Hollywood is reeling from the entertainment industry equivalent of WikiLeaks — leaving the entire town on high alert.
For the past two weeks, Sony Pictures Entertainment has been battered by a treacherous cyber-attack that has exposed the studio’s and its workforce’s most closely guarded secrets.
Top executive and star salaries, production costs, current and former employee Social Security numbers and home addresses, as well as other confidential documents have been laid bare, fueling a public relations nightmare that continues to metastasize as daily revelations leak.
The situation escalated significantly Dec. 5 from an embarrassing misfortune to a dangerous act of personal terrorism after employees at the Japanese-owned studio were sent an email by a group calling itself the Guardians of Peace that threatened staff and their families. Three days later, another missive came from the GOP that denied having sent the first email and demanded that Sony “Stop immediately showing the movie of terrorism which can break the regional peace and cause the War!”
The movie is almost certainly Sony’s upcoming comedy “The Interview,” about two tabloid TV journalists recruited to assassinate North Korea’s supreme leader, Kim Jong-un. The nation’s officials have sharply criticized the movie, and the Dec. 8 email from the GOP said that it had demanded Sony spike the film from the start, an ultimatum studio insiders deny having received.
Insiders say the studio might alter the film’s release plan if the company determines that the threats are credible or people are in danger.
The sophistication and depth of the assault has sent waves of panic across every sector of an industry that prides itself on Kremlin-like control of its internal information. These digital attackers have transformed an iron curtain into one made of gossamer, leaving all of Hollywood’s top brass as well as rank-and-file feeling angry, fearful and vulnerable.
“It’s an aggressive attack — as aggressive as any I’ve ever seen, short of a bombing,” says veteran producer Doug Wick. “If show business is high school with money, then this is the ultimate Facebook thing of someone trying to malign and destroy.”
The culprit behind this wave of hack attacks has yet to be unmasked, and though North Korea has denied involvement, there is speculation the attack could be linked to supporters of that government — or even that it could yet be an inside job by a disgruntled Sony employee, though that prospect seems to be getting more distant by the day.
Tom Kellerman, chief cybersecurity officer for Trend Micro, says he’ll wait for the results of an FBI investigation, but argues that many elements of the attack suggest North Korea is involved in some capacity. “This adversary had been hunting them for a while,” he says.
On Dec. 7, Bloomberg reported that the attacks were launched in Thailand from the St. Regis Bangkok hotel and from a Thai university and are connected to a hacking group called DarkSeoul with suspected links to North Korea.
No matter the source, the GOP has released information on the compensation packages of Sony’s senior management team, including Sony Entertainment CEO Michael Lynton and Sony Pictures Entertainment co-chairman Amy Pascal.
They’ve revealed the line-by-line cost of “The Interview” along with the salaries of its stars, Seth Rogen and James Franco. And they’ve disseminated pirated copies online of five studio films: “Annie,” “Still Alice,” “To Write Love on Her Arms” and “Mr. Turner,” which have yet to be released, and “Fury,” which is in the market.
Preventing any future security breach is of paramount importance to Sony and its rivals. The amount of personal data being shared and stored by entertainment companies continues to increase, putting not only employees at risk, but also the actors, directors and production teams with whom they do business.
“There are no quick fixes,” notes Ron Gula, CEO of cybersecurity firm Tenable Network Security. “There’s no self-destruct button for the data that’s leaked out.”
“The price of technology and the development of technological magic is that we don’t often think of all the downsides,” says Sidney Sheinberg, former president of MCA/Universal. “I don’t get the feeling that there’s any protective methodology being developed just around the corner.”
The attack will end up costing Sony tens of millions to shore up security, pay for identity protection and legally pursue the culprits. In the wake of the attack, Sony hired security consulting firm Mandiant, and began working closely with the FBI. The studio did have insurance, which will help pay for some of the cleanup, according to an individual close to Sony, but the forensic investigation into who is behind the attack could take six months or longer to complete, experts say.
“You basically have to perform a crime scene investigation on every single device at the studio,” explains Joe Loomis, CEO of online security firm CyberSponse.
Loomis adds that not only will Sony have to rebuild and strengthen its security system — something that could take months — it also will need to educate its employees to be more attuned to phishing and other threats. “One employee making one mistake can take down an entire company,” he cautions.
Joseph Menn, an investigative reporter for the Financial Times and author of the book “Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet,” tells Variety that Sony should have gone to greater lengths to encrypt its most sensitive information.
That said, Sony’s not alone. Every other studio has begun to assess its own digital networks and to tap outside consultants, sources tell Variety.
Phoenix Pictures chief Mike Medavoy, who formerly ran Sony’s TriStar Pictures, says the hacking at Sony is a wake-up call in that it underlines how vulnerable studios, government installations such as the Pentagon and other companies are to losing control of their internal information.
“Welcome to the brave new world,” he says. “It’s pretty evident that all information is open to everybody.”
Another negative impact on Sony from the hack attack is the loss of competitive advantage incurred by having its otherwise confidential budgets, salaries and other information known by rival studios and TV networks, talent representatives, lawyers and executives. One former Sony executive told Variety that he was mortified when a news outlet divulged how much money he was making.
The leaks come as Sony had just been starting to recover from a bruising fight with activist shareholder Daniel Loeb, who flambeed the studio for its film flops. As a result, Sony underwent months of layoffs, and had just begun to get its confidence back, aligning itself with top talent such as former Warner Bros. film chief Jeff Robinov and former 20th Century Fox film topper Tom Rothman, when the attacks hit. The exposure of salaries and thousands of dollars in perks to stars like Rogen and Franco arrived as Sony had pledged to tighten its belt and keep stricter control of costs.
The information also has inspired articles and think pieces about the disparity in pay among men and women, and the lack of racial diversity in the executive suite, at Sony and across the industry.
“It’s an embarrassment for a studio under pressure, and it’s going to put a lot of executives on the defensive,” says industry biz consultant Seth Willenson.
There is a sense that no matter the hacker, the control that studios, movie stars and their scores of handlers once exerted may no longer be possible in an age of malware and phishing assaults.
“The Internet is fantastic in many ways, but this is the dark side of it,” suggests former Hollywood executive Joe Pichirallo, now chair of NYU’s undergraduate film and television program. “That level of privacy invasion is abhorrent.”
Dave McNary contributed to this report.