Sony Hack May Reveal Sensitive Imageworks VFX Info

[Screenshot: Screen Shot 2014-12-02 at 7.06.05 PM]

Just arrived back to the US after a trip to Australia and as many of you know, there was quite a big story concerning a data security breach at Sony Pictures. A text file was released containing a huge list of the names of files the hackers claimed to have, and it seemed to be pretty legitimate. Names of various employees over the years were in the file (including mine, as I was a former Imageworks employee).

I’m not posting the file but you could probably ask around and get a copy. Anyone with simple Linux skills can grep through the file to search the file names. If we are to assume the file names describe what kind of information is in there, then the data breach is incredibly serious: personal and private information for Sony Pictures employees concerning immigration, payroll, social security, deal memos, evaluations, and so on is included.

Even sensitive corporate information is in the list of files, which reaches about 40 million by my count. Over 5000 files refer to the term tax credits. Over 10000 files refer to the term Imageworks. Those files include meeting notes, executive PowerPoint decks, and all kinds of financial information.

The question is whether the hackers really have the files in question. It sure seems like it: today it was revealed that 25GB of data is being shared by the hackers and it includes compensation info of Sony employees. The hackers are also claiming they have TBs more of information. All I’ve heard that Sony is doing in the face of this so far is offering current employees free identity theft protection services for one year. Not sure if former employees are getting the same. I’ve posted the email sent to employees above.

Soldier On.

29 Responses to Sony Hack May Reveal Sensitive Imageworks VFX Info

  1. ScrewedSPI says:

    I worked at SPI, they did get a lot if not everyone’s info, I just found out all my info including Social is in the zip file you can download.

    What Happens When There Is a Data Breach?

    Most states have laws requiring companies to immediately tell customers in writing about a data breach. In some states such as California, you may be able to sue if your information is compromised.

    If you receive a breach notification letter, here are some tips:

    Find out more information. Call the hotline in the letter and ask exactly what information has been compromised, how long ago, and the steps the company has taken to control damage
    If just your credit-card number has been exposed, close the account and order a new card
    If your Social Security number has been exposed, place a fraud alert on your credit reports with each credit bureau. It’s also smart to check your credit report every few months to make sure no fraudulent accounts have been opened in your name

  2. jojo99@gmail.com says:

    First, I’m sure we all expect at the very least a public apology from Sony for how badly they screwed up, then I think it’s only fair if they report identity theft for all past employees. They have plenty of lawyers and HR people to do that job.

  3. animcoop says:

    Not to mention that the top SPE execs salaries have also been identified and highlighted:

    http://fusion.net/story/30886/why-the-sony-pictures-salary-list-should-be-public/

    Osher is on the list, bringing in nearly 4.8 million each year with base+bonus. It’s good to know gutting your domestic workforce has some consequences.

    • b says:

      He also gets a car allowance. A CAR ALLOWANCE. His 1.3 mil base salary plus the rest in bonuses doesn’t cover how expensive his car is after laying off people at Imageworks who did not want to move to Vancouver.

  4. Hey Everyone,
    A number of facts released are incorrect. I have obtained a full download of the data. The amount of data is enormous. I counted more than 12,000+ employee SSN’s in the 401k directory. So anyone who currently still has an active 401k with Sony is pretty much on this list. The list is named: 01.03.14 Active Report.xlsx and has a monthly report as recent as September 2014.

    Also the amount of data is about 36GB of data when unzipped. Quickly sifting through the data it appears to contain much more than just SSN’s.

    Here is a brief list of the things I found:
    * SSN’s with last salary, this one is disturbing because all the data necessary to steal someone’s identity is nicely packed in a single Excel spreadsheet (the one mentioned above)
    * Passport information for International employees
    * Offer letters (dating as far back as at least 6 years maybe further), this data appears to be in the text file list but I was unable to see it within the full data download for the actual data. However, regardless of whether they have this information, the data copy I was able to get is more than enough to do damage to individuals.

    I have posted on the Sony employees only group via LinkedIn. But I would like to make sure people understand this is not a normal hack. This clearly had insider knowledge of the data. The amount of data obtained is more than 36GB. Based on what posts I have seen I estimated the data around 80GB (could be more). What is more disturbing, and I am not sure if it’s true or not: the way the data is structured it appears to have all been possibly stored on one server. This may mean all it would take is one employee to walk up to that server with an external drive and simply copy the data. This would only take about 30 min or so if someone knows where to look.

    Based on what I just said. This data should have “never” been together. Normally companies have secure databases that cost millions to maintain. And HR in particular is told never to store this type of information in a single spreadsheet. Especially on a computer accessible from the outside world. Additionally the machines containing the data should have at least a 2-factor authentication system to protect the most sensitive data.

    All in all, this was a bad thing and the people hurt the most are the employees in the immediate sense. In the long term, I fully expect to see class-action suits being started. Anyone with a little bit of computer knowledge can search for the Sony data online. I do urge anyone that obtains the data please keep it to yourself as this data can and will be used as evidence in any lawsuits.

    Also note that you may be signing up for being investigated if you obtain a copy (though I feel since it’s publicly available I am not so sure you will be).

    Last note, be sure to cancel all credit cards, flag your credit through the various credit agencies, and for internationals I would suggest contacting your embassy and asking for advisement as your international papers may have been compromised.

  5. Joan Collins says:

    As no former Sony employee has been immediately contacted, we are stuck with using our “own judgement” to review our own credit report every other month.

    The bigger question is whether all Digital Producers must now have insurance policies that cover Hack-Attacks.

    If Sony’s attack is proven to be from outside of the country, and an act of terror, then how are the losses recouped?

    If the Hack-Attack came from some talented disgruntled California hackers, … who covers those losses? Not just the losses from the freely distributed movies in advance and lost ticket sales, but potential damage to the thousands of innocent past employees!
    Insurance policies anyone?

    • vfxdesignkuntekinte says:

      True there is insurance. Should at least cover credit lock or similar service. This is ridiculous. My guess is they are working on it from a complicated legal perspective and will eventually send out a letter to all former employees. Now they’ve got a 2nd job on their hands. Poor bastards. LOL

  6. Carolyn says:

    Needless to say, this news is completely unnerving. I worked at Sony from 2000-2009 and am very concerned that my social security number may have been exposed. Does anyone know how I can check if my personal information was compromised?

    I’m equally disturbed that I’ve not been contacted in any way by Imageworks. Is there anything we can do?

    • SPInsider says:

      There’s no point in wondering, you can be pretty sure that it was in there.

      While I’ve not seen all of the data like GeekTalkerTom, I’ve grepped the main lists of files for dozens of names of people who’ve worked at Imageworks and not once did it fail to return a handful of documents with their name on it.

      Anyone who set foot in that building over the last 10 years is probably in that list.

      • Carolyn says:

        You’re right SPInsider. Worrying is futile – logic tells me my information is compromised. Maybe a better question is how did you guys get a copy of the data? Or how were you able to grep the files?

      • SPInsider says:

        @Carolyn, an un-anonymous source shared a private drop-box link to a virus/malware checked version of the SPEdata.zip file. I won’t share their private link publicly, but you can find SPEdata.zip pretty easily if you google for it.

        SPEdata.zip merely contains two plain-text lists of files (not files themselves). To give you an idea of how many files they are, the two lists alone are over 200MB COMPRESSED.

        If you get access to the files (list1.txt & list2.txt) you can grep through them on any unix terminal by simply cd-ing into the directory and running the following:

        grep -i lastname list1.txt | grep -i firstname.txt

        Hope that helps.

      • Carolyn says:

        Thanks guys. I just finished doing a credit freeze with all 3 agencies:
        https://www.experian.com/freeze/center.html
        https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
        https://freeze.transunion.com/sf/securityFreeze/landingPage.jsp

        it cost me $10 each but that seems like a small price to pay. I’m also considering getting Amex’s Credit Secure monitoring.

        I have to admit I’m happy that I’m subscribed to this blog! I had not heard about this until Daniel posted yesterday.

        Thanks for the tips SPInsider! I can see the file exists in quite a few places. Are there any sites that you know of that I should avoid? I don’t want to download a virus or something malicious.

        C.

      • SPInsider says:

        @Carolyn: I should also note, again, it’s just a list. So the only data returned will be FILES that exist with your name on them, not the contents of the files. But you’ll surely find a handful of files with your name on them (most likely deal memos and such)

      • SPInsider says:

        Whoops,
        grep -i lastname list1.txt | grep -i firstname.txt

        should have been
        grep -i lastname list1.txt | grep -i firstname

        But I assume most people on this site know how to grep.
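A scripted version of the corrected name search above, as an added example that is not part of the original thread: it applies the same case-insensitive two-term grep to the leaked file-name lists, treats both name parts as fixed strings rather than regexes, and returns a count per name. The list files are assumed to be plain text, one path per line, as SPInsider describes; the sample list in the script is constructed, not real leaked data.

```shell
#!/bin/sh
# Added example (not from the original post). Count how many entries of the
# leaked file-name lists (list1.txt / list2.txt) contain BOTH parts of a name,
# in any order, case-insensitively. -F makes the name a fixed string so that
# dots or parentheses in a name are not treated as regex metacharacters, and
# the second grep reads from the pipe: the name is a pattern, not a file, which
# is the mistake in the "firstname.txt" version of the pipeline in the thread.
set -eu

# Usage: count_name_hits LASTNAME FIRSTNAME LIST... ; prints the match count.
count_name_hits() {
    last=$1; first=$2; shift 2
    # grep -c exits 1 when the count is 0, so || true keeps set -e from
    # aborting the script on a name that simply is not in the list.
    cat "$@" | grep -iF -- "$last" | grep -icF -- "$first" || true
}

# Constructed sample list (no real leaked data), written to the given path.
write_sample_list() {
    cat >"$1" <<'EOF'
HR/Deal Memos/Doe_Jane_deal_memo_2009.pdf
HR/Offer Letters/DOE, JANE offer 2007.doc
Finance/Tax Credits/BC_film_credit_summary.xlsx
HR/Evaluations/smith_john_2012.docx
Imageworks/Meeting Notes/2013-04 staffing.pptx
EOF
}

SAMPLE=$(mktemp)
write_sample_list "$SAMPLE"
count_name_hits doe jane "$SAMPLE"     # 2 (both spellings of the name)
count_name_hits smith john "$SAMPLE"   # 1
count_name_hits smith jane "$SAMPLE"   # 0 (each term must appear on the line)
```

Replace the sample path with list1.txt list2.txt to search both real lists in one run.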

    • John says:

      Is this the first time so many prominent, highly paid people got exposed with EVERYTHING? When Target or Home Depot got hacked, social security numbers were safe…
      Now anyone can try to open accounts using those IDs. Great times… NOT…

  7. John says:

    BTW, freeze your credit reports people asap. There is no other working way of defending yourself.

  8. MadBadAndDangerousToKnow says:

    These are strange days indeed. This is to anyone who may know: I applied to a couple positions at SPI in 2011 and later in 2013-2014, with the second one being for Vancouver position. Are any of the items of personal info ones that came from an application for employment? The second time I applied, the process went quite far and I did furnish personal info that included my SS, DOB, etc. Did any of the info that was released include job applicant info?

  9. Just to give an update. I only searched for my data within the data I was able to obtain. After that I did a purge of the data using software that shreds the data (lots out there, just check Google if you are interested). I wanted to confirm what was obtained so that I can protect myself. Once I saw my information in several files (one with more than 10,000 employees) I was more than disturbed by what they had.

    I also wanted to correct my original statement. I only obtained the first wave of data that was released containing the “HR” folder and a few other folders. The most damaging is the contents of the HR folder.

  10. bobby says:

    “I also wanted to correct my original statement. I only obtained the first wave of data that was released containing the “HR” folder and a few other folders. The most damaging is the contents of the HR folder.” Yes.

  11. Anonimous says:

    And it seems that it already happened 9 days ago !!!

  12. N.N. says:

    Fuck celebrity privacy. They don’t deserve it.
