After sifting through almost 40GB of leaked internal data, one thing is clear: Sony Pictures appears to have suffered the most embarrassing and all-encompassing hack of internal corporate data ever made public.
The data dump, which was reviewed extensively by BuzzFeed News, includes employee criminal background checks, salary negotiations, and doctors' letters explaining the medical rationale for leaves of absence. There are spreadsheets containing the salaries of 6,800 global employees, along with Social Security numbers for 3,500 U.S. staff. And there is extensive documentation of the company's operations, ranging from the script for an unreleased pilot written by Breaking Bad creator Vince Gilligan to the results of sales meetings with local TV executives.
The documents made public this weekend, covering the company's human resources, sales, and marketing teams, among others, are just a fraction of approximately 100TB of data the hackers claim to have taken from Sony. They say it will all be made freely available online, once they figure out how to distribute such an enormous amount of information.
A Sony Pictures spokesperson declined to comment on the specifics of the data released, but shared a brief statement saying the company "continues to work through issues related to what was clearly a cyber attack last week." Sony is "working closely with law enforcement officials to investigate the matter," it said.
The hackers, who call themselves the Guardians of Peace, took credit for the attack this weekend, emailing members of the media with links to download dozens of compressed files, each containing vast troves of data stolen from the servers of Sony Pictures. Earlier, the hackers leaked high-quality video files of five unreleased Sony films. The box office impact of that release, analysts told BuzzFeed News, probably won't be that bad. But the broader cost to Sony of this new round of leaks — to its reputation, its employee morale, and its commercial standing — seems impossible to estimate.
In a memo to employees, obtained by The Hollywood Reporter, Sony Pictures Entertainment chiefs Michael Lynton and Amy Pascal pulled no punches.
"While we are not yet sure of the full scope of information that the attackers have or might release, we unfortunately have to ask you to assume that information about you in the possession of the company might be in their possession," the memo said. "While we would hope that common decency might prevent disclosure, we of course cannot assume that."
The leak is particularly embarrassing because it comes just three and a half years after Sony and its gaming customers suffered through a three-week-long hacking nightmare that brought the company's Playstation gaming networks offline and compromised the personal and financial information of up to 25 million customers (though the company did not confirm how many accounts had financial information stolen).
In the days after the April 2011 breach, Sony enlisted three independent computer security and forensic consulting firms to assess its security infrastructure and identify the culprit of the hack, according to a letter from Sony to members of Congress. In the letter, Sony defended its decision to wait five days to admit its security had been compromised and called on the government to help make the internet safer. "We ask the Committee to consider as well the connection between data security and the cybercrimes and cyber terrorism that threaten to make the Internet unsafe for consumers and commerce," the letter read.
Years after that hack, Sony Pictures still seems to have a long way to go. One of the files leaked this weekend was a Word document titled "Passwords" that contained an executive's computer, LotusNotes, and American Express usernames and passwords, as well as Amex credit card numbers, expiration dates, and four-digit security codes.
The roughly 40GB of company information now available online sat on company servers without encryption, with a vast majority of the sensitive personal and financial files containing no password protection. Currently, the stolen data trove is available to download, potentially placing the information in the hands of any hacker, scammer, criminal, media organization, or curious citizen who knows their way around a torrent file.
The release of such sensitive data could easily eclipse the leaking of five unreleased films, in terms of its impact on the company's bottom line. "Financially it will cost more to clean up this mess than what they would lose at the box office," said a movie industry source who requested anonymity because of ties to Sony. "Firewalls, consultants, all that stuff is expensive."
Sony Pictures employees now face the grim prospect of extremely personal information bouncing around the internet forever. The documents lifted from company servers include email exchanges with employees regarding specific medical treatments they are undergoing, while one disciplinary letter details a manager's romantic relationship and business travel history with a subordinate. None of the names on any of the files is redacted.
In some cases, extensive stores of personal employee files — documents that have nothing to do with Sony corporate business — were included in the breach. One document swept up in the hack outlines the breastfeeding diet of a senior executive.
Leaked performance evaluations cover, sometimes in great detail, how individual employees failed to live up to the expectations of their managers. There are also detailed compensation reports for Sony's executives, including their last three years of compensation at Sony, their target bonus, actual bonus, and base salary. It also compares them to similarly situated employees in other companies and reviews their proposed contracts for the next three years.
Alongside that: salary information on almost 7,000 employees, from those on multimillion-dollar contracts to those earning less than $21,000.
Some believe the leak might have been the work of hackers backed by the North Korean government, which has expressed outrage at an upcoming Sony Pictures comedy film, The Interview, which is built around an attempt to assassinate North Korean leader Kim Jong Un. North Korean officials have previously described the unreleased film as an act of war, and in a letter to UN Secretary General Ban Ki-moon, the country's United Nations ambassador said the film was a form of terrorism.
When asked by the BBC on Tuesday if their country was responsible for the Sony Pictures hack, a North Korean government spokesperson replied, "Wait and see."
And this may be just the beginning. "We have much more interesting data," the hackers said in an email sent to media, including BuzzFeed News. "If you find special interest, send an email."
Matthew Zeitlin, Joe Bernstein, Anne Helen Petersen, and Peter Lauria also contributed reporting to this story.
Tom Gara is the business editor for BuzzFeed News and is based in New York.
Contact Tom Gara at email@example.com.
Charlie Warzel is a senior writer for BuzzFeed News and is based in New York. Warzel reports on and writes about the intersection of tech and culture.
Contact Charlie Warzel at firstname.lastname@example.org.
Got a confidential tip? Submit it here.