The wave of cyberattacks of large retailers, from Target to Home Depot, over the past year have made hacks feel like a fact of life for many consumers. But the alleged breach at Sony Pictures last week hints at a future where such attacks are more invasive than a stolen credit card: Documents allegedly leaked include Social Security numbers, salary information and even employee performance reviews.
The leaked documents, first reported on by Kevin Roose at Fusion, have not yet been verified by Sony. But a memo sent to employees by Sony Pictures executives obtained by the Hollywood Reporter suggests that cyberattackers had access to huge amounts of the company’s internal systems. (Sony Pictures did not respond to a request for comment for this story.)
“It is now apparent that a large amount of confidential Sony Pictures Entertainment data has been stolen by the cyber attackers, including personnel information and business documents,” the memo from Sony Pictures Entertainment chiefs Michael Lynton and Amy Pascal reportedly read. “While we are not yet sure of the full scope of information that the attackers have or might release, we unfortunately have to ask you to assume that information about you in the possession of the company might be in their possession.”
The alleged document leak came a week after Sony employees reportedly were met with computers displaying images of a neon red skull and a message proclaiming the company had been hacked by “G.O.P” — which stands for “Guardians of Peace.” Pirated versions of several films, including some which have yet to be released, were also leaked online over the weekend.
Investigators believe North Korea launched the attack in apparent retaliation for a upcoming comedy film centered on a tabloid talk show host recruited to assassinate North Korean dictator Kim Jong-un.
“If it’s true that North Korea was behind it, it almost seems to be taking a tool from the methods of terrorists who try to hurt innocent civilians to attack a country or a company,” said Jules Polonetsky, executive director of the Future of Privacy Forum. “They’ve apparently gone to great lengths to personally hurt individuals who are working at the company to assert displeasure at the company.”
The attack appears politically motivated, said Chris Hoofnagle, the director of the Berkeley Center for Law & Technology’s information privacy programs. “This attack looks more like a crime meant to harm the victim than to extract some economic benefit, which makes it very different from the card breaches and the like,” he said.
In some ways, Hoofnagle said, Sony Pictures employees are experiencing what it’s like to be targeted by the hacktivist group Anonymous — whose tactics often include subjecting the private lives of members of an institution to public scrutiny.
Among the documents that Roose reported were leaked by the hackers were detailed performance reviews for hundreds of employees. One spreadsheet allegedly contained the names, birth dates, and Social Security numbers of more than 3,800 employees while another listed all employees who were fired or laid off in 2013 and the reasons they were let go. Buzzfeed reports that the data dump included “employee criminal background checks, salary negotiations, and doctors’ letters explaining the medical rationale for leaves of absence.”
“If you think about the long-term relationships you have with employers, they obtain all sorts of personal information that employees expect to remain private,” said Hoofnagle. “You can just imagine in personnel files there being pretty uncomfortable things — like confidential evaluations about employees or peer evaluations.”
According to the memo obtained by the Hollywood Reporter, the company will be providing identify theft protection monitoring services for its employees, but experts say that may not be enough. “Providing ID theft helps address one particular hurt, but there’s potential damage that’s being done here due to the exposure of private facts that’s hard to provide a remedy for,” said Polonetsky from the Future of Privacy Forum.
The nature of the Sony Pictures hack could represent a turning point in how fallout of cyberattacks are measured. “People like to steal corporate information, but to attack employees indiscriminately and widely really opens up a new front in corporate cyberwarfare or espionage,” Polonetsky said.
Andrea Peterson covers technology policy for The Washington Post, with an emphasis on cybersecurity, consumer privacy, transparency, surveillance and open government.
