A cyber-invasion brought Sony Pictures to its knees and terrified corporate America. The story of what really happened—and why Sony should have seen it coming. A special three-part investigation.
Part 3: The cyberbomb is detonated
“Pay the damage, or Sony Pictures will be bombarded.”
From the outset, the management and employees at Sony Pictures didn’t have a clue as to what hit them—or what was on the way. The studio’s initial public comment on Nov. 24 was a marvel of understatement: “We are investigating an IT matter.”
The invaders had spelled out their intentions in the scrolling text that accompanied the scarlet skeleton. “Hacked By #GOP,” it read. “We’ve already warned you, and this is just a beginning. We continue till our request be met. We’ve obtained all your internal data including your secrets and top secrets. If you don’t obey us, we’ll release data shown below to the world.”
Exactly what “obey us” meant wasn’t clear. The initial message from the hackers, who later identified themselves in emails to selected reporters as the “Guardians of Peace,” also praised another group: “Thanks a lot to God’sApstls contributing your great effort to peace of the world.”
As it turned out, “God’sApstls” had emailed Lynton, Pascal, and three other Sony (SNE) executives three days before the attack, demanding a payoff. “We’ve got great damage by Sony Pictures. The compensation for it, monetary compensation we want. Pay the damage, or Sony Pictures will be bombarded as a whole. You know us very well. We never wait long. You’d better behave wisely.” The menacing messages did not specify how much of a payoff was being demanded. Sony executives forwarded the email to the FBI, according to spokesperson Lawson.
Neither “God’sApstls” (which was never heard from again) nor the GOP had mentioned The Interview.
Hours after Sony’s computers went dark, Nicole Seligman notified the FBI. That afternoon a team of agents from the agency’s Los Angeles cybersquad arrived on the lot. Sony also retained forensic investigator Mandia.
Inside Sony Pictures, employees were left to work with pens and paper. The studio issued 190 BlackBerrys (BBRY) to key employees. Shops on the lot took only cash. “It is possible that some or all of this disruption will continue over the Thanksgiving Holiday,” the studio advised them. “We appreciate your efforts to find work arounds.”
Then, starting on Dec. 1, after again alerting reporters through emails, the hackers began dumping heaps of stolen documents, many of them deeply personal, onto file-sharing sites. The first batches included confidential performance evaluations, family medical records, criminal background checks, disciplinary memos over workplace affairs, passport information, and salary details for everyone at Sony. The studio had maintained little control over even sensitive information prized by identity thieves. Analysis by a data protection firm called Identity Finder found, for example, that Sony had left Social Security numbers for 47,426 people (including many who hadn’t worked at the company for years) in more than 600 files lacking password protection or encryption.
More dumps followed, one every few days, each triggering a new crisis as reporters pored through Sony’s business and, especially, its dirty laundry. “It was a nightmare,” says one executive working on the studio lot. “Just when you think you’d gotten over one—it was starting to get quiet and calm—boom, you’d get hit with something else that was even crazier.”
Pascal’s email exchanges with producer Scott Rudin proved especially cringeworthy and were widely disseminated in the press. They included nasty comments about celebrities like Angelina Jolie (Rudin called her a “minimally talented spoiled brat”); insensitive banter about President Obama’s presumed taste for black-themed films (“Should I ask him if he liked DJANGO?” she wrote); and knockdowns over their film deals (“Do not fucking threaten me,” Pascal warned Rudin at one point. As she routinely did, Pascal forwarded this last exchange to Lynton, who scolded: “You are both crazy to put this in an email.”)
After the embarrassing headlines, Pascal issued a public apology, then sought forgiveness in meetings with Sony employees and the Rev. Al Sharpton, who had threatened to demand her head over the Obama comments. “I feel like I’ve been raped,” she privately told a studio visitor. “And I was blamed for it.”
Sony tried vainly to bottle it all up. In mid-December the studio retained attorney David Boies, who warned 40 media organizations (including Fortune) not to use the stolen information or they would be held “responsible for any damage or loss.” Boies asserted the documents were, variously, “private,” “confidential,” and “trade secrets,” and protected under an array of U.S. and foreign legal doctrines. Many news outlets, including the Wall Street Journal, Bloomberg, and Reuters, published articles using the emails nonetheless. (Boies even wrote Twitter (TWTR), seeking to shut down Val Broeksmit, leader of an indie band called Bikini Robot Army, whose tweeted screenshots of hacked Sony emails had won him 19,000 followers. Twitter suspended his account for just a day. Broeksmit, who was contacted by Boies, blew him off.)
That was all a sideshow. Sony’s biggest problem was The Interview. The media first raised the prospect that North Korea had hacked Sony because of the film on Nov. 28, four days after the attack. The GOP made no reference to The Interview until Dec. 8, when it demanded that Sony, having “refused to accept” its previous terms, “stop immediately showing the movie of terrorism.” Rogen and Franco, meanwhile, had continued their promotional tour, maintaining the studio’s line—as Rogen put it on Good Morning America on Dec. 15—that The Interview “wasn’t meant to be controversial in any way.”
The GOP intensified its threats. It had already made ominous statements about the safety of studio employees’ family members if its demands were not met. Then, on Dec. 16, the hackers, vowing a “bitter fate” for “those who seek fun in terror,” claimed they would attack movie theaters screening the “awful movie Sony Pictures Entertainment has made. The world will be full of fear,” they warned. “Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time.”
The outrageous statements, made by an anonymous group seemingly able to wield great power, had their intended effect. Fear gripped the movie world. All five big theater chains, citing security concerns but also scared of ruining their holiday box office, told Sony they wouldn’t show the film. The Interview had been scheduled to open on 3,500 screens. Lost in the anxiety: word from the Department of Homeland Security that it had “no credible intelligence to indicate an active plot against movie theaters.”
On Dec. 17, Sony issued a statement, saying it was “deeply saddened at this brazen effort to suppress the distribution of a movie” and insisting, “We stand by our filmmakers and their right to free expression.” But Sony wasn’t standing by the movie; it was shelving it. “In light of the decision by the majority of our exhibitors not to show the film,” the studio announced, it was scrapping the Christmas release.
Lynton would later insist that the chains’ withdrawal had left him with no choice, commenting: “This was not our decision.” In fact, a group of at least 150 independent theaters were eager to show the movie. Tim League, CEO of Austin-based Alamo Drafthouse Cinema, says he quickly notified Sony that his 19-location chain wanted to show The Interview, as did other members of the Art House Convergence, made up of theaters across the country. But Sony refused to let them have it.
Late in the day on Dec. 17, when journalists asked about releasing the film through video on demand (VOD) or streaming services like Netflix (NFLX)—a way to bypass the threat to theaters—the studio issued a second statement ruling out any option: “Sony has no further release plans for the film.”
A day later the hackers demanded that Sony also yank “everything related to the movie, including its trailers.” The studio did this too, pulling TV advertising, canceling press screenings, even abandoning promotional Facebook (FB) and Twitter accounts. (Sony’s spokesperson says, “This was not an effort to appease hackers. There was no national release so the prudent thing to do was to stop the marketing efforts.”) The Interview, the press reported, wasn’t to see the light of day. The hackers had won.
“Good thing they didn’t publish The Satanic Verses.”
It wasn’t understood at the time, but commercial considerations, not just fear, were shaping Sony’s actions. With the film’s hefty marketing budget mostly spent, Lynton was desperate to avoid eating a $65 million investment. He also wanted to calm panicked employees. Lynton opted not to release the movie immediately.
Hoping the big chains would reverse course (or agree to an alternative date), Sony was reluctant to permit a narrow art-house release, which would generate a pittance in box-office revenues. And if Sony moved forward with video on demand, the big chains—which insist on an exclusive viewing window—would never screen the film. The “no further release plans” statement would have reassured the chains, surely furious about rumors of VOD, buying time for Lynton to get them back onboard.
Over the 48 hours after it pulled the film, Sony again became a target, as critics from Hollywood to Washington voiced alarm that the studio had caved. “Sony’s decision to pull THE INTERVIEW is unsettling in so many ways,” tweeted writer Stephen King. “Good thing they didn’t publish THE SATANIC VERSES.” At a press conference on Dec. 19, President Obama blasted Sony, saying the studio “made a mistake.” Added the President: “We cannot have a society in which some dictator someplace can start imposing censorship here in the United States.”
By this point the calculus had shifted. There was no sign of movement among the theater chains. Lynton had begun secretly exploring the VOD option as a backup immediately after canceling the Christmas release. But he had no takers; online services were reluctant to make themselves the hackers’ next target. Sony could have offered the film on its own PlayStation Network, but it was also worried about security. (Both PlayStation and Microsoft’s Xbox Live (MSFT) would face cyberattacks on Christmas Day; a group calling itself the Lizard Squad claimed responsibility.)
Conspicuously absent from the media since the hack, Lynton appeared on CNN hours after the President’s comments, giving the first “exclusive” interview to Fareed Zakaria, a friend of Lynton’s. There the CEO insisted, “We have not caved … we have persevered, and we have not backed down.” Sony, he said, remained committed to distributing The Interview as soon as it could find a taker. “There has not been one major VOD—video on demand distributor—[or] one major e-commerce site that has stepped forward and said they are willing to distribute this movie for us,” Lynton told Zakaria.
By Dec. 24, Lynton had given up altogether on the national chains—and found takers for VOD. Sony would allow the art-house theaters—ultimately, more than 300—to screen The Interview on Christmas Day. And he’d enlisted both Google and Microsoft, who’d first beefed up their cyberdefenses, to air the film on their VOD platforms. Starting that day, it would be available on Google’s YouTube (GOOG) and Google Play and Microsoft’s Xbox Video. Sony initially wanted to set a premium price—$17 for a 24-hour rental, Microsoft officials say. But ultimately, the studio recognized that would be another PR mistake and cut the price to $5.99 while touting the release as evidence of “our commitment to our filmmakers and free speech.”
“Very high confidence” North Korea was to blame.
Whodunit? Twenty-five days after the hack, the FBI attributed the Sony attack to North Korea. The determination came extremely fast, and it was rare for the agency to identify a government as the culprit.
In a written statement and public comments, FBI officials cited similarities to the DarkSeoul episode, evidence that the Sony malware was constructed on computers with Korean language settings, Internet staging points for the attack, and—most intriguingly—intelligence from “sensitive sources and methods.” At a Fordham University cybersecurity conference, FBI director Comey said he had “very high confidence” in this conclusion. (The New York Times later reported that U.S. intelligence, spying on North Korea, had found evidence of its role.)
Yet many experts remain unconvinced. It is easy, they note, for hackers to plant false clues. If the attackers’ target was really Rogen’s movie, why hadn’t they mentioned it right away? How would North Koreans know what data to leak? How could they so skillfully navigate Sony’s network? And why had they fallen silent after the release of The Interview?
“It’s a dogpile,” says Stuart McClure, CEO of cybersecurity firm Cylance. “ ‘Well, that one is North Korea, and this one looks like it, so it must be North Korea.’ There’s no objective evidence.”
Moreover, in the wake of revelations of secret government data gathering revealed by Edward Snowden, denizens of the electronic world are disinclined to take the government at its word. (The FBI has declined to make its evidence public.) Says Fordham law professor Joel Reidenberg, an information technology scholar who attended Comey’s speech: “It was sort of ‘Trust us, but we’re not going to let you verify.’ ”
All this fed an alternative theory: Like an estimated one-quarter of cyberattacks, the Sony hack was an inside job. The most elaborate advocacy of this came from Norse, the firm that visited Sony to pitch its wares before the attack. Norse said its own investigation implicated a few bitter, laid-off Sony employees with IT savvy. On Dec. 29, Norse executives arrived at FBI headquarters in Washington to lay out their reasoning in a three-hour meeting. Immediately afterward the FBI issued a public statement, insisting there was “no credible information” to implicate anyone but the North Koreans.
Among the initial skeptics that North Korea was to blame: Amy Pascal, who didn’t want to believe the film she backed had led to so much devastation. On Jan. 21 she met privately with Norse too, sitting down with her husband in their Los Angeles home to hear Stiansen detail his theories. Pascal later told a visitor that “for the longest time, I thought it was employees.” Since then, Pascal has told friends, she is uncertain what to think. Norse officials say they now believe North Koreans pulled off the attack with “some assistance” from former Sony employees.
For Pascal, being studio chief hadn’t been much fun for a while. But she wasn’t ready to give it up, even after the public humiliation of having the world read her emails. After returning in late December from a family trip to Vermont, Pascal renewed her push for a new contract, which she’d told the company would be her last. She had made $47 million over the previous four years, and she wanted a comparable deal. She had been in negotiations with Sony for a new agreement since June.
But Lynton wasn’t ready to move forward. After all, the film slate—the ultimate measure of Pascal’s performance—hadn’t met expectations for the past two years. And there was another consideration. As Lynton saw it, the events of the hack seemed to have traumatized her. Pascal hadn’t been visible around the studio much since Christmas, an emotional time for everyone, he told others. To Lynton, this lack of leadership had irreparably damaged her standing with employees. (Pascal has privately called this account “nonsense.”)
So in late January, when Pascal demanded a final answer, Lynton decided it was no. He conferred with Hirai about the move. Then, on Saturday, Jan. 31, he met with Pascal at her home. He wasn’t going to offer her a new contract as studio chief, Lynton told her. It would be better for her to become a big producer for Sony, an option they’d also been discussing. According to a Pascal friend, she was “shell-shocked.”
Pascal’s departure was announced the following Thursday. In a press release both sides cast her departure as her decision. But at a women’s conference in San Francisco days later, Pascal bluntly declared that she’d been “fired.” Still, she’d enjoy a gentle landing, helping produce some of Sony’s biggest films, including Spider-Man. Depending on how they perform, insiders confirm, Pascal’s package will give her $30 million to $40 million over four years plus a percentage of the profits her movies generate. In February, Lynton named Tom Rothman, a budget-conscious former Fox chief who’d been running Sony’s TriStar brand, as her replacement.
Lynton recommitted himself to Sony. He signed a contract extension in February. While his wife and daughters would be moving to Manhattan, he would commute between the two coasts. “You may have heard this rumor that I’m moving,” he assured employees at an all-hands meeting on Feb. 25. “I’m not.” Added Lynton: “I am here to stay.”
The Interview made one additional bit of history. After several days on VOD passed with no calamitous consequences, other online providers, including Apple (AAPL), PlayStation, then Netflix, began offering it. So far it has brought in more than $40 million on VOD, in addition to $12 million in theaters worldwide, making it Sony’s biggest digital seller ever, though still a loser for the studio.
The financial calculus is grimmer if you add in the out-of-pocket costs stemming from the hack: $41 million through the end of March, according to the company. That’s a bearable sum for a company of Sony’s size. But there are a lot more costs to come. In addition to expenses for investigation of the attack, IT repairs, and lost movie profits, Sony faces litigation blaming it for poor cybersecurity that exposed employees’ private information. Seven cases have been consolidated into a proposed class action in Los Angeles federal court.
As Sony struggles to repair its reputation, it has also undertaken the challenge of reconstructing its blitzed computer network, this time with an array of precautions to resist—really resist—the next assault. Sony’s “secure rebuild” strategy is expected to take a year, slowly returning the studio to normalcy while plugging the myriad weaknesses that its attackers so readily exploited.
The plan’s premise is zero trust. It imposes precautions that Sony wouldn’t previously countenance because they were too inconvenient and expensive. It’s aimed at keeping bad guys out, preventing them from reaching anything valuable if they get in, and blocking them from stealing it if they do.
To resume operations safely, Sony began by building an entirely new “white network,” completely segregated from the potential contagion of its old “black network.” At the start Internet access was tightly restricted. Sony will keep as little information as possible on its active network; the rest will be stashed securely, encrypted and cut off from the Internet. Emails will be archived after just a few weeks. System administrators will have access only to areas required for their jobs. Employees will be barred from installing applications that aren’t pre-approved. Sony will require everyone to use two-step login procedures. Firewalls will be put on the most restrictive settings. The studio will embrace an array of “next generation” cyberdefense technologies.
If implemented, it will represent a major step-up in cybersecurity for Sony. Will that be enough to prevent another cataclysm? Cyberexpert Lewis says that’s the wrong question. “Think of it as a continuum of risk,” he says. “You can do nothing, and you’re at 100% risk. Or you can do a lot and you can get the risk down to 10% to 15%.” The company was much closer to 100% risk last year and is heading much lower. That is undeniable progress. Now all Sony has to do is find a way to stop antagonizing hackers—and vindictive dictators.
A version of this article appears in the July 1, 2015 issue of Fortune magazine.