If you've just been skimming headlines, you might think the Sony hack was a celebrity-gossip story: What rude name did Scott Rudin call Angelina Jolie? Which star is slamming the studio? (We did some of this, too.) But beyond the famous-people name-calling, there's a bigger story: the 15,000 regular people whose lives were shattered by the hack. The salary information, healthcare records, criminal-background checks, expense reports, and performance reviews of thousands of current and former employees are out on the web — alongside every rude email or bitchy chat they ever wrote.
Yesterday, the story blew up again with news that Sony outright canceled the theatrical release of "The Interview" (the Kim Jong-un assassination movie that's allegedly prompted the hack). While that's upsetting to a lot of A-listers, it obscures how difficult the last few weeks have been for Sony’s current and former employees whose personal details are now out in the open. People like Kate, a former employee we spoke to about the nightmare her life has been these past weeks. (We're keeping her anonymous at her request.)
What keeps her up at night? She’s worried about what her current employer could do with this information: Could her boss suddenly develop a prejudice against her because of something in an old performance evaluation? Could she be denied a promotion because of a health problem that might affect her work? Will she never again have the leverage to negotiate a pay package because her salary history is now public? Then there’s her Social Security number, her bank-account information, and all her passwords. The consequences of this data breach on her life are enormous. “I’ve changed the locks in my house,” she tells me. “They have my address and my identity. You just have no idea what the wrong person could do with that information.”
Kate resigned from Sony six months ago for a new job. She first found out about the hack from several close friends who still work on the Sony lot. At first, the whole thing seemed like a hilarious pre-Thanksgiving prank. “A former colleague of mine sent me a screenshot of his computer,” she recalls. “It looked like his desktop had been taken over by a skeleton from a terrible, low-budget '80s horror film.” That bizarre graphic was the first sign that Sony’s digital systems had been breached, but it was hard to take seriously. “We all thought it was funny in a WTF kind of way,” she says.
As Kate discovered, along with the rest of the world, it was not a joke. As current and former Sony employees watch this epic crisis unfold, many are not surprised by what has happened. Kate worked in Sony’s digital division, where the company’s poor security practices were a running joke among her colleagues. “When we heard about the breach, there were a lot of us who thought, Of course this happened,” she says. Back in 2011, when Kate was still an employee, Sony was hacked and did little to beef up the company’s security systems afterwards.
Kate tells me that all digital work produced in her department was supposed to be scanned by Sony’s information-security team, but that team was so underfunded and understaffed that projects would get permanently stuck in the queue and eventually have to launch without internal checks. The bulk of the IT department was outsourced, so when Kate had a problem she would have to call a help desk that was located overseas. “It was very obvious to us that the company had not invested in security,” Kate says. “The joke was that the security team was as bad as the TSA: They were asking us to fill out all these forms, but we knew they weren’t doing anything with them.”
Kate and her former colleagues are angry about how Sony has put them at risk by not better securing its servers. And they’re not alone. On Monday, two former Sony employees (unrelated to Kate) filed a lawsuit detailing how the company had repeatedly ignored warnings about how vulnerable its data was and is squarely to blame for what unfolded. The document reads, “An epic nightmare, much better suited to a cinematic thriller than to real life, is unfolding in slow motion for Sony’s current and former employees. Their most sensitive data, including over 47,000 Social Security numbers, employment files including salaries, medical information, and anything else that their employer Sony touched, has been leaked to the public, and may even be in the hands of criminals.”
For Kate, that is a reality she is grappling with every day. In the aftermath of the attacks, Sony did not proactively reach out to former employees to help them, so Kate has spent hours trying to contact her former employer for help or information. (Sony has since offered identity-theft coverage to former employees and their families, but Kate has bought extra protection because she felt the package provided to her was inadequate.) “Someone out there could be creating a false identity to get employment as me or commit a crime in my name,” Kate tells me. She has access to a service that pings her when her information shows up on the digital black market; it already has. “I had to file a report with the Culver City Police, but they were reluctant to let me because they were tired of all the people coming in to do the same thing. I’ve had to change all of the passwords and get new bank-account and credit card numbers. All of this takes time and emotional energy,” she says.
As Kate shares her story, I can’t help but think of every stupid email I’ve ever sent at work. Sinking into the comfort and familiarity of my desk, how often do I let my guard down and forget that everything that I type is saved on a server somewhere, ready for the stealing? What would happen if the inside jokes my colleagues and I quickly rattle off on our group-email chains somehow saw the light of day: How racist, sexist, or mean would we look? Would it kill my reputation and make it hard for me to find another job? And if Sony, a company with plenty of valuable digital assets to protect, had such shoddy security practices, I wonder what my employers have done to keep my data safe. What I do know for sure is that another hack is likely just around the corner — maybe even being planned as I write this — and I can only hope that I’m not the next Kate.