Game of ‘pwns’: Cybersecurity Lessons from the latest HBO Hack – Picks of the Week
Hackers Demand Millions in Ransom for stolen HBO Data | Associated Press
Spoiler Alert: Hackers Are Gunning for Hollywood | Variety
The HBO Hack Was Reportedly up to Seven Times Larger Than the Sony Hack | Vanity Fair
It seems that no one can escape cyber threats or data breaches these days – everything from political parties to the King in the North – appear vulnerable to attack.
The latest victim in a string of embarrassing and potentially highly damaging data breaches that have affected the entertainment industry in recent years is Home Box Office Inc., more commonly known as HBO. The HBO hack, first reported over the weekend, seems to be larger than initially believed, and the leaks have included internal documents, images, videos, and personal information of an HBO senior executive. Upcoming episodes from multiple shows – including Ballers, Insecures, and Room 104 – along with draft scripts of the popular Game of Thrones were also made available online. The network issued a take-down notice to Google, demanding links to the leaked information be removed, but in a new twist of events the hackers – who reportedly stole 1.5 terabytes of HBO shows and confidential corporate data – released a second dump of sensitive proprietary data and demanded a multimillion-dollar ransom from the network to prevent additional leaks.
The group of hackers delivered its ultimatum through a swaggering five-minute video from “Mr. Smith” – the name that the group is using to identify itself – to HBO CEO Richard Plepler. In short, they asked to be paid the equivalent of their “6-month salary in bitcoin” within 3 days to stop the leaks, and claimed to earn upward of $15 million a year by blackmailing organizations whose networks they have penetrated.
The hackers claimed it took them about 6 months to breach HBO’s network, and to have spent a half-million dollars per year to buy “zero-day” exploits that allowed them to break into their corporate networks through vulnerabilities not yet know to Microsoft and other software companies. They also bragged about HBO being the hackers’ 17th target and that only three previously victimized companies refused to pay. HBO is continuing to investigate the hacks and is working with police and cybersecurity experts, but it remains unclear how extensive the hack really was, how disruptive it will be to HBO’s business and employees, and whether the hackers will release the more explosive material they promised if the ransom isn’t met.
So far, the HBO leaks have been limited and have fallen well short of the chaos inflicted on Sony Pictures Entertainment in 2014. In that cyber attack, a group of hackers known as the “Guardians of Peace,” allegedly associated with North Korea, leaked thousands of humiliating and damaging emails and personal information, including salaries and social security numbers, of nearly 50,000 current and former Sony employees. The group demanded that Sony halt the release of one of their major motion pictures that year – The Interview – threatening terrorist attacks and causing Sony to cancel the film’s premiere and mainstream release. Ultimately, the 2014 Sony hack resulted in the resignation of senior executive Amy Pascal and in a multi-million-dollar settlement with the studio’s employees.
While the Sony hack definitely got the attention of executives across the entertainment industry, and while this and other major cyber incidents led to a shift in attitudes toward security, many experts argued that Hollywood studios were still not doing enough to prevent the next big data breach and warned that it was just a question of time before we would see another incident of the same or increased magnitude. Recommendations poured into Hollywood studios and cybersecurity companies flourished since, offering all kinds of technical solutions – from better firewalls to intrusion detection systems, network access control, cloud service security products, etc. The entertainment industry, however, has continued to focus on perimeter defenses instead of investing on risk mitigation strategies and more proactive measures, like using digital rights and content-management solutions to share and control how entertainment companies collaborate on content without putting it at risk of being compromised. These tools can increase the security of communications with external parties over secure channels, be they email, text, phone or instant messaging. Unified endpoint management solutions could also improve security and help control all IT endpoints, including desktops, laptops, mobile and even IoT devises. Finally, companies of all sizes and in all sectors should regularly train their employees on cyber hygiene and cybersecurity awareness, and bring “ethical hackers” to conduct penetration testing and simulate real-world attacks.
As Alex Manea, CSO of BlackBerry, noted: “if Game of Thrones has taught us anything, it’s that enemies will always try to find and exploit our biggest weaknesses, be they physical, mental or in this case digital. And just as in the hit HBO show, our goal isn’t to make our defenses impenetrable, it’s to make them strong enough that hackers simply move on to easier targets. In the end, enterprises and individuals who adopt this approach to risk management will have the best chance to survive the digital winter.”
The HBO hack has shown us that there is no such a thing as perfect cybersecurity, but that are multiple proactive solutions and training opportunities that can be adopted to add layers of security and make us more difficult targets to penetrate. What the network will decide to do next to resolve the case is hard to guess. For now, at least fans seem to remain loyal to the cable network that has brought them their favorite show, which recently saw its best-ever live ratings with more than 10.2 million viewers despite the recent hacks and multimillion-dollar ransom demand. – Senior Fellow Francesca Spidalieri