Tuesday, December 23, 2014

How the Sony hacking has impacted its employees

Here's another side of the whole Sony crisis -- the impact leaked data will have on its unfortunate employees.   A good friend of mine was personally involved.  Here is his account.  Let it serve as an eye-opener and warning to anyone else who also could be affected.   Not a lot of humor in today's post but it's something you should read.  Thanks again to my friend for sharing this valuable information.  

There has been a lot written about the Sony breach lately, some of it factual, some of it comical (see SNL’s cold open on Saturday). But all the news can basically fall into one of 3 categories: 1. The hack of Sony, apparently by the North Koreans. 2. Sony’s lack of regard for data security, which is damningly apparent by Sony’s own emails, which were revealed by the hacks. 3. The unsung victims of the hack, whose private information has forever been revealed. While anyone can see humor in #1, as one member of the group of unsung victims, making fun of our plight is really unnecessary.

My spouse and I have always been aware of the need to keep private information private and we practice what we preach. My spouse, however, is a former Sony employee and, at one time or another, 6 people’s social security numbers (5 + my spouse) were provided to Sony for the purpose of their life and/or health insurance benefits. My spouse was nowhere near being included on the list of highest Sony earners that was one of the earliest releases by the hackers.

When my spouse left Sony, there was no need for Sony to keep any of their beneficiary information. Sony did so. Sony could have and should have encrypted all current and former employee data and keep it off the normal network and on a more secure network. It is apparent Sony did not follow state of the art practice regarding data security. Sony has had multiple breaches, including their PlayStation network in 2010 and a breach, which may have been a dry run, of a network in Brazil earlier this year. Regardless as to whether this was a foreign government, a really smart 11th grader or the Second Coming who hacked Sony, Sony’s data security practices point to negligence.

What has this meant for us? We have changed every login and password. We have put “two-step” verification on everything we could. Still, hackers have attempted to get into two of our accounts on multiple occasions; we know this because the two-step authentication was activated. We have evidence that social security numbers have been stolen, sold and are being used.

Sony’s answer to all of this is to provide us with AllClearID, for free, for 12 months. AllClearID has told us we are safe; however, we spent hundreds of dollars on Lifelock and that has painted a different story. We believe this will play out over years, not months. For every Sony employee who had minor children as beneficiaries, those kids “virgin” social security numbers are valuable because it will be years until fraud might be detected. What is Sony doing for the real victims – the people who had no control over their data and who were just showing up and doing a job to help one of the premier entertainment companies earn profits – in the long term? We look forward to finding out answers.

So please – make fun of Kim Jong-Un all you want, but understand that some of your friends and neighbors are unwitting victims and if they are smart, they are doing everything they can to protect themselves.

30 comments :

Matthew said...

Wow, that's awful. Yet another reason why linking health insurance to employment is a completely brain-dead idea, too - America needs to snap that link ASAP.

MikeK.Pa. said...

Very sobering email and your friend is correct. You can change passwords and account numbers, but you can't change your SS#. A company I worked for 20 years ago used SS# as the employee ID, which was really stupid, especially when filling out expense vouchers with your SS# on paper.

With all the bank data breaches, there's no excuse for corporations not doing standard security measures like encryption and securing outlying parts of their network (like vendors). Data breach is akin to having your car or home invaded, only with longer lasting impact and uncertainty.

Hopefully the media's attention will move to this aspect of the hacking story and more scrutiny and pressure is put on companies to do more to secure employee/customer information. I haven't used anything but cash at Target and Home Depot - the few times I've gone - since their data breaches.

Carla said...

Meh. These people have money. And these particular ones have four kids. Did they really need more than two? Or any, for that matter? If they're not lazy nothing will come of it. Do a story about some poor people suffering identity theft and not having money to hire "life lock" and I'll put this violin back in its snuffbox case.

Billy said...

Wow! Carla is heartless. Maybe something like this should happen to her (or him) so the violins can start playing.

Kosmo13 said...

Twenty years ago I worked for a radio station that ran a lot of contests. In the studio was a logbook where the air personalities were supposed to write the names and contact information of contest winners.

One question management wanted us to ask the winners was their Social Security Number and write it in that notebook that dozens of people had access to.

Most of the DJ's did not even ask the winners their SSN and eventually management had a hissy fit. Executroids are clueless.

Scott Cason said...

And to make your day even brighter, for every "Sony", there are 100s of other companies just like them. Our information isn't safe anywhere anymore. I'd be willing to bet I have better security on my home network than half the enterprise users do.

Richard Y said...

We have been told for eons to NEVER carry our SS card in our wallets/purses. Then what does the Govt do when individuals applying for their Medicare cards get? Their ID card with their SSN on it followed by some random number - that MUST be carried in their wallets/purses.

Barry Traylor said...

How truly awful.

Johnny Walker said...

I'm also a former employee of Sony, and I work with the internet, often in the area of security. I am also friends with employees of Sony at the time of the breach. I'm a little confused by your account, to be honest.

It sounds dreadful, but what accounts are you referring to, when you say that hackers have attempted to break into them, may I ask? Bank accounts? Twitter accounts? Email accounts? It's very difficult to understand what you're referring to.

With regards to your children's SS#'s, the good news is that the SSA is aware of which numbers were leaked. It will be very easy to spot fraud when they're looking for it. It will be a hassle if it happens, of course.

I would be very cautious about catastrophizing what's happened here. The chances are that no long term damage will come to any of us. Perhaps some inconveniences, sure, but no real lasting damage.

For Sony itself however, time will tell...

Unknown said...

Everyone, not just Sony employees should freeze their credit.
http://www.clarkhoward.com/news/clark-howard/personal-finance-credit/credit-freeze-and-thaw-guide/nFbL/

blinky said...

Movie plot idea: Giant heartless corporation does stupid stuff, only cares about wealthy executives, little people get hut, add Seth Rogan and hilarity ensues.

Anonymous said...

I could be wrong Johnny but I don't think Twitter and email accounts have two-step verification. I thought it was very clear.

The Bumble Bee Pendant said...

Happy Festivus to all.
I hear some people airing their grievances in the comments section.
I also hear some people not caring about other's situations. No Christmas spirit at all??


Identity theft is real for many people. Hopefully no one on this blog or else where will feel this sting.

Let's face it. Thousands of people have access to your SS#. And address. I'm not talking about thieves. I'm talking about financial companies, investment firms, credit card companies, banks and all their associates can pull up your personal ID and use it. Thankfully 95% (unscientific #) of the people in this world are not crooks.

Happy Hanukkah to all. Happy Christmas. Happy New Year.

Be positive. Laugh. Smile. And be the person that makes any grinch's heart grow 3 sizes.

Phillip B said...

Sony's case may be ground breaking as the class action suit filed by their employees plods through the justice system. But it is about time that we all hold those people and organizations who demand our data accountable for keeping it safe.

In one personal case, an organization mindlessly demanded my SS# as part of a job application. The organization was hacked and it turned out they had saved all the data from job applications for more than a decade on their server. So an enlightening hour interview learning I would not be considered for employment turned into the knowledge that my #SS was one more than 50,000 taken in the breach.

There was no reason to save that data, and if it was saved there was no reason to have it on the server. And if it was on the server reasonable steps should have been taken to protect it.

When I was lucky enough to be employed my new employer required my #SS number, my driver's license #. my passport #, my fingerprints and consent to conduct and archive a credit report and a criminal background check.

Was my job important enough to require all of that? I doubt it. And past experience would indicate it is being archived in a way that is subject to being hacked.

Wendy M. Grossman said...

My sympathies. One of the worst things about modern privacy invasions is that we have so little control over what data we are forced to share with people/organizations that may not be at all worthy of our trust.

I have seen very little coverage of the situation of the employees, but it's struck me from the beginning as the worst aspect of all this. Gizmodo had a piece that Bruce Schneier highlighted; I wrote something myself.

It seems to me one appropriate measure is for the Social Security Administration to issue new numbers, certainly to the kids.

Btw, I remember reading not long ago that so many - 90% - of the South Korean national IDs have been compromised that the government there will need to spend $1 billion issuing new numbers to the entire populations.

wg
PS The captchas were truly impossible today.

Johnny Walker said...

I remember having to have a physical just to work in a call centre in Los Angeles. I thought that was pretty extreme for a job where I was just answering phones!

In other news: Common sense has prevailed, Sony are going ahead with their release of THE INTERVIEW.

MikeN said...

Yes, and in the future they will require you to attend health clubs, or charge you a fine for not doing so. Built into ObamaCare, though for now the EEOC is suing companies that actually take advantage of that provision.

Winston Churchill said...

You can always count on Americans to do the right thing - after they've tried everything else.

Barefoot Billy Aloha said...

From Chaplin's The Great Dictator to Mel Brooks' The Producers...the best weapon against tyrants is humor.

I'll be first in line when The Interview hits town.

Greg Ehrbar said...

Good grief, Carla. People with four kids have LESS money, not more. Have you seen their bank statements? How can anyone assume such things?

In a big company like Sony, there are haves and have-nots, just like in life. And--here's the kicker, Carla--no one's income should have an impact on our feeling about their various plights and that of their kids.

Frankly I think it is that very "who cares about them?" attitude that is just as bad as anything else plaguing our world today. Do the hackers care any more or less about these people as you do?

I don't agree with George Clooney's action, but maybe he can redeem himself by mobilizing his connection to bring safeguard systems to people like these Sony employees.

And then maybe the President can sign into law a mandate that all companies must protect the lives of their employees with the best systems and backups possible.

Anonymous said...

If the North Koreans are truly threatening to bomb theaters playing a movie starring James Franco and Seth Rogan, it's a clear indication that the Koreans have no comparable word for "triple oxymoron."

Because they're bombing a bombing bomb that's set to bomb, that's why.

VP81955 said...

The sad thing about all this is that a stupid, raunchy comedy is getting several times the publicity as "Selma," a film that from all accounts is a reasonably good re-telling of one of the flashpoints of the civil rights movement (and managed to convey what Dr. Martin Luther King was all about despite lacking legal access to many of his famed speeches). If I go to a movie in Los Angeles tomorrow, you can be sure it will be that one, not "The Interview."

Carson said...

Greg, What did Cooney do that was wrong? He has none to redeem himself. I saw a chance to gather Hollywood band together in support of our right to free speech and not cow-tow to terrorists of any stripe. He was wrong to do that? I don't think so and either does anyone else.

The one thing George got wrong was that he thought the studios cared about freedom of speech. But the corporations that own the studios don't. They care about their bottom line, and since the studios are all owned by multinational conglomerates, it's not about freedom to create. It's about commerce.

Anonymous said...

Carson Said:

"Greg, What did Cooney do that was wrong? He has none to redeem himself. I saw a chance to gather Hollywood band together in support of our right to free speech and not cow-tow to terrorists of any stripe. He was wrong to do that? I don't think so and either does anyone else. "

Carson, what Clooney did wrong was deciding to run with the mob. It's in no way conclusive that North Korea had anything to do with the hacking. Furthermore, it's highly unlikely they did.

How many times has "the internet" decided something was true, when later facts established that the conclusion was false?

Many, many, many, many times.

Enough so that Clooney is a qualified self-involved idiot for even thinking he was making a moral, ethical decision to try to corral and shame his colleagues.

You don't try to pull that unless you know exactly what you're talking about, and Clooney does not. Yet he's dragging other people into his fantasy world.

That's what Clooney did that was wrong.

Carla said...
This comment has been removed by a blog administrator.
VP81955 said...

If Clooney had said Sony never should have greenlighted "The Interview," that would have shown courage.

Thomas said...

Sony is among the worst cooperations in the world. If you work for the devil, you'll get burned.

Carla said...
This comment has been removed by a blog administrator.
Anonymous said...

You're a foulmouth slut don't you have anything better to do on xmas? You have probably been spreading it around for money since junior high Carla.

Kathy Anderson said...

Thanks for this post. All of this stuff going on with Sony and North Korea is just ridiculous, and I had no idea what to think about it. I did some research though, and I definitely agree with what you're saying here.