
The 47,000 People Sony Forgot: The Real Victims of the Most Devastating Corporate Hack in History

March 17, 2026

When the Sony Pictures hack broke in November 2014, the world was riveted by the celebrity gossip. Producer Scott Rudin calling Angelina Jolie "a minimally talented spoiled brat." Amy Pascal and Rudin making racially insensitive jokes about President Obama's movie preferences. Jennifer Lawrence and Amy Adams being paid less than their male co-stars in American Hustle. Unreleased films appearing on torrent sites within days.

Those stories dominated every front page for weeks. They were entertaining, scandalous, and shareable. They were also the least important part of the hack.

Buried beneath the headlines was a quieter, more devastating story — one that affected thousands of people who had never sent a controversial email, never green-lit a questionable movie, and never earned a seven-figure salary. The attackers had stolen the complete personnel records of approximately 47,000 current and former Sony Pictures employees. Social Security numbers. Home addresses. Medical records. Immigration documents. Background checks. Bank account information from direct deposit records. Performance reviews. Disciplinary actions.

This was not gossip. This was the raw material of identity theft, harassment, and surveillance — posted on the internet for anyone to download.

The Data Nobody Wrote About

The media coverage followed a predictable pattern: it chased the famous names. When a mid-level accountant in Sony's Culver City office discovered that her Social Security number, her children's names, her home address, and her medical diagnosis of a chronic illness were all searchable on the internet, that was apparently not a story worth more than a brief mention in the fifteenth paragraph.

The disparity was not accidental. Celebrity gossip drives clicks. The plight of anonymous office workers does not. But by any measure of actual harm, the exposure of employee data was the most damaging aspect of the entire breach.

The files included medical records — diagnoses, treatment histories, insurance claims, disability accommodations. Employees whose HIV status, cancer diagnoses, mental health treatments, or substance abuse histories were now public faced concrete social and professional consequences. One former employee described learning that her therapy records — including notes from sessions dealing with a sexual assault — had been included in the leaked data. "I shared those things with a therapist in confidence," she said in a court declaration. "Now anyone in the world can read them."

Salary data for every employee was exposed — not just current salaries but complete compensation histories including bonuses, stock options, and severance packages. When everyone in a company suddenly knows what everyone else makes, the result is not the rational transparency that economists celebrate. It is jealousy, resentment, and a corrosion of trust that outlasts any news cycle. Employees discovered that colleagues with similar titles earned significantly more. Long-tenured staff found that recent hires had been brought in at higher salaries.

Parents learned that their children's Social Security numbers had been exposed through dependent benefit enrollment records. These were minors who now faced a lifetime of vulnerability to identity theft before they had opened their first bank account. Domestic violence survivors who had carefully protected their new addresses discovered their location information was now searchable in leaked documents.

Fraudulent credit card applications began appearing within days of the data release. Tax returns were filed in employees' names before they could file their own. New bank accounts were opened with stolen Social Security numbers. The embarrassing executive emails were humiliating, but humiliation fades. Identity theft follows a person for years, sometimes decades.

How a Seth Rogen Comedy Started a Cyberwar

The hack itself grew from a decision that seemed routine at the time. In 2013, Seth Rogen and Evan Goldberg pitched Sony a comedy about two journalists who land an interview with Kim Jong-un and are recruited by the CIA to assassinate him. Not a fictional dictator. The actual sitting supreme leader of North Korea.

Sony said yes. The film had a proven comedy team, a built-in audience, and a premise that would generate enormous pre-release buzz. The North Korea angle was the selling point, not the concern.

North Korea's response in June 2014 — calling the film "an act of war" and threatening "stern and merciless retaliation" — was met with something between dismissal and amusement. The regime threatened to turn Seoul into a "sea of fire" on a regular basis. Parsing actual intent from performative rhetoric seemed straightforward.

But there was a crucial difference that few noticed. Previous North Korean threats had been directed at nation-states, where the calculus was mutually assured destruction. This time, the target was a specific private corporation. Attacking a country was suicidal. Attacking a company was asymmetric — low risk, potentially high impact, and deniable.

The hackers were already inside Sony's network by the time the threats were making headlines. They spent months mapping systems, identifying valuable data stores, and methodically exfiltrating between 100 and 200 terabytes of information. For perspective, the entire Library of Congress's digital collections amount to roughly 20 terabytes. The attackers did not just steal files — they essentially cloned the company's entire digital existence.

Sony's cybersecurity posture was, by the standards of the time, unremarkable — which is to say, inadequate. The company had invested heavily in content creation and treated cybersecurity as a cost center. There were firewalls. There was an antivirus system. There was a security team. The depth of defense was shallow, the monitoring was limited, and the internal segmentation that might have contained the breach was largely absent.

The Sony hack was a turning point. It was the first time a nation-state effectively went to war against a private company. When the attackers escalated to threats of physical violence against theaters, Sony pulled the film. A foreign dictator had censored an American corporation. President Obama called it a mistake. The cybersecurity world — and the calculus of corporate risk — was permanently changed.

But for the 47,000 employees whose lives were exposed, the geopolitics were beside the point. Their Social Security numbers were on the internet. Their medical records were public. And no amount of corporate crisis management or FBI attribution would ever undo that.
