Privacy matters: Sony hack leaked 47,000 Social Security numbers, celebrity data

Much of the data leaked in the Sony hack was stored in Microsoft Excel files without password protection. Documents leaked online include the personal information, salaries, and home addresses of employees and freelancers who worked at the studio, a data security analyst finds.

The security breach suffered by Sony Pictures Entertainment last month appears to have leaked far more personal information than previously believed, revealing the Social Security numbers of more than 47,000 celebrities, freelancers, and current and former Sony employees.

An analysis of 33,000 leaked SPE documents by data security software firm Identity Finder found the leaked files included the personal information, salaries, and home addresses for employees and freelancers who worked at the studio. Some of the celebrities include Sylvester Stallone, director Judd Apatow and Australian actress Rebel Wilson, according to the Wall Street Journal, which first reported on the analysis.

Other data identified as leaked to file-sharing networks after the breach include contracts, termination dates, termination reason, and other sensitive information, nearly all of which was stored in Microsoft Excel files without password protection, said Identity Finder CEO Todd Feinman.

SPE representatives did not respond to a request for comment.

The leak highlights the risk posed to large companies and organizations that store customer and employee information on computers attached to the Internet, Feinman said.

“This is a common theme of corporations today,” Feinman told CNET, ticking off a list of recent security breach victims including Target, Home Depot and P.F. Chang's. “They think they are protected by firewalls and perimeter security, but the border is becoming blurred, and attacks get through.”

Identity Finder said it discovered more than 1.1 million SSNs in the files, but that many were duplicates. Sony Entertainment co-chair Amy Pascal’s Social Security number was found in 104 separate locations, while Sony Entertainment CEO Michael Lynton’s was found in 93 files.

The discovery of multiple copies of data this sensitive on multiple employees’ computers or multiple times on a single employee’s computer is unusual and dramatically raises a company’s security risk, Feinman said.

“When you have multiple copies of this data, you are giving hackers multiple opportunities to steal sensitive information when they get through,” he said. “If Sony had reduced its sensitive data footprint by reducing the number of copies of data and reducing the number of employees with access to the data, we would have seen zero or only one file.”

The revelation amplifies the damage caused by the hack, which forced the film and TV arm of Japanese tech and media conglomerate Sony to shut down its network for more than a week. A hacking group calling itself Guardians of Peace claimed last week to have obtained Sony Pictures’ internal data, including its “secrets,” and said it would release the data to the public if its demands were not met, according to reports. It is unclear what the hacker group demanded.

Following this declaration, packs of files allegedly belonging to Sony Pictures found their way online. Data including passwords, Outlook mailboxes, personal employee data and copies of passports belonging to both actors and crews working on film projects have been released.

Several days later, Sony Pictures films not yet officially released were leaked online, including the titles “Still Alice,” “Annie,” “Mr. Turner” and “To Write Love On Her Arms.”

Since the November 24 attack on Sony’s network, investigators have been working to determine who was behind the hack. Sony is working with FireEye’s Mandiant forensic team to investigate the breach, along with the FBI, which issued a warning earlier this week that hackers are using malware to launch destructive attacks against businesses in the United States.

The company is said to suspect that hackers working on behalf of North Korea were behind the attack, according to Recode. The site speculated that the attack may be in response to Sony’s forthcoming film “The Interview,” a comedy due to be released next month starring Seth Rogen and James Franco as TV journalists who become embroiled in a plot to assassinate North Korean leader Kim Jong-Un.

http://www.cnet.com/news/sony-hack-said-to-leak-47000-social-security-numbers-celebrity-data/

One comment

  • Imagine what else is hacked and we don't even know about it. Now, a direct and private sharing method like Binfer could have prevented it.
