Inside the Sony Hack
What it was like to be a rank-and-file Sony employee as the unprecedented cyberattack tore the company apart.
Every morning, like so many of her colleagues, a television writer would drive from her Hollywood apartment to the Culver City, California, lot of Sony Pictures Entertainment. Greeting her at the gate most days was “this really, really nice woman who said, ‘Happy Monday! Happy Tuesday! Happy Wednesday!’ ” she says. “Like, welcome to the fake small town that you work in!” The guard would push a button. The gate would lift. The screenwriter would park under a 94-foot-tall rainbow sculpture, an homage to The Wizard of Oz. She’d walk down a brick lane, past mammoth billboards for the studio’s upcoming releases, and through towering façades painted like quaint shops—a dry cleaner, a bowling alley, a cinema marquee. Then she’d enter her office and write some TV.
One year ago, on Nov. 24, 2014, there was no “Happy Monday” when the screenwriter approached the Sony lot. Instead the guard told her to pull out her badge and swipe it to unlock the gate herself. Inside, she walked down the path and past posters for the upcoming geopolitical stoner comedy The Interview. Across the lot, select company computers were playing a movie Sony hadn’t produced. It opened with gunshot sound effects and a spooky cartoon: a grinning pink skeleton, a gravestone marked “SONY,” the pale severed heads of studio bosses Amy Pascal and Michael Lynton. A threat scrolled by in neon-green broken English:
We’ve already warned you, and this is just a beginning. We continue till our request be met … Wei-ve obtained all your internal data including your secrets and top secrets. If you doni-t obey us, we-ll release data shown below to the world.
It was signed, “Hacked by #GOP.”
Early reviews were lukewarm. “It felt like getting hacked in the early ’90s,” says one Sony employee (who I spoke to on an anonymous basis, just like almost everyone else I talked to for this story, as Sony’s employment policies forbid talking to the press, Hollywood is a small town, and it can be a reputation-killer to be quoted on the record speaking freely about your experience with a big studio). “The message looked like something out of Hackers, the movie. Like, You’ve been hacked, bitch! It was a throwback. Almost cute.” Nobody knew that “it was the beginning of this terrible, awful experience that would stretch on forever and ever.”
Last year, the Identity Theft Resource Center recorded data breaches at 783 businesses, banks, schools, health care outfits, and government systems. Together they exposed north of 85 million sensitive records, including Social Security numbers, health histories, banking details, and account passwords. By the ITRC’s count, the Sony breach was a blip. Just a couple of months earlier, hackers had made off with the credit card numbers of 56 million Home Depot customers. But the Sony hack was small like a bull’s-eye. It was a targeted assault on a whole organization, not some inchoate diaspora of Anthem health insurance members or recent Target shoppers. It was one of the first hacks to expose not just the metadata of our lives, but the substance of our relationships. And it was the hack that made many of us wake up to the importance of cybersecurity, by adding drama, George Clooney, pot humor, and North Korean supreme leader Kim Jong-un to the mix.
In the year since the hack, the fallout has been told largely through superficial squabbles between bold-faced names. Amy Pascal didn’t like Cameron Crowe’s movie. Scott Rudin thinks Angelina Jolie is a brat. Aaron Sorkin doesn’t know who Michael Fassbender even is. Tabloids, blogs, and the New York Times couldn’t get enough of the story, so anyone paying even cursory attention to the ordeal knew how it was impacting Seth Rogen, James Franco, and their stoner comedy, The Interview. (According to the FBI, North Korea had unleashed hackers on Sony in presumed retaliation for the movie’s disrespectful treatment of Kim Jong-un—at the end, his head explodes.) But the hack also had massive effects on the 7,000 employees who keep the studio running. Behind the lot’s façades, Sony functions like any number of nondescript American corporate offices. Secretaries schedule meetings; HR manages benefits; food services dishes up lunch at the lot cafeteria. Over the past few months, I talked to those people—two dozen Sony employees, former employees who left in the months after the hack, contractors, and industry professionals who work closely with the studio—about what the hack was like for them.
* * *
Outside Sony, it would eventually seem as if all the studio's info had been exposed for everyone to see. But inside the studio, nobody could access anything. “Everything was so completely destroyed. It was surreal. Everything was down,” one ex-employee told me. “It wasn’t just one system or one part of the lot or one building. The network was completely chewed up by the virus."
The telephone directory vanished. Voicemail was offline. Computers became bricks. Internet access on the lot was shuttered. The cafeteria went cash-only. Contracts—and the templates those contracts were based on—disappeared. Sony’s online database of stock footage was unsearchable. It was near impossible for Sony to communicate directly with its employees—much less ex-employees, who were also gravely affected by the hack—to inform them of what was even happening and what to do about it. “It was like moving back into an earlier time,” one employee says. The only way to reach other Sony staffers was to dial their number directly—if you could figure out what it was—or hunt them down and talk face to face.
At first, staffers were told that Sony was “working on an IT issue” and that systems should be online again soon. Instructions were relayed “like a game of telephone,” one employee says. When workers first arrived on the lot that Monday morning, they got a message through a security guard or a colleague or a handwritten sign taped up to the wall: Don’t turn on your computer. Later, someone might pop in and deliver the latest directive fourth-hand: “Unplug your computer from the wall.“ Which plug? The network cable? The power cord? Who knows? Just unplug everything. Says one worker: “It was all the hysteria of not knowing.”
In the days after the hack, Sony set up a hotline for employees to call with questions about identity theft. It made psychological counselors available on campus. It had the FBI—whose agents were camped out on the lot for weeks, investigating the hack—host employee seminars on data security. Once email was back online, Sony sent staffers an internal memo nearly every day, most of them signed by Lynton himself. Lynton ate alone in the lot cafeteria and invited employees to come and chat. But company communications were often lacking in specifics—an “IT issue,” huh?—so workers hit their phones in search of answers, texting with colleagues, searching Twitter for the hackers’ hashtag, and passing around cellphone pictures of the spooky pink skeleton to staffers who hadn’t seen it yet. Rumors raced across the lot. Maybe it was North Korea. Or maybe it was that old PR guy who left on bad terms. Even as company tech support worked overtime to get systems back online, one employee told me, “Everyone was kind of eyeing IT, wondering if one of them had a hand in it.” (Though the FBI publicly pinned the hack on North Korea on Dec. 19, the theory that the hack was really staged, or else aided, by a disgruntled ex-employee persisted.)
Some employees—among them lawyers, HR reps, tech and finance people—had jobs so integrated in Sony’s systems that their regular work ground to a halt. Many were instantly shifted to new duties, working to get systems back online. “It was like a bomb went off,” one staffer says. “We looked around. We were still alive. So we started doing triage.” With printers down, Sony staffers handwrote messages on paper and taped them around the lot. Within a day, employees had dragged old BlackBerry devices out of storage to help higher-ups communicate and found old check cutters with which they could pay employees and contractors on paper—once they could figure out how much they made. Thousands of computers were picked up from around the lot for scanning and repair. Loaners were obtained and distributed. Thirty to 40 employees worked all the way through the Thanksgiving weekend. When others returned that Monday, Sony had set up an emergency email server that full-time regular employees could access. A temporary Wi-Fi system was broadcast across the lot, and the name and password were distributed on slips of paper, along with a warning that it was, as one employee puts it, “about as secure as a Starbucks network.”
“It was an Earth-shattering change,” an ex-employee says. “There was no ability to reference anything else that had happened before the hack.” One Sony contractor told me that, when he failed to receive his regular check a month after the hack, he called the company and was told: “Sorry, how much do we pay you?” Systems that got back online quickly were just a “rough draft,” a “weird middle ground,” and “built on sand,” various workers said—totally temporary and not customized to the actual work. Staffers had to use generic forms to complete highly specialized tasks with contractors and vendors. “Suddenly, none of the line items made any sense,” one worker says. Imagine shopping online, trying to add items to your Amazon cart, but having to do it on a form designed for school loan applications. The impact on Sony’s systems “really sank in at the beginning of the new year,” one ex-employee says. “We returned from the holidays having heard lots of promises that systems would be restored.” Many were not.
For some Sony employees, the hack added hours a day to their workload. A postproduction assistant on the TV show The Blacklist told me that before the hack, “my schedule was insane.” He was working 12 to 15 hours a day, six or seven days a week. After the hack, the disruption of one particular system—the one Sony used to send raw digital footage from the show’s New York set to its L.A.-based editors—required that he wait around every night until the set wrapped in New York, drive to the Hollywood contractor that had stepped in to manage the transfer, and drive the footage back to Sony to be manually uploaded for processing. He compares working at Sony after the hack to a lab experiment in which a sniveling white mouse is dropped in a chamber and assaulted with electric shocks. “If you give the mouse an electric shock every 10 minutes, he gets used to it. He knows what’s coming. He learns to deal,” he told me. “But if you start adding in shocks at random, the mouse is like, Fuck! When is the next thing happening?”
* * *
In the weeks after the hack, moods swept over the workforce in waves, like stages of grief. At first, “everyone was pretty understanding and mellow for the most part. There was a spirit of togetherness, concern, and general camaraderie on the lot. People understood this was beyond the bounds of anything a company like this had ever seen before,” one ex-employee told me. “The anger set in later.”
With email down in those first few days, the surge in face-to-face communication helped strengthen bonds in the company. “It was like, we’re having face-to-face meetings, in the same room, talking to each other? Weird,” one employee told me. And since they were all dealing with the trauma together, some staffers bonded “over this communal, shared experience,” another employee says. “I definitely felt closer to a lot of people.” Employees celebrated little victories: When staffers were paid on time, many were grateful, even impressed.
At 5 p.m. on Thursday, Dec. 4, 10 days after the hack, the staff reported to the parking lot under the rainbow for Sony’s annual holiday party. Executives took turns bartending as a disco ball twirled overhead. Pascal delivered a rah-rah speech: “On any Friday night, we can shift the world on its axis, and if anybody wants to stop us, they’re going to have to do a whole lot more than breach a firewall.” (Pascal declined to be interviewed for this piece.) The crowd cheered. Everyone got really drunk. On Instagram, employees posted spirited captions like “Party like there is no next year!" and “#turnteventhowegotHACKED.” The event ended as it should: With people in button-downs awkwardly grooving to House of Pain’s “Jump Around.”
But the next day, the hackers (or an imposter) emailed a threat to a list of Sony employees, warning them to denounce the company or “suffer damage.” Refuse, the email said, and “not only you but your family will be in danger.” That was the moment when “it felt like things had gone too far,” one employee told me. “Things were spiraling, and Sony didn’t seem to have it under control.” Meanwhile, it was quickly becoming clear that the hackers had commandeered huge caches of personal data on the company’s rank and file—emails, yes, but also Social Security numbers, salary info, personnel reviews, and medical histories. In just one handy spreadsheet dumped in the wake of the hack, 3,803 Sony Pictures employees’ Social Security numbers were exposed. Detailed information about highly personal medical procedures got out. Staffers’ kids were at risk of having their identities stolen. Cybercriminals instantly raided the files. In the coming months, according to interviews and court documents, one employee would be charged for a fancy microwave on Amazon; a former staffer would have her email and password sold on the black market; another would be hit with overdraft charges as thieves drained her bank account. “As the reality set in, morale was just trashed,” one ex-employee says. “Everyone was really upset when it was discovered how everything was stolen in addition to just being down.”
Leading up to The Interview’s Christmas premiere, the fallout of the hack revealed itself like some deranged advent calendar. Each day there was a new data set dumped on the Web, a fresh morsel of celebrity gossip fished from an email and fed to the tabloids, another anonymous threat lodged against some player in the drama. Every time it seemed like the saga had reached its climax, Sony got slammed with some other twist. It’s impossible to grade Sony on its response to the hack, because there’s no basis for comparison for the punishing series of bizarre events the company was forced to crisis-manage. Still, seemingly everyone had an opinion. In the weeks following the hack, Sony, the cybersecurity firm it hired to investigate the hack, and FBI agents stated that the company had experienced an “unprecedented” digital assault that would have felled 90 percent of companies it hit. But some independent analysts assessing the Sony situation from afar shrugged that it wasn’t so sophisticated after all and that the company could have done more to prevent it if it had beefed up its security staff and poured more cash into protections. Some security experts co-opted the hack to promote their own services.
A rash of civil suits, filed by stilted ex-staffers, hit one after the other. The first, filed Dec. 15, began: “An epic nightmare, much better suited to a cinematic thriller than to real life, is unfolding in slow motion for Sony’s current and former employees.” In the lot cafeteria, staffers approached Lynton and vented in person. “They asked me, ‘Why are we doing this, putting out the movie?’ and ‘What does this mean for my family?’ and ‘What are you doing to protect me?’ They told me about all the time and effort they were putting in—18-hour days, six days a week—and about how they hadn’t seen their families for longer than just a glance,” says Lynton. “Obviously, there were people who felt aggrieved. I was deeply sympathetic, because a lot of my personal information was exposed. I empathized with them. I can only say that we did as much as was humanly possible to keep them safe.”
But in other ways, the CEO and his employees could not necessarily relate. Getting The Interview into theaters was of the utmost important to the boss. Lynton, who has two Harvard degrees, launched his career in media and publishing, and regularly rubs shoulders with journalists and diplomats, was attuned to the political implications of cancelling a movie, no matter how dumb, over a dictator’s objections. But a Jeopardy! P.A. doesn’t necessarily feel a responsibility to champion free expression regardless of the personal costs. Defending a stoner movie to death was not what he signed up for. As the company struggled to release The Interview while juggling the various expectations of President Obama (who wanted Sony to release the movie), theater owners (who didn’t want to risk losing customers after hackers threatened an attack), Seth Rogen (the studio’s reigning film bro), and the press (who wanted dirt), some employees felt like their own concerns were drifting further and further down their bosses’ list of priorities. Says one person who worked on the lot, “Nobody knew how to play it so they could be responsible as employers, responsible geopolitically, and responsible as artists.”
* * *
The hack had a way of heightening existing institutional anxieties, and Sony already had its share of those. In 2013, Sony investor Dan Loeb lobbied the Japanese company to cut costs in its entertainment division, and by year’s end, efficiency consultants from Bain & Co. were slithering across the lot, eyeing every department for expendable employees. The project, code-named “Building for Tomorrow,” would help Sony cut as much as $300 million from its annual budget and lead to hundreds of layoffs by the end of 2014. Some positions were slashed at home, then outsourced to third-party vendors or shipped overseas and restocked with cheap foreign workers. Over the course of 2014, batches of replacements would be flown in and out of California to train in Sony’s Culver City offices. So: Morale was low. As one Hollywood exec put it months before the hack, “It is a toxic dump over there right now in terms of stress and pressure and downsizing.”
After the hack, fine distinctions of status and reputation rose to the surface. Press reports pushed Sony’s long-simmering diversity issues to a boiling point. It wasn’t a secret to anyone that Sony’s highest-paid executives were almost exclusively white men, but it was still depressing to see that fact illustrated plainly in a spreadsheet and splashed across newspapers and blogs. When tabloids scanned Sony’s highest-ranking woman’s emails and recovered some weird black jokes—and then, when she was fired and replaced by another white man—that didn’t inspire a lot of company pride, either. (“I totally agree that this was a big issue, and it remains an issue. It’s appropriate for people to be concerned about it,” Lynton told me. “I don’t brush it off at all.”)
Another rift emerged between the “creative” types contracted to work on the lot over the course of a film or a show, and the regular Sony employees who kept the studio running and on budget. “There is a really stark division on the lot between Sony employees and people who are contract workers. There’s the perception that proper Sony employees are basically paper-pushers. Bean-counters,” says one contractor. “The Sony employees are thought of as people who want to work in Hollywood to be a part of the machine but don’t want to generate anything artistically. There’s a little bit of ego about that among the ‘creatives.’ So there was this added edge to the hack.” Sony’s rank and file had their job descriptions scrambled and their private information cast to the wind. But for many of the contractors working on the peripheries of the organization, the hack seemed to breeze through like tumbleweed. “The Interview came out and nothing happened. We got our Internet back. We spent a month joking about it. After about two months, everybody sort of forgot it ever happened,” a screenwriter told me. “It was just another crazy thing in a crazy year of work.”
Even inside Sony proper, the effects of the hack varied wildly based on department and status. “Some of the worst team players were in HR,” one employee told me, because the nature of the hack—leaked Social Security numbers, exposed medical info, a trashed payroll system—meant their department was one of the hardest hit. Several employees told me that people who had higher positions at higher salaries seemed more casual about the threats to their identity, instead focused on keeping Sony movies and TV shows running on schedule. People at the lower echelons were more likely to be concerned about the costs necessary to keep their information safe. Shortly after the hack, Sony offered employees a yearlong subscription to the fraud protection service AllClear and—after some nudging in the form of a class-action lawsuit settled last month—extended the offer to ex-employees and dependents through the end of 2017. But lot chatter moved flusher employees to shell out for a pricier protection service, LifeLock. Now, one year out, it seems to some that executives and managers have recovered from the hack on a quicker schedule than some of their underlings. “For many of the higher-ups, it’s like it never happened,” one employee told me. “They’re very much in tune with the imperative from Sony to move on.”
* * *
Last month, Lynton took the stage at a corporate conference and said he’d heard from a “distressing” number of colleagues who’d joined in the fun by reading his emails. Sometimes they still waltz up to him in the cafeteria, he says, and start chatting about what they’ve learned.
But here is the most surprising thing I learned in reporting this story: Most Sony employees I spoke with said they didn’t search the leaked documents. For the first several months after the hack, when the only way to access the stolen information was to download some hulking pile of data thrown up by God-knows-who on a file-sharing site on a dark corner of the Web, most employees didn’t even know where to find it. Those who did were scared about what would happen when they clicked “download.” Media reports warned that security researchers who accessed the hacked files had been visited by the FBI. Sony employees who had just witnessed the swift, total destruction wrought by the hackers worried that the posted files could contain another virus, one that would take over their home networks and infiltrate even more of their online lives.
Sure, some people snooped. “I’ve heard many people talking and joking about looking up other people’s deals,” says a writer on the lot. “People are just interested in how much money other people received because, you know, money.” But many people I talked to say they were only snooping for their own data. Some assistants were tasked with searching the leak to see whether their executive bosses had been breached or to get ahead of any stories that might be sourced from their inboxes. On one TV show, a screenwriter dared to download the files and gathered his colleagues around to plug in their names and see if their private information had been exposed. One widespread frustration among workers I interviewed was that while Sony had warned everyone to “assume” that their data “might” be in the hackers’ possession, the company didn’t page through the material and notify employees who’d actually been compromised.
The troves of data released in the hack seemed a lot more interesting to people outside the studio than those in the trenches. Employees who were low on the totem pole didn’t really fear any of their own emails would be spun into a tabloid sensation, since nobody knew who they were. And because only executive inboxes were leaked, they knew they wouldn’t find much relevant intel—their own dealings were below the executives’ notice. “It would have been a lot of work to search through all that stuff, and it was unlikely to give you any leverage around here,” one employee told me. For staffers who did email with executives, digging for dirt on colleagues felt like mutually assured destruction. Says one staffer, “Everyone was in the same boat.”
By the time WikiLeaks published more than 30,000 Sony documents and 173,000 emails in an easily searchable database in April, calling them “The Sony Archives,” many Sony employees were so sick of hack talk that they couldn’t conceive of an aspect of their company that they actually wanted more details on. Besides, Sony disabled access to WikiLeaks on the lot’s computer network—it cut off a lot of sites after the hack, including some industry blogs—so employees would have had to use their downtime to rifle through their employer’s files. Not exactly an enticing proposition. At a certain point, one staffer says, “I just started filing that stuff into a mental folder labeled ‘More Hack Bullshit’ and did not engage.” When I asked staffers what they thought about one media story that made a big splash in my circles five months after the initial hack—a cruel Jezebel report on the pubic hair dye Pascal had ordered from Amazon—most of them drew a blank. They’d never heard of it.
In the year since the hack, some have speculated that the leak could spook Sony staffers away from email entirely. Writing in the New York Times in March, the screenwriter Delia Ephron said that since the breach, “I say less in personal emails, and much less in professional ones. If I’m writing to someone whose cloud a hacker might fancy, I am less cozy, which is a bit like downgrading a close friend to an acquaintance.” But Ephron also admitted she couldn’t stay on high alert for long. Studio deal-making moves too fast for all relevant parties to hop on the phone or crowd in a conference room for every meeting. And Sony is just one studio: It can’t dictate how its entire industry works or force every agent, actor, and producer in Hollywood to zip it. Jeff Garlin, star of the Sony sitcom The Goldbergs, saw his salary leaked in the hack but hasn’t altered his behavior. “I email more and talk more to show the bad guys that can’t stop us,” he told me. One industry pro who’s in constant contact with Sony executives says that in the view from his inbox, at least, “Nothing changed. Nothing at all.” Says Lynton, “I still regularly see emails that make me say, ‘Really? We went through this for a year, and you’re still sending this?’ The technology is so compelling that—for whatever reason—people are still sending me emails that they would very much not like to see show up in another venue.” But some at Sony have noticed small shifts. Conversations that used to be angry emails are now sometimes yelled over the phone. Staffers who used to ping-pong tasks endlessly between one another learned that they can often talk it out faster than they can type it. Online chats that used to be instantly archived have been switched to off-the-record.
* * *
Last year, the Identity Theft Resource Center surveyed hundreds of victims of identity theft about the emotional aftermath of the crime. Many testified to experiencing denial, frustration, rage, fear, betrayal, and powerlessness in the days, weeks, and years after the violation. And these were people who were wronged by a retail store or a health insurance provider, companies with which they had thin, impersonal relationships. Target is just a place they bought bedsheets. Anthem is a card they brandish at doctors’ visits. The Sony hack hit employees in the place where they spend most of their waking hours and expend most of their mental and physical energy, and not necessarily because they’re super passionate about filing paperwork for Adam Sandler movies. The leak of information threatened their personal financial futures, and the destruction of property threatened their livelihoods. As one employee put it: “Everything we had to do to make a living became such a chore.”
While outsiders viewed the hack as a dishy celebrity soap opera or exciting international spy saga, inside the writers rooms and the HR department and the IT offices, it wasn’t very sexy at all. It was a lot of extra hours on the job, and a lot of hard work. Several people I spoke to left Sony in the months after the hack. Others are finally readjusting. To them, the Sony hack was less of a geopolitical thriller and more of a workplace drama that ran too long.