7 secrets from the Sony hack: Scripts, salaries, employee romance and more


I've spent the last few days poring over the nearly 40GB of data hacked and leaked from Sony Pictures Entertainment's (SPE) internal computer systems. The group responsible for the hack, which calls itself Guardians of Peace (GOP), claims there is more to come.

The rationale for the hack is still unclear; North Korea is a suspect and the FBI is actively involved.

As we continue to cover this case, I think it's important to put into perspective just how disastrous this attack is.

It's not hyperbole to say that this is probably the worst corporate hack in history. As I've written in the past, every person at SPE needs to operate with the understanding that every piece of data stored on the company's internal network has been compromised. Everything.

One of the struggles with this story is trying to frame the nature of just how much was hacked in a context that is relatable. It's easy to understand the cost of leaked films for a studio, but the information within the documents is so much more than that.

Sony hasn't just lost passwords; it's revealed to the world its entire (horrible) password strategy. Precise dollar amounts in what used to be confidential contracts are now known by everyone. Embarrassing incidents on employee files that may have been forgotten now have a fresh — and public — lease on life.

Here are just some of the most compromising pieces of information that we've seen or learned from the leak.

1. Sony will need to change ALL the passwords

Some of the information leaked Wednesday included a veritable treasure trove of password databases, security certificates, MAC addresses for workstations and servers, and the usernames of every person with sudo access. It also included password file upon password file for virtually every system within the SPE ecosystem.

Sony passwords lists

We know Sony is working with the security firm FireEye to deal with fallout from the attack but we hope that the company is aware that at this point, every password has to be changed, everywhere.

In some of the documents, some of Sony's building security systems are inventoried as well.

The repercussions of this attack will reverberate for months — probably years — because it seems that virtually every aspect of Sony's internal systems has been compromised.

2. Seinfeld still makes Sony a ton of money

The television arm of SPE makes a lot of its money from syndication deals to local affiliates.

One of the biggest shows in Sony's vast back catalog of shows is Seinfeld. For a show about nothing, it still continues to pull in big bucks more than 16 years after going off the air.

The total local syndication payments "Seinfeld" earns between Sept. 2014 and Sept. 2017.

According to documents Mashable reviewed, Sony's current three-year syndication deal for over 100 U.S. affiliates will net the company $18.5 million. New York City pays the most for Seinfeld reruns, with WPIX paying $5.46 million for its current three-year deal.

Keep in mind, this is just for local affiliates — it doesn't include the deals Sony has with TBS for Seinfeld.

3. Seth Rogen and James Franco got decent paydays from The Interview

Both actors were paid $6.5 million for The Interview, the upcoming comedy about journalists instructed by the CIA to assassinate Kim Jong-un. Rogen got additional fees for his work on the script.

The film, which opens in theaters on Dec. 25, is thought by some to be at the center of the attacks. The theory is that the North Koreans (or hacktivists who sympathize with them) are unhappy with the film and hacked Sony to retaliate.

Actor salaries from the film, "The Interview"

It's still unclear if North Korea is involved with the hack in any way, but it does seem more likely that the film is related to the hacks.

The full budget for the film, which clocks in at $44 million for above- and below-the-line costs, was included in a second cache of files released to the public Wednesday. It was inside a folder labeled "Passwords," which suggests it was put there specifically to be leaked.

Most of the data the GOP group has released seems to be in its original hierarchical format, but some of the information released Wednesday, including computer server and workstation inventories as well as passwords and The Interview budget, was released in a way that suggests it was culled together on purpose.

4. An executive took romantic trips with a subordinate on the company's dime ... and wasn't fired

A number of private HR documents were included in the leak, including a folder titled "Employee Issues."

This included disciplinary letters, performance improvement agreements and termination notices.

A letter to one employee indicated that the employee had "violated the company's electronic communication policy by sending explicit e-mails to other SPE employees." The employee, who was stated to be "in a leadership role," was told that they were a valued employee but that "should this type of incident happens again, you may be subject to additional disciplinary action up to and including termination."

In addition, an executive vice president on the business side of SPE was disciplined in June 2012 for having a romantic relationship with a subordinate and taking business trips with that subordinate:

Employee disciplinary file.

5. The pilot script for Vince Gilligan's Battle Creek is public

A number of pilot scripts for the 2014 TV season were included in the leaks, but the most newsworthy was for the Vince Gilligan/David Shore drama Battle Creek.

CBS announced at its May upfronts that it had picked up Battle Creek, which is from Breaking Bad's Vince Gilligan and House's David Shore. The show stars Josh Duhamel and Dean Winters. It has yet to premiere, though CBS did commit to a 13-episode pickup.

6. Sony Pictures Chairman Amy Pascal makes $12 million a year

As detailed in-depth by Kevin Roose at Fusion, thousands of Sony Pictures employee salaries were released.

Roose's reporting suggests that there might be a gender pay gap in some departments (with women making less than men at the same title), but based on our investigation into these documents, we're not sure we can come to the same conclusion.

That's partially because like most large companies, Sony has several different categories of compensation, which makes direct comparisons difficult without lots of time to study the documents.

As an example, Roose cites one document that shows that Sony Pictures Co-Chairman Amy Pascal's salary is $3 million. That may be her base salary, but other documents show that her gross compensation is actually closer to $12 million a year.

Moreover, Sony ranks employees in different pay categories and has compensation ranges for those specific groups. In the time we've had to look at the documents, it doesn't seem obvious that women in the same employee category as male colleagues are making demonstrably different salaries.

The documents do seem to suggest, however, that much like the tech industry, Sony has fewer women and minorities in high-ranking leadership positions.

7. Information security within Sony was atrocious

We've said this before, but it bears repeating: this attack was significantly worsened because of the poor security protocols in place by virtually every level of employee at Sony.

Kashmir Hill at Fusion spoke with former Sony employees who attested to the poor nature of infosec within Sony.

The company roster has just 11 employees tasked with information security (out of 7,000 total employees), not counting any outside contractors that might not be readily accounted for.

Hill found a 2007 interview in CIO Magazine with Sony's security chief Jason Spaltro. Spaltro — who still runs information security for Sony — brags about his policy of "good-enough" compliance. In fact, Spaltro was able to convince an auditor not to write up the poor passwords from Sony employees as a Sarbanes-Oxley violation.

As a result, in 2014, users were still able to use passwords such as "skateboard94" for Outlook and Novell access.

The most horrifying aspect of looking through the leaked documents isn't just their sheer breadth; it is how much of the material is accessible without any encryption or password protection. The Wall Street Journal even reported Thursday night that 47,000 Social Security numbers, including those of famous actors, were now publicly available. In addition, bank statements, tax forms, HIPAA and 401(k) information — not to mention the many, many business documents — can all be viewed by anyone with a copy of a modern office suite or text editor.
