Cybersecurity and the hacking of Hollywood

Cybersecurity appears near the top of any compliance officer’s risk assessment. Addressing the ever-evolving concerns around it is a priority on the strategic annual plan for any compliance program. Modern society’s reliance on technology and the internet is always increasing. Along with the many benefits of technology’s interconnectedness and conveniences comes risks to data privacy, information theft, unauthorized intrusions, and security breaches.

While all businesses are vulnerable to these threats, recently the spotlight has been on Hollywood and some high-profile hacking campaigns that have seriously impacted the entertainment industry. Damaging emails have been published, produced shows and scripts have been ransomed, and private photos have been leaked due to storage and server facilities being breached.

  • In November 2014, Sony Pictures was hacked by a group calling itself Guardians of Peace. The cyberattack used malware to steal and then overwrite and delete the data on half of Sony’s computer network worldwide. Not only did Sony have to deal with a major technology infrastructure crisis, but shortly after, the leaks began. The stolen data from the company that was subsequently published ranged from embarrassing personal emails of executives and celebrities to unreleased movies to sensitive employee information. The hack was eventually blamed on North Korea and their effort to suppress the film The Interview, a claim which is still disputed by some today. The fallout from the cyberattack and the insufficiency of the company’s preparations against it offer many difficult lessons in cybersecurity and corporate defences within it: Inside the Hack 
  • Netflix was compromised by a hacker going by the name thedarkoverlord, who posted ten episodes of the network’s hit show Orange is the New Black to a torrent site on the internet. The leak occurred after a ransom request was not met, first by a production vendor affiliated with Netflix and then by Netflix itself, demonstrating that cybersecurity at third-party vendors can also be a business risk: A Group Of Hackers Is Holding Hollywood Captive — & Here’s What It Wants
  • In another ransom case, Disney suffered a hack involving the latest movie in the Pirates of the Caribbean franchise, compromised while on the servers of a post-production facility. Work is often sent out to vendors in the industry who will do it for the lowest cost, but may not promise the most robust network security to prevent intruders from accessing the content and ransoming it to the owners. This phenomenon is becoming increasingly common and expensive: Cyberattacks once again roil Hollywood, but can anything be done about it?
  • HBO sustained a major cyberattack, possibly from various sources, on their servers which demonstrate how vulnerable major organizations can be to leaks, hacks, and social media hijackings. This event shows that HBO, and other organizations like it, face cybersecurity threats from a variety of sources: suppliers, insiders, intruders, and more. Ransom demands were involved here too, but other threats seemed designed just to test security protocols or to intimidate and embarrass: Breaking Down HBO’s Brutal Month of Hacks
  • Other than content owners such as networks and studios, Hollywood talent agencies, such as UTA, ICM, and WME, have all also been the target of cyberattacks. In the case of UTA, the intrusion occurred through the phone system and spread from there to the computer network, with a ransom demand following. Many of these hackers openly acknowledge they are motivated just by financial gains from ransom payments, so some companies are being advised to pay up and avoid damaging or embarrassing information and valuable content being leaked online: FBI Gives Hollywood Hacking Victims Surprising Advice: “Pay the Ransom”

The increasing frequency and visibility with which the technological systems of Hollywood companies are being targeted for cyberattacks indicates that this will remain a top risk for some time to come. The threats to the reputations of individuals and organizations involved, as well the economic and reputational risks, require that lessons learned from the situations above be implemented into practical and technological improvements to cybersecurity programs.

Leave a Reply