“They Burned the House Down”: An Interview with Michael Lynton
Michael Lynton’s “Black Swan” materialized late last year, when someone—the U.S. government says it was North Korea—pulled off the most devastating hack in corporate history. Lynton, the CEO of Sony Pictures Entertainment, had to look on as highly confidential company information—salary details, private e-mails (some of them harshly critical of top Hollywood talent), unreleased movies—was leaked for all the world to see. For good measure, the hackers wiped out huge amounts of data on the company’s servers.
The attack pushed a reluctant Lynton to the forefront of U.S. foreign relations when the hackers threatened retaliation if The Interview, a Sony Pictures comedy set in North Korea that includes the assassination of Kim Jong-un, was released. Fearing reprisals, many theaters declined to screen the film, and Sony had to look for alternative distribution. President Barack Obama weighed in, chastising Sony for what he viewed as caving to Pyongyang’s pressure. The R-rated bro film had suddenly become a First Amendment icon.
How does an institution make it through all that? How does it sustain its culture, and retain its talent, as each salacious, embarrassing, top-secret bit of information spills out into public? I visited Lynton in his sumptuous office at Sony Pictures’ fabled art deco complex in Culver City, California, to talk about the experience. He seemed unguarded and optimistic, freely acknowledging the difficulties Sony faced in the weeks after the attack, yet sounding hopeful that the company had made it through intact.
Attacks like this may well be the new normal. Lynton says he can only hope that his company’s nightmare will serve as a wake-up call for other U.S. businesses. —Adi Ignatius
HBR: Let’s go back to the end of last year. Sony had just been hacked. What were your first thoughts?
Lynton: I was on my way to work. It was about 8:00 in the morning, and our CFO called to say that we had been breached. By the time I got to the office, the whole studio was off-line.
And that was just the beginning.
Yes. We received a series of threatening messages warning of a data dump of the information the hackers had stolen, and then the disclosures began. Soon we were dealing with a few things at once. We were trying to keep the business operating. We were dealing with employees who feared their information would be made public. We were dealing with the press, which was publishing some of the e-mails. And then we had the FBI coming in to do forensic analysis.
You were known as a CEO who tended to delegate. Did that change?
Yes, my role changed radically and quickly. The crisis required me to be very hands-on. We set up a command central to ensure that all decisions were made with my understanding and knowledge and approval. That basically became a full-time job, which meant everybody else had to operate the business—which they did, very successfully.
What went into setting up the command central?
The first thing was to establish a means of communication in the absence of e-mail. We were basically analog for a while. We had phones, and that was it. So we set up texting trees and then turned to our employee notification system. That meant we could centrally text our employee population, which we did frequently.
Was this just for crisis-related communications, or to sustain business as usual?
It was for business as usual, making sure people could communicate with one another about the stuff we do on a daily basis—making movies, making television shows, ensuring that everything gets distributed. Then we needed to create a temporary e-mail system. And we had to set up systems to make payroll, pay vendors, and so on. Making payroll alone was a monumental task: The finance department hauled old machines out of the basement to cut checks.
Nightmarish Days: A Timeline of the 2014 Sony Hack
NOVEMBER 25: SPE’s top two executives, Michael Lynton and Amy Pascal, first communicate with employees to commend their hard work while the company strives to resolve the system disruption.
DECEMBER 2: Lynton and Pascal e-mail employees acknowledging that a brazen attack has occurred and stating that SPE is working closely with law enforcement officials.
DECEMBER 5: Certain SPE employees receive an e-mail from someone claiming to be a GOP member, demanding that they disassociate themselves from Sony, and threatening, “If you don’t, not only you but your family will be in danger.”
DECEMBER 6: Lynton forwards an e-mail from the cybersecurity expert Kevin Mandia to all employees to explain the nature of the attack: “This was an unparalleled and well-planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”
DECEMBER 7: The Korean Central News Agency describes the attack as a “righteous deed” but dismisses reports of North Korean involvement as a “wild rumor.”
DECEMBER 8: The GOP posts a message demanding that the studio “stop immediately showing the movie of terrorism which can break the regional peace and cause the War” and linking to sensitive information stolen from SPE.
DECEMBER 11: Pascal issues an apology after her personal e-mails are made public. Sony stages a quiet Los Angeles premiere for The Interview.
DECEMBER 14: David Boies, outside counsel for SPE, writes to journalists reminding them that the leaked material is “stolen information” and calls on media outlets not to read or publish any SPE documents in their possession.
DECEMBER 15: Lynton calls an “all hands” meeting to tell employees they “should not be worried about the future of this studio.”
DECEMBER 15–16: Two separate class-action lawsuits are filed on behalf of former and current employees alleging that Sony did not do enough to safeguard their private information.
DECEMBER 16: The GOP posts a 9/11-type threat against moviegoers who try to see The Interview when it’s released on Christmas Day. Major theater chains start to cancel screenings.
DECEMBER 17: SPE decides not to move forward with the movie’s planned nationwide theatrical release the following week. Lynton and SPE executives begin reaching out to potential digital distribution partners, including Google.
DECEMBER 19: The FBI publicly states that North Korea was behind the attack. President Obama, too, attributes the attack to North Korea. Obama calls canceling the theatrical release “a mistake” and adds, “They should have called me.”
DECEMBER 22: North Korea experiences a 10-hour internet outage; connectivity problems continue for days.
DECEMBER 23: SPE announces that The Interview will have a limited theatrical release on Christmas Day.
DECEMBER 24: The Interview is released on Google Play, YouTube Movies, Microsoft’s Xbox Video, and a dedicated site run by the studio through Kernel and Stripe.
JANUARY 20: SPE announces that The Interview was rented or bought online and through cable, satellite, and telecom providers more than 5.8 million times, for a total of some $40 million in consumer sales, and that the movie has made $6 million in box office receipts through its limited theatrical release.
FEBRUARY 4: SPE says the hack cost $15 million through the end of 2014.
FEBRUARY 5: Pascal resigns.
It sounds like a nightmare. I can’t imagine seeing all my personal information suddenly made public.
Well, that was just part of it. The bigger challenge was that the folks who did this didn’t just steal practically everything from the house; they burned the house down. They took our data. Then they wiped stuff off our computers. And then they destroyed our servers and our computers.
So they had it, and you didn’t.
Correct. We had backup, but we couldn’t access it until we had computers, servers, and systems that would allow us to do so. So you have these very public e-mails out there, some of which are salacious. And then you have the challenge of operating the business when the networked services you’ve relied on are unavailable.
Containing the Damage
What did your employees need most from you at that point?
They needed reassurance. They were concerned that their personal information was out there and available, and we had to explain exactly what we were doing to protect them. Some were afraid that the company might go under as a result of all this.
“When you take a job in a movie studio, this is not what you think you’re signing up for.”
How did you reach out to them?
We held big town hall meetings, with 3,000 to 4,000 people at a time, to talk about what was happening. And we held small forums, where we brought together groups of 50 to 80 and listened to their concerns. I usually ate by myself in the cafeteria and made sure people could just come up and speak with me. Physical presence was very important. I left in the middle of all this to go to Japan for about a day and a half, because I had to make a board presentation on our budget. When I got back, our head of HR, George Rose, said, “Why have you been gone so long?” And I said, “George, I’ve been gone 36 hours.” Time felt very compressed, because things were happening so quickly.
Were your employees also angry?
Some were, yes. And once they heard that the U.S. government thought the hack was done by North Korea, some were angry that we were releasing The Interview. When you take a job in a movie studio, this is not what you think you’re signing up for.
No comments:
Post a Comment