An employee of Sony Pictures Entertainment outlines what they went through following North Korea’s alleged cyber attack on the company.
An employee* in the Los Angeles office of Sony Pictures Entertainment SNE 0.05% opened up to Fortune about the personal ordeal they went through following revelations of North Korea’s alleged cyber attack on the company. What follows is their words, condensed and edited for clarity.
The Monday before Thanksgiving, we all came to work. Some people had turned on their computers and were working. At around 8:15 a.m., that black screen of death came on.
They shut down the entire network. We couldn’t really work the rest of the week, which seemed OK because it was a holiday week. But as Tuesday and Wednesday progressed, it became clear that this wasn’t a simple hack.
Over Thanksgiving, I joked about it. We all thought it might take a while to get our work life back—files, things we have to do before the end of the year.
It wasn’t until Monday or Tuesday of the following week when we realized the extent of it. That’s when we got word that it might take weeks to get back up. Things became more clear when it was revealed what information was released. Around Wednesday or Thursday, people started saying: call your bank, change your passwords, set up a new checking account.
I was completely irate. Once it got personal, it was just, are you kidding me? Seeing the faces of colleagues with families—they’re worried about their life savings, their retirement funds, their kids.
And the blogs were the ones giving us all the information. We got more information from blogs and websites than we did from Michael [Lynton, CEO of Sony Pictures Entertainment] and Amy [Pascal, co-chair of Sony Pictures Entertainment].
The company provided us with All Clear ID, which is a security monitoring firm, but some people said that LifeLock was the way to go, and I decided to get it. There’s a reason you pay [$29.99 a month] for it.
That weekend, I set up alerts on all my bank accounts and credit cards. I get a text message about every transaction, and the [smartphone] apps send me notifications on my home screen anytime there’s a charge.
I changed every single password. Five for banking and credit cards. Then for my 401(k), health insurance, three email accounts, and Facebook. I changed them for Amazon, eBay, PayPal, and other shopping sites. In all, it was probably 25 to 30.
A few days later, we were on loaner laptops, pen and paper, recreating PowerPoints, re-creating databases. All the things you’d need when you’re working on any kind of business deal. Word documents, contracts, PDFs. We chugged along. We did as much as we could. But there were certain days that people had to leave the office to do what they had to do personally.
Going forward, I want to know that I won’t get a random $500 charge. I decided that I’m never going to access any of my financial accounts on my work computer ever again. If I need to do something urgently, I’ll use my smartphone, or I’ll go home and do it. It’s not worth the risk.
Some people have gone a little overboard, changing their passports and things like that. For me, money and keeping my finances secure is most important.
It’s taken a toll, mentally—do I have to worry about someone getting a random medical procedure with my benefits? And there’s the frustration at the way the top top brass handled the situation. Why didn’t they provide more for the employees? Why didn’t they bring in security consultants?
You read all these reports about morale being low. I wouldn’t say it’s low. You chug along. But it is like, wow, you always have to look over your shoulder. This is forever.
*The employee’s name has been withheld due to the sensitivity of the ongoing situation.
As someone in cyber security, I know there’s only so much I can do and the rest is on the part of my banks, services, etc. For any online banking or shopping I NEVER use a smartphone, I only use my computer running Fedora Linux and Google Chrome browser configured for minimal tracking and network traffic – and I only enter credit card info into known websites that I’ve verified are equipped with a patched SSL/TLS server (HTTPS). On Windows I run the White Hat Aviator browser. I NEVER email a credit card number – I had a corporate card stolen that way when my admin emailed the number to a hotel. Your passwords should be intentionally long and complex – and unique to each site – but there are techniques that can also make them easy to remember without resorting to management services. I use two-factor authentication when available.
Sadly we in the US are still using magnetic strips and not chipped credit cards (which you should request from your credit card company anyway). I always point it out at registers – I try not to sound naggy but my goal is to increase awareness – and sometimes I ask store managers to look into it.
And yes, even as someone who knows the techniques well, I have been hacked. My other tip is to always have a backup plan, such as carrying a list of phone numbers for your banks/credit cards at minimum.
Good luck and have a secure new year! Nice blog, Sherman!