Recently we opened up the subject of entertainment companies being victims of cyberattacks and leaks of their intellectual property, a practice that seems to be gaining popularity among criminals. We talked a bit about the precedents, so you can check that out for more context. Now we’ll get more into the nitty-gritty of things.
Why are these attacks on the rise?
We could think of many reasons as to why these types of attacks have become more common, and most of them wouldn’t be overly complicated. The simplest one is inspiration: after the Sony breach, which we talked about in the previous post, hackers suddenly realized how much damage they could do to these kind of corporations. And how much exposure they could get, too.
After Sony, it suddenly became clear that these companies are more vulnerable than one would think. Because of their natural line of work, they deal with a lot of mainstream attention and interest on a daily basis, so an attack on them would receive much more recognition than on a more conventional business. It really doesn’t matter if an attack is more sophisticated than usual: what matters is how much buzz it can create.
Compared to other possible victims, here the risks are low and the gains possibly very high. There’s also the fact that the industry isn’t as worried with cyber security like other sectors, and in fact, them making simple mistakes is exactly what hackers are expecting (more on that in a bit). But in general terms, the entertainment industry is the perfect target: it has massive public interest and many potential weak points to exploit.
And the companies are apparently realizing that themselves, as interest in cyber security in the industry has skyrocketed since then.
What are the perpetrators after?
Traditionally, these kind of illicit hackers mostly looked to cause some kind of trouble, to be recognized among their fellow peers. To collect “trophies” every time they carried a successful intrusion. Now, though, those interest have become more sinister, and entertainment hackers are morphing into criminal enterprises.
Causing mayhem might still be a thrill to some, sure, but the money involved is what seems to be powering the more recent attacks. The people responsible for the latest HBO hack asked for $250,000 in exchange for halting any further leaks. The group that released the Netflix series Orange is the New Black before its official premiere also asked for a ransom; one that was paid, in fact. But still, the intruders weren’t content with the more than $50,000 they received in Bitcoin and released the episodes, much to the victim’s dismay.
But that’s the fact: there’s already a precedent of one company paying the ransom, and another report suggests at least another one has paid a cyberattack-related fee as well. What’s worse, that same article by The Hollywood Reporter claims that the FBI advised Hollywood companies to pay the ransom if they deemed it necessary, less they lose a critical part of their business (or all of it, in some cases).
The FBI itself has denied that it ever gave such advice. After all, not negotiating with criminals is a basic rule that everyone knows. But still, these companies have proven to be a weak link in the chain for now, and as far as cash is concerned, we already know monetary gain is in the realm of possibility. More than enough of a chance for any criminal looking to make a buck.
How do these intrusions even happen?
To many, it might seem baffling how these companies can get hacked in the first place. After all, they’re multi-national, multi-billion dollar corporations that should easily have the resources to combat these kind of threats. However, those massive structures are precisely what might be endangering them. Companies are made of people, and people often make mistakes.
From afar, Disney, Netflix or Sony might seem like cosmic juggernauts operating like machines: non-stop and flawlessly. But the truth is that they are as exposed to human problems as anyone else. And perhaps even more, since they employ hundreds and hundreds of people; as well as other external outsourced jobs.
That’s exactly what happened with the Orange case, for example. The company hacked wasn’t Netflix itself, but the studio in charge of editing the show. In many cases, it’s much easier to exploit the human factor, so that’s why hackers go after individual employees that represent some kind of opportunity for them, or an external part of the chain, and wait for a mistake. That’s the main theory of at least one expert regarding the HBO hack.
The other theory is a bit more technical, though not necessarily too complicated either. According to that same source, the cyber security infrastructure of entertainment companies is as far as 5 to 6 years behind compared to the finance and government sectors (7-10 in less favorable estimations), so they also have a clear weakness in raw security measures.
The most common mistake in this case is not a hard-to-understand cyber security problem, but a rather a simple one: many companies are slow to update their machines, so they’ll often sit on old versions of Windows for too long, for example, exposing themselves to external intrusions. Those annoying notification updates from Windows can mean the difference between been vulnerable and being protected.
HBO could’ve been hacked just for this simple reason. Going back once more to the Orange case, that’s also what happened: the editing studio had a computer running on Windows 7, the hacker found it by chance and boom. A whole season of a worldwide popular show was leaked weeks ahead of its premiere.
Now, just updating to Windows 10 won’t do the trick. These corporations will need new security protocols and new ways to operate. From now on, much of what we’ll see from these companies will be powered by raw fear of being the victim of the next scandal. Security is good, but fear can also lead to undesirable behaviors.
The entertainment industry, with all of its games, movies, series and more, thrives from the investment their audience puts into their products. Part of that is sharing a lot of that content, be it previous to the release (trailers, marketing) or after it (behind the scenes). After all of this, we might start seeing a more secretive and untrusting industry from now on. And that could be very unpleasant indeed.