Sony Hack Exposed Personal Data of Hollywood Stars

The hack at Sony Pictures Entertainment revealed far more personal information than previously believed, including the Social Security numbers of more than 47,000 current and former employees along with Hollywood celebrities like Sylvester Stallone.

An analysis of 33,000 Sony documents by data-security firm Identity Finder LLC found personal data, including salaries and home addresses, posted online for people who stopped working at Sony Pictures as far back as 2000 and one who started in 1955.

The hack and subsequent posting by a group calling itself Guardians of Peace illustrate the risks large companies like Sony take by amassing years of digital records on employees and customers on machines connected to the Internet. Much of the data analyzed by Identity Finder was stored in Microsoft Excel files without password protection.

The documents, reviewed by The Wall Street Journal, also contain the Social Security numbers or taxpayer-identification numbers of thousands of freelancers, including actors who appeared in movies and TV shows produced by the Sony Corp.-owned studio, one of Hollywood’s largest. Among them are Mr. Stallone, director Judd Apatow and Australian actress Rebel Wilson. Representatives for the three stars declined to comment.

The personal data can be found alongside contracts and other sensitive documents in massive files currently being traded on file-sharing networks such as BitTorrent.

Investigators, including teams from Sony, the Federal Bureau of Investigation and computer-security firm FireEye Inc., say the hackers used methods similar to ones previously attributed to North Korea. The malware was made on a machine with Korean language settings during Korean peninsula working hours and appears very similar to a tool used last year against South Korean banks and television stations, three people briefed on the investigation said.

On Thursday, Russian cybersecurity company Kaspersky Lab released a report noting the similarities between the Sony hack and last year’s attacks on South Korea, though it didn’t identify who was behind the incident. The researcher, Kurt Baumgartner, noted that cyberattacks others have linked to North Korea are frequently carried out by made-up hacker groups no security researchers have heard of before, much like the Sony breach.

A spokesman for the Pyongyang government has expressed outrage over “The Interview,” a Sony-produced Seth Rogen comedy set for release Dec. 25 that mocks North Korean leader Kim Jong-Un.

Sony Pictures hasn’t released many specifics to the public or employees about the scope of the breach. In an email to staffers Tuesday, Chief Executive Michael Lynton and co-chairman Amy Pascal called the theft of documents and their subsequent release online “malicious criminal acts.” The studio is offering one year of free credit monitoring and fraud protection to current and former employees.

The studio’s lawyers are also trying to force websites to remove the data or the links to it. As with pirated movies and music, however, once data becomes available on file-sharing networks, it is virtually impossible to remove.

Current and former Sony employees have said they are infuriated at the leak of personal information and scared at what else may appear online. Some also questioned whether one year of fraud protection will be adequate as their Social Security numbers will presumably live on the Internet for many years.

A Sony spokesman declined to comment.

The breach at Sony has gained unusual attention in part because it has exposed so many details on the inner workings—salaries, healthcare records, office call lists—of employees at a famous company in a prominent industry.

Cybersecurity experts could recall no other breach where so much data on a high-profile company was made public in one data dump. Investigators say hackers often have access to large troves of data once they penetrate a company’s digital perimeter. But the hackers may be seeking only one type of data, such as credit-card numbers, or don’t publish everything they have stolen.

Cyberattacks linked to the Chinese military are known to suck up large amounts of data, even if the hackers discard much of it later. A recent indictment of three Chinese nationals referred to a 1,467-page list of files at Boeing Co. to which the hackers had access.

In the Sony case, one person briefed on the investigation said the hackers sought a “shock and awe” effect.

Many documents with personal information appear to be from the human-resources department. There aren’t clear rules on how companies are supposed to safeguard employee information. The Journal contacted several current and former employees listed in the Sony databases and verified their listed details.

Many of the documents contain duplicative information. Files in the trove include more than 1.1 million Social Security numbers, according to Identity Finder, most of which are repeats.

Mr. Lynton’s Social Security number is in 93 different non-password-protected documents, said Identity Finder CEO Todd Feinman. Ms. Pascal’s can be found 104 separate times. “This data is not just in one file; it’s all over the place,” he added.

Mr. Feinman also said that companies appear more focused on preventing viruses from infecting their networks than on controlling the availability of sensitive information on computers. That has begun to change following leaks from former National Security Agency contractor Edward Snowden and data breaches at Target Corp. and other retailers.

“The No. 1 reason this happens is because companies have so much historical data and they don’t even know where it is,” Mr. Feinman said. “You’re just making hackers’ lives so much easier.”

Among other proprietary information leaked online by the hackers are the budget of “The Interview,” contracts for sales of repeat episodes of “Seinfeld,” and employee-feedback forms, according to published reports. Five Sony movies, four of which haven’t yet been released in theaters, have also been pirated.

In potentially difficult timing, Sony Pictures was scheduled to have its annual holiday party for employees at its Los Angeles-area lot Thursday night.
