Last month, hackers infiltrated the computer network of Sony Pictures Entertainment, a major Hollywood movie studio. The attackers stole a huge number of confidential documents, which are now being downloaded (primarily by journalists) from file-sharing networks. Since then, journalists have been poring through the files looking for interesting revelations.
The hackers are widely believed to be backed by the North Korean government, which is furious at Sony for producing The Interview, a movie that depicts the assassination of North Korean leader Kim Jong Un. On Wednesday, a terrorism threat against theaters showing the film caused Sony to cancel its planned Christmas Day release.
Read on to learn how the hacks happened, who might be responsible, and what we've learned as a result.
What happened to Sony?
When Sony Pictures employees got into the office on Monday, November 24, they discovered that their corporate network had been hacked. The attackers took terabytes of private data, deleted the original copies from Sony computers, and left messages threatening to release the information if Sony didn't comply with the attackers' demands. Someone claiming to be a former Sony employee posted this screenshot, which (allegedly) shows the message that appeared on Sony employees' computer screens:
Sony's network was down for days as administrators struggled to repair the damage. Staff were reportedly forced to work on whiteboards to do their jobs.
But the greater damage was from all the confidential information that got leaked to the public. The hackers posted five Sony movies (four unreleased) to file-sharing networks. And they also leaked thousands of confidential documents — everything from private correspondence among Sony executives to salary and performance data about Sony employees. Those documents were password protected, and whoever is behind the hack provided said password only to journalists. But it's likely only a matter of time before they break out into the world at large.
As reporters have pored over the huge cache of documents, we've gotten a steady stream of minor scoops about potential movie projects (like a Spider-Man movie crossover), conflicts between Sony executives and Hollywood celebrities (one executive called actor Kevin Hart a "whore"), and the company's management practices (16 of the company's 17 top-paid executives are men).
Some people have blamed North Korea for the attacks. Were they responsible?
We don't know for sure, but it's looking increasingly likely that North Korea was behind the attacks. On Wednesday, multiple media organizations reported the US government has concluded that the regime was responsible.
And there is some other circumstantial evidence linking the attacks to the North Koreans. Forensic analysis has found that the methods used against Sony are similar to those used in a 2013 attack on South Korean companies. Some security experts suspect those attacks were carried out by North Koreans operating from China.
The reclusive nation was furious at Sony because the studio was about to release The Interview, a comedy in which Seth Rogen and James Franco play characters who attempt to assassinate North Korean leader Kim Jong Un.
A message claiming to be from the hackers demanded that Sony "stop immediately showing the movie of terrorism which can break the regional peace and cause the War." The hackers threatened to launch 9/11-style attacks against American movie theaters that showed the film.
And the terrorism threat got Sony to drop the film?
Yes, it did. Theaters became nervous about the possibility that the attackers — whoever they were — would follow through on the threats. Or, perhaps, that fears of terrorism would keep moviegoers away from the theaters. Either way, some theaters asked Sony for permission to drop the film from their lineups.
Sony relented on Tuesday, and several theater chains quickly announced they would no longer show The Interview on December 25. Then on Wednesday, Sony announced it was suspending the film's release altogether, citing the theaters' pullout for its decision. At this point, it appears the film may not get released at all.
What have we learned from the leaked Sony documents?
For the most part, we learned that running a big media company is kind of boring. Many of the documents focused on routine business activities, like the company's never-ending efforts to generate revenues from its vast collection of old movies like the forgettable 2001 film Saving Silverman.
We've learned that Sony sometimes pays high-profile men more than women for what appears to be similar work. Of the 17 Sony execs paid more than a million dollars, only one of them — Sony Pictures co-chair Amy Pascal — is a woman. Email correspondence also suggests that Jennifer Lawrence was paid less than her male co-stars for her role in American Hustle.
The Verge (a Vox Media sister site) uncovered documents revealing an effort by Hollywood movie studios to counter the lobbying agenda of Google, a company the movie industry refers to as "Goliath." Sony and its competitors are upset that Google hasn't done enough to crack down on infringing content in its search results, and that the company has lobbied against proposals like the 2012 Stop Online Piracy Act to beef up copyright protections.
The leaks have also provided rare insight into the profitability of Sony's movies. Ordinarily, the rate of return on Hollywood blockbusters is treated as a closely guarded secret. But the Hollywood Reporter dug into the Sony documents and discovered details about which 2013 movies wound up in the black once all revenue sources were taken into account.
The leaks also produced a lot of grist for the gossip mill. One executive called Angelina Jolie a "minimally talented spoiled brat." Another described actor Kevin Hart as a "whore." Multiple Sony employees bashed the "formulaic" Adam Sandler films the company has produced.
Some of these revelations are obviously embarrassing to the individuals involved. But they don't seem to prove very much about the company as a whole. Presumably, a document dump from another studio would reveal the same kind of executive trash-talk and low-level dissatisfaction.
Is it ethical for journalists to be digging through stolen Sony documents and reporting on their contents?
People disagree about this.
The attack on Sony's network was clearly illegal and unethical. Some people are concerned that by reporting on the contents of these documents, journalists are profiting from — and maybe even aiding in — the hackers' efforts to embarrass Sony. In a December op-ed in the New York Times, screenwriter Aaron Sorkin excoriated the media for doing the hackers' dirty work for them.
Yet others note that once the documents have been posted online, the genie is out of the bottle. Any single news organization refusing to report on their contents may only delay the inevitable.
Moreover, much of journalism involves revealing secrets that powerful people or institutions tried to keep secret. Often that involves getting sources to share information they aren't authorized to share. And some of the Sony revelations — like those related to Sony's gender-unbalanced executive compensation and Hollywood's war on Google — have genuine news value.
Ultimately, then, the question is less about whether to report on the documents than how much to report. Some information — like, say, the Social Security numbers of Sony employees — is clearly out of bounds. But most news organizations have concluded at least some of the revelations in the Sony leak are fair game for reporters.
Is it legal for media organizations to use stolen documents in their reporting?
In a strongly worded December 14 letter, Sony demanded that media organizations stop reporting on the leaked documents and delete any copies in their possession.
But legally, Sony probably can't force media organizations to comply with its request. In a 2001 decision, the Supreme Court ruled that a radio station couldn't be held responsible for broadcasting the contents of newsworthy audio recordings — even if the recordings were originally made in violation of wiretapping laws. The same principle seems to apply to the leaked documents. As long as a news organization didn't participate in the Sony attack itself, it has a First Amendment right to report on newsworthy information it finds in the documents.
Does Sony have a security problem?
Notably, this is not the first time Sony has been targeted by hackers, and it might not even be the most damaging incident.
In 2011, Sony's PlayStation network was attacked by hackers who stole personal information about millions of PlayStation gamers and took the network down for weeks. This attack was motivated by anger about Sony's lawsuit against an American hacker who attempted to reverse-engineer the PlayStation 3 to allow users to play third-party games not authorized by Sony.
Critics have argued that Sony has taken a lax approach to online security. They pointed out, for example, that the company laid off two security workers just weeks before the 2011 attacks.
And security expert Chester Wisniewski told Gizmodo that the hackers' efforts in 2011 were made easier by Sony's flat-footed response. They'd exploit a vulnerability in one Sony office, then use the same attack days later in another part of the world. "The crooks were able to attack the same thing because Sony Pictures wasn't going out and fixing it," Wisniewski said.
Last month's attack makes it clear that Sony still hasn't fully locked down its network. Yet it's hard to know whether this means that Sony has particularly lax security practices — or if it just happens to be the favorite target of hackers. Hardening a corporate network as large as Sony's is really difficult, and even a company that takes every precaution may still be vulnerable to a sufficiently determined and talented attacker.
That's the view of Joseph Demarest, an official with the FBI's Cyber Division. In his view, "the level of sophistication" of last month's attack was "extremely high." He believes that "the malware that was used would have slipped or probably gotten past 90% of Net defenses that are out there today."
What are the lessons of the Sony attack?
First and foremost, lots of companies should be investing more in network security. Companies like Sony tend to under-invest in locking down their networks because it seems like a needless expense until disaster strikes. Cleaning up the mess from this latest attack will cost Sony millions; hopefully that will inspire other large companies to hire additional security experts.
Second, companies should make sure they're well-prepared to respond to attacks. For example, making regular backups can allow a company to recover in the event that hackers delete important data.
Finally, corporate executives should bear in mind that their decisions might be unexpectedly exposed to the light of day. If you're a senior executive at a big company, it's a good idea to avoid sending overly embarrassing emails or having embarrassingly lopsided pay scales.
What happens next?
The FBI is still investigating. In the past, the perpetrators of major attacks have often been apprehended.
Meanwhile, journalists will continue to pore through the leaked documents. A huge amount of data has been released already, and much of it hasn't been carefully analyzed. There might be more data coming out in the future. We don't know if any major scoops are still hidden in that vast haystack.
Update: Since this article was published, I've added information about the "movie of terrorism" message, Aaron Sorkin's New York Times op-ed, and Sony's call for journalists to delete the stolen files. I've also changed the article to reflect growing evidence that North Korea was behind the attacks.