Sony hack leaked 47,000 Social Security numbers, celebrity data

Documents leaked online include the personal information, salaries and home addresses for employees and freelancers who worked at the studio, a data security analyst finds.

Steven Musil Night Editor / News

Much of the data leaked from the Sony hack was stored in Microsoft Excel files without password protection.

The security breach suffered by Sony Pictures Entertainment last month appears to have leaked far more personal information than previously believed, revealing the US Social Security numbers of more than 47,000 celebrities, freelancers, and current and former Sony employees.

An analysis of 33,000 leaked Sony Pictures documents by data security software firm Identity Finder showed that the leaked files included the personal information, salaries and home addresses for employees and freelancers who worked at the studio. Some of the celebrities include Sylvester Stallone, director Judd Apatow and Australian actress Rebel Wilson, according to the Wall Street Journal, which first reported on the analysis.

Other data identified as leaked to file-sharing networks after the breach include contracts, termination dates, termination reasons, and other sensitive information, nearly all of which was stored in Microsoft Excel files without password protection, said Identity Finder CEO Todd Feinman.

Sony Pictures representatives did not respond to a request for comment.

The leak highlights the risk posed to large companies and organizations that store customer and employee information on computers attached to the Internet, Feinman said.

"This is a common theme of corporations today," Feinman told CNET, ticking off a list of recent security breach victims including Target, Home Depot and P.F. Chang's. "They think they are protected by firewalls and perimeter security, but the border is becoming blurred, and attacks get through."

Identity Finder said it discovered more than 1.1 million Social Security numbers in the files, but that many were duplicates. (The SSN is the identifier the US uses to track a person's taxes and social welfare benefits.) Sony Entertainment co-chair Amy Pascal's SSN was found in 104 separate locations, while Sony Entertainment CEO Michael Lynton's was found in 93 files.

The discovery of multiple copies of data this sensitive on multiple employees' computers or multiple times on a single employee's computer is unusual and dramatically raises a company's security risk, Feinman said.

"When you have multiple copies of this data, you are giving hackers multiple opportunities to steal sensitive information when they get through," he said. "If Sony had reduced its sensitive data footprint by reducing the number of copies of data and reducing the number of employees with access to the data, we would have seen zero or only one file."
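The gap between total hits and distinct numbers that the analysis reports is what a sensitive-data footprint scan measures. The sketch below is an added example, not Identity Finder's software or anything from the article; the file names, contents and SSN values are constructed, and it assumes the documents have already been extracted to text.

```python
import re
from collections import Counter, defaultdict

# 9 digits, either fully dashed (NNN-NN-NNNN) or undashed, and not part of
# a longer digit/dash run. Undashed matches are only candidates: any
# 9-digit number that passes the range checks will be reported.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})(-?)(\d{2})\2(\d{4})(?![\d-])")

def is_plausible_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def ssn_footprint(documents):
    """Return (files per SSN, hit count per SSN) for {name: text} input."""
    files = defaultdict(set)
    hits = Counter()
    for name, text in documents.items():
        for area, _sep, group, serial in SSN_RE.findall(text):
            if is_plausible_ssn(area, group, serial):
                ssn = area + group + serial
                files[ssn].add(name)
                hits[ssn] += 1
    return files, hits

def summarize(documents):
    """Report distinct SSNs, total hits, and the most widely copied ones."""
    files, hits = ssn_footprint(documents)
    # Mask values in the report so the scan output is not itself a new copy.
    spread = sorted(((f"***-**-{s[-4:]}", len(f)) for s, f in files.items()),
                    key=lambda item: -item[1])
    return {"distinct": len(files), "occurrences": sum(hits.values()),
            "files_per_ssn": spread}

# Constructed sample corpus (not real data).
SAMPLE_DOCS = {
    "hr/salaries_2014.csv": "A. Example,123-45-6789,85000\n"
                            "B. Sample,234-56-7890,91000\n",
    "hr/terminations.csv": "A. Example,123456789,2014-03-01\n",
    "desktop/copy of salaries.csv": "A. Example,123-45-6789,85000\n"
                                    "ref 000-12-3456\n",
    "finance/invoice.txt": "Order 9876543210 phone 555-12-34567\n",
}

if __name__ == "__main__":
    print(summarize(SAMPLE_DOCS))
```

Any entry in `files_per_ssn` with a count above one is a candidate for consolidation or deletion.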

The revelation amplifies the damage caused by the hack, which forced the film and TV arm of Japanese tech and media conglomerate Sony to shut down its network for more than a week. A hacking group calling itself Guardians of Peace claimed last week to have obtained Sony Pictures' internal data, including its "secrets," and said it would release the data to the public if its demands were not met, according to reports. It is unclear what the hacker group demanded.

Following this declaration, packs of files allegedly belonging to Sony Pictures found their way online. Data including passwords, Outlook mailboxes, personal employee data and copies of passports belonging to both actors and crews working on film projects have been released.

Several days later, Sony Pictures films not yet officially released were leaked online, including the movies "Still Alice," "Annie," "Mr. Turner" and "To Write Love On Her Arms."

Since the November 24 attack on Sony's network, investigators have been working to determine who was behind the hack. Sony is working with FireEye's Mandiant forensic team to investigate the breach, along with the FBI, which issued a warning earlier this week that hackers are using malware to launch destructive attacks against businesses in the US.

The company is said to suspect that hackers working on behalf of North Korea were behind the attack, according to Recode. The site speculated that the attack may be in response to Sony's forthcoming film "The Interview," a comedy due to be released next month starring Seth Rogen and James Franco as TV journalists who become embroiled in a plot to assassinate North Korean leader Kim Jong-Un.