Sony Hack: Studio Security Points to Inside Job

North Korea might hate a new movie, but studio sources lean toward an ex-employee scenario as movies leak and multimillion-dollar salaries go public

A version of this story first appeared in the Dec. 12 issue of The Hollywood Reporter magazine.

It's the hack heard round Hollywood — and the world.

Fallout from an unprecedented cyberattack that first hit Sony Pictures Entertainment on Nov. 24 continues to grow. The Culver City-based studio, now working with the FBI, was beginning to recover its computer systems when a trove of alleged studio and personnel secrets was spilled online. First, SPE was forced to shut down its companywide email; then five of its new and upcoming movies, including the Brad Pitt World War II film Fury and the musical remake Annie, were pirated and widely disseminated on file-sharing sites. Then the confidential information, allegedly from the studio's files, began appearing online, including what are claimed to be multimillion-dollar salaries of the studio's top executives and the Social Security numbers of more than 3,800 employees.

Although the studio at first would admit publicly only to "a system disruption," on the evening of Dec. 2, SPE CEO Michael Lynton and co-chairman Amy Pascal issued a companywide memo calling the hack "a brazen attack on our company, our employees and our business partners" and, in an apparent admission that much of the leaked information is accurate, acknowledging that "a large amount of confidential Sony Pictures Entertainment data has been stolen by cyber attackers, including personnel information and business documents."

Adding that "the privacy and security of our employees are of real concern to us," the two heads of the studio said that all employees have been offered identity protection services from a third-party provider, AllClear ID. While thanking employees for "the resilience you have shown in the face of this attack," they also said the theft of employee and other information were "malicious acts, and we are working closely with law enforcement."

While Sony reels from an attack that is proving costly and embarrassing (one source describes morale on the lot as "lower than low"), other studios are re-evaluating their own security systems. At Fox, for example, employees were advised to change their passwords. A Disney source says the company is re-evaluating its security protocols.

For Lynton and Pascal, the nightmare could be just beginning. An anonymous group calling itself the #GOP, short for Guardians of Peace, took credit for the attack, displaying a message on Sony's computers threatening, "If you don't obey us, we'll release data shown below to the world." As the studio shut down its email and other systems, employees were forced back to the pre-Internet age, with business done for days by pen, paper and blackboards.

Then, on Dec. 1, as the studio was resuming normal operations with the help of Mandiant, an online security firm, Sony brass was rocked by the dissemination of an alleged internal spreadsheet that included the annual base salaries (excluding stock and bonuses) of its 17 highest-paid execs. Among them are Lynton ($3 million), Pascal ($3 million), Sony TV head Steve Mosko ($2.8 million) and Columbia Pictures president Doug Belgrad ($2.35 million). The website Fusion.net, part of the youth-focused Fusion network started by ABC and Univision, unearthed a second download of purported internal Sony files Dec. 2. They contained, it said, a spreadsheet listing the payrolls of various Sony divisions — the company's total salaries as of May were listed at $454,224,070 — as well as formulas and estimates for laying off individual employees and a comparison of Sony's pay to that of studio rivals.

Now the question of who is behind the attack has become a chilling Hollywood whodunit. While the hackers have identified themselves only as Guardians of Peace, emails pointing journalists to allegedly stolen files posted on a site called Pastebin came from a sender named "Nicole Basile." A woman by that name is credited on IMDb as an accountant on the studio's 2012 hit film The Amazing Spider-Man, and her LinkedIn page says she worked at Sony for one year in 2011. Basile couldn't be reached for comment and the studio declined to confirm if she works or has worked there.

Initial speculation swirled around a state-sponsored attack perpetrated by the North Korean government or its allies in retaliation for Sony's upcoming comedy The Interview, in which James Franco and Seth Rogen play journalists drafted by the CIA to assassinate North Korean leader Kim Jong Un. North Korean officials have condemned the movie, calling it "an act of war." But as the story of the cyberattack has grown, North Korea has been coy about its possible involvement. Asked by the BBC whether the government was involved in the attack, a spokesman said only, "Wait and see."

Inside the studio, though, sources say there is little evidence that North Korea is behind the attack. Cybersecurity expert Hemanshu Nigam also finds it hard to believe that North Korea is the perpetrator. Instead, he theorizes an employee or ex-employee with administrative access privileges is a more likely suspect. For the studio — which has laid off hundreds of employees over the past year in an effort to contain costs — the possibility of a disgruntled employee wreaking havoc is very real.

"If terabytes of data left the Sony networks, their network detection systems would have noticed easily," explains Nigam. "It would also take months for a hacker to figure out the topography of the Sony networks to know where critical assets are stored and to have access to the decryption keys needed to open up the screeners that have been leaked." In addition, he says, "Hackers don't use such things as Hushmail, Dropbox and Facebook when they want to engage in what amounts to criminal activity. Real hackers know that these sites collect access logs, IP addresses and work with law enforcement. It is possible that North Korean-sponsored hackers were working with someone on the inside. But it is more likely a ruse to shift blame, knowing the distaste the North Korean regime has for Sony Pictures."

Adam K. Levin, a security expert for three decades, says the Sony hack could be part of a larger scheme. With media now linking to these fraudulent websites, millions of people could click on bad links and hackers can collect their email addresses and turn their computers into transmitters of private data. "It could be the equivalent of cyberwallpaper," says Levin.

On Dec. 1, the FBI confirmed that it is "working with our interagency partners to investigate the recently reported cyberintrusion at Sony Pictures Entertainment," and it issued a private bulletin to U.S. businesses warning of malicious software that can wipe data from computers.

It was not immediately clear whether the movie piracy is related to the initial attack or a separate action, though most suspect the two are related. On some file-sharing sites where they popped up, the films, which also include the Oscar hopeful Still Alice, starring Julianne Moore, were identified as having been ripped from DVDs, suggesting they were copied from awards-season screeners. "The theft of Sony Pictures Entertainment content is a criminal matter, and we are working closely with law enforcement to address it," said a Sony rep in one of the few public statements the company released in the early days of the attack.

The five movies were downloaded illegally about 2 million times in five days on peer-to-peer sites, with Fury, which has grossed $172 million worldwide, proving most popular. The bottom-line impact could be felt most on Annie, Sony's big holiday movie. The collective breach eventually could rival 20th Century Fox's losses when its superhero tentpole X-Men Origins: Wolverine leaked in March 2009, a little more than a month before its release. At the time, the studio estimated that 15 million people downloaded the movie for free — topping $50 million in lost revenue.

The cost of the system shutdown, startup and added security measures going forward also will be significant. But the attack could have an even larger effect on the industry in general — even if it only leads to heightened security precautions. "It's changing our business," says one producer of its impact on Hollywood. "From now on, money and time will be allocated by studios to deal with this full-time. Everyone is reeling."