edward Snowden) and usually have motive. But there have been more exotic theories such as that it was the work of anonymous hacking collectives that have either a political anti-corporate agenda or are simply trying to get money by blackmail or to the most bizarre theory that it was done by the North Korean government in retaliation for Sony releasing the comedy film The Interview about US journalists working with US intelligence agencies to kill Kim Jong Un.
The breaches can be classified in four categories. The worst is the revelation of people’s private information that harms them and benefits no one.
The most painful stuff in the Sony cache is a doctor shopping for Ritalin. It’s an email about trying to get pregnant. It’s shit-talking coworkers behind their backs, and people’s credit card log-ins. It’s literally thousands of Social Security numbers laid bare. It’s even the harmless, mundane, trivial stuff that makes up any day’s email load that suddenly feels ugly and raw out in the open, a digital Babadook brought to life by a scorched earth cyberattack.
These are people who did nothing wrong. They didn’t click on phishing links, or use dumb passwords (or even if they did, they didn’t cause this). They just showed up. They sent the same banal workplace emails you send every day, some personal, some not, some thoughtful, some dumb. Even if they didn’t have the expectation of full privacy, at most they may have assumed that an IT creeper might flip through their inbox, or that it was being crunched in an NSA server somewhere. For better or worse, we’ve become inured to small, anonymous violations. What happened to Sony Pictures employees, though, is public. And it is total.
At another level are those things that are fodder for film gossip and trivia such as the aliases film stars use when checking into hotels and the like.
Yet another level is the information that Sony’s rivals obtain about the company strategic plans.
And yet another level of information s what the documents reveal about the state of the the film industry and how it operates. Reader kyoseki works in the VFX industry that has been in a great deal of turmoil because of the way that the major studios treat the special effects companies, sending them around the world in pursuit of tax subsidies and firing their top talent in order to cut costs, and he tells me that these emails confirms their worst fears, that this practice has resulted in the loss of the major talent and a reluctance of those people to work with Sony.
But this still brings us back to the central question that still, as far as I know, remains unanswered: Who did the Sony hack and why?