Hackers expose security gaps in Hollywood

HBO offered US$250,000 (S$340,000) to cyber criminals who hacked into its computer system, asking them to extend a deadline for paying a much larger ransom.

NEW YORK • Sony. Netflix. And now, HBO.

While the 2014 hacking at Sony Pictures pushed entertainment giants to take computer security more seriously, recent incidents have exposed weaknesses throughout Hollywood's food chain.

Last week, as HBO investigated a cyberattack on its systems, an unaired episode of its hit show Game Of Thrones appeared online following an unrelated breach at a pay-TV partner in India.

In April, when 10 episodes of Netflix's Orange Is The New Black leaked, the incident was traced to a contractor.

Cybercrime is a growing problem for many industries, but Hollywood is especially vulnerable because of the long chain of people who work on a show or movie in post-production, experts say. Studios rely on an army of freelancers for everything from special effects to musical scores, creating a vast network of targets for hackers.

Bringing those workers in-house is an option, but would be expensive and could limit the talent studios can tap.

"Hollywood will have to recognise this will continue to grow and be an issue," said Mr Mike Orosz, who studies cyber risk as research director at the University of Southern California's Information Sciences Institute.

HBO requires employees to have two-factor authentication and strong passwords for their computers. They also undergo security awareness training. But the company works with many post-production freelancers who handle sensitive information on personal e-mail accounts and personal devices, raising security concerns, according to a former employee who asked not to be identified discussing an internal matter.

"Once the content is out of your hands, it's truly out of your hands," Mr Orosz said. "The security of the third-party vendor is what you're relying on."

HBO is still investigating how hackers broke into its computer system. They stole episodes of Larry David's Curb Your Enthusiasm and Ballers, a person familiar with the matter said. They also stole an executive's e-mail messages and a summary of an unaired episode of Game Of Thrones, according to Variety.

After receiving a ransom demand, an HBO executive e-mailed the hacker on July 27 offering US$250,000 (S$340,000) as payment for finding a security flaw, according to a copy of the message obtained by Bloomberg. HBO asked the hacker to extend the deadline for a week while the company arranged a payment in bitcoin. That was a stalling effort, according to a person with knowledge of the matter.

The hackers do not appear to have breached the company's entire e-mail system, chief executive officer Richard Plepler told staff last week. The network, owned by Time Warner, declined to comment.

For Hollywood, hackers are threatening both reputations and businesses. A stolen movie that appears online before appearing in theatres loses 19 per cent of its box-office revenue on average compared with films that are pirated after they are released, according to a study by professors at the University of Maryland and Carnegie Mellon University.

People may not be willing to subscribe to Netflix or HBO if they can watch their favourite shows and movies online for free.

The wave of attacks is also forcing media executives to confront a thorny question: Should they pay ransoms to hackers to get their content back?

The FBI says that is always a bad idea. "We believe it perpetuates the crime in general," FBI spokesman Laura Eimiller said.

There is also no guarantee paying the ransom will work. In April, Netflix refused to pay a hacker who stole unreleased episodes of Orange Is The New Black. Larson Studios, which worked with Netflix, told Variety it paid the ransom, about US$50,000, in bitcoin. The hacker, who went by the name TheDarkOverlord, dumped the stolen episodes online anyway.

Larson Studios did not respond to a request for comment, while a Netflix official said only that the company is "constantly working to improve our security".

The Sony attack, which embarrassed studio executives after private e-mail messages were made public, was linked by the FBI to North Korea, which allegedly was retaliating for The Interview, a 2014 film about a fictional plot to assassinate leader Kim Jong Un. Some studios have reportedly removed Russian President Vladimir Putin as a character in films because they are concerned they will suffer a similar fate.

Sony has learnt from that attack. Mr Michael Lynton, former chief executive of Sony Entertainment, started transferring e-mail messages off his computer every 10 days. "To me, that's the solution," he said in May. "Put it in a drawer and lock the drawer."


A version of this article appeared in the print edition of The Straits Times on August 14, 2017, with the headline 'Hackers expose security gaps in Hollywood'.