What the Sony Hack Means for Your Paycheck

Payroll Red Alert Illo - P 2015
Illustration by: Paul Blow

Payroll Red Alert Illo - P 2015

All that stolen data exposed more than embarrassing emails. It also sent dozens of Hollywood payroll companies into red alert to secure their data in an identity theft economy where Social Security numbers go for $10 a pop.

This story first appeared in the March 13 issue of The Hollywood Reporter magazine.

If you happened to pass through Sony Pictures' payroll department last December -- during the height of the North Korean hack, when private emails, salary details and Social Security numbers were being dumped online virtually every day -- you might have thought you'd wandered onto the set of Hot Tub Time Machine 2. Direct deposits had been suspended, so paychecks were being printed and cut on an archaic material called paper, then sent to employees via an antediluvian delivery system known as the Postal Service. Pre-email devices known as "fax machines" were being plugged in for the first time in decades and used to send messages through copper telephone wires. That's right, wires.

Sony had been flung back to the dark ages of the predigital era, to a world as primitive as the 1980s.



Of course, a huge amount of Sony's payroll -- of every studio's payroll -- is outsourced to at least a dozen payroll services, the independent companies that handle payments to nonpermanent employees, like the directors, cameramen and actors who make the movies. How these companies were impacted by the hack on Sony's internal computers -- if at all -- is something none of them is eager to discuss. "We believe the best strategy for security is to do much privately and discuss little publicly," says a representative for Entertainment Partners, the payroll company Sony used for the production of The Interview -- the Seth Rogen-James Franco comedy about assassinating North Korean dictator Kim Jong Un that set off the hacking crisis in the first place.

Ostensibly, the payroll companies, which pride themselves on security above all else, were already employing techniques far more robust than Sony's safeguards -- although that didn't prevent hackers (presumably of the non-North Korean variety) from cracking into ART Payroll, the company that handles residual payments for members of SAG-AFTRA. That hack, which occurred right around the time Sony's computers were being compromised, was plugged within a couple of hours, but not before the perpetrators could make off with untold amounts of Social Security numbers, private accounts and addresses. "We're confident that since we caught it so quickly, they weren't able to do anything with the data," says Edward Finn, an attorney representing ART, all but crossing his fingers. "That's our hope."

Still, some post-hacking changes at the payroll companies are being made. For starters, ART and others are instituting something called "two-factor authentication" for access to sensitive information, requiring not only passwords but also a key fob or text message containing constantly rotating pass codes. "The whole industry is moving in this direction," says Michael Rose, CEO of Ease Entertainment Services, which served as the payroll company for such Sony films as The Equalizer and Paul Blart: Mall Cop 2. "The only positive thing that will come from this Sony disaster is that people are hyperaware of the need for protocols."



Ease also is adding yet another layer of security, launching a "digital ecosystem" that will store sensitive data -- from Social Security numbers to top-secret script pages -- within the com­pany's own servers, off the Internet, sealed from outside access. "We have a closed-loop security feature for studios to distribute scripts and locations, which means crews come to our site to see their work directions as opposed to getting an email," explains Rose. "Scripts can no longer be saved, forwarded or copied. These are tools studios should be using."

But even that may not be enough. Cybersecurity expert Adam Levin, founder of digital-security firm IDT911, recommends payroll companies also incorporate biometrics -- voiceprints, fingerprints and retina scans -- to ensure that only the proper eyeballs get access to certain information. "Every one of [the payroll services] is on notice," he warns. "If they don't want to end up on the scrap heap of history, they need to evolve."

No matter how evolved they become, however, payroll services always will remain a prime target for hackers, simply because the type of information they keep on their servers can be so profitable on the black market. Social Security numbers can fetch up to $10 apiece, which doesn't sound like much until you do the math. During the Sony hack, 47,426 Social Security numbers were compromised -- that's a street value close to $500,000 (although prices fluctuate; they dropped after massive hacks of Anthem, Target and Home Depot flooded the market with stolen Social Security numbers). Sony's solution of turning back the clock and taking its internal payroll completely offline isn't a sustainable security strategy, at least not for the payroll companies. On the contrary, despite the hack, the movement among payroll companies continues to be more and more toward digitizing data. "It's too costly to keep information in boxes," says Rose. "If paperwork isn't digitized, you'll continue to have Social Security numbers sitting in boxes on the set. That's not secure."



For those whose numbers were stolen during the Sony and ART hacks, there's some comfort in knowing that both companies are providing identity protection services to monitor employees' credit and financial patterns for potential problems -- but not a lot. Those protections eventually will expire -- the companies are paying only for two to five years -- meaning that victims of the 2014 hacks may find themselves even more vulnerable in 2020 than they are today. "Social Security numbers don't expire," says Todd Feinman, CEO of identity protection firm Identity Finder. "Five years from now, the data is just as valuable, and the victims are less likely to be monitoring their credit."

All of which is so nerve-wracking for some Sony employees that they've formed an invitation-only online support group for victims of the hack (you get invited to join via email -- some people never learn). Currently there are 4,393 members, including Cassandra Giornali Sorrell, a 14-year former Sony employee who has since hired IDT911 to protect her identity. Last December, during the hack, she discovered that someone was using her Social Security number to refinance a mortgage under her name (at one point, her bank also shut down one of her credit cards). "I felt sick to my stomach," she tells THR, adding that she was so paranoid that she constantly monitored her accounts on her cellphone, to the point that she got pulled over by a cop while checking her bank statement at a red light. "He let me off without a ticket after I told him I was involved with the Sony hack and was freaking out."

She and a lot of others are still freaking out. "We're going to be looking over our shoulders for the rest of our lives," she says.

Source: Dell SecureWorks