HBO: Hacks Indicate a Company in Cyber Security Crisis
In the growing age of data, security is one of the biggest concerns for multinational corporations holding copious amounts of sensitive data. With data protection becoming such an integral part of company operations, experts have tried to develop new and effective ways to keep sensitive information out of the wrong hands. Proper data security and privacy measures will prevent data leakage while still ensuring that a company runs smoothly. There is no room for error; leaving even the slightest room for mistakes could end in disaster. Several big multinational companies such as NETFLIX, SONY, eBay and HBO have suffered the consequences of lacking proper security policies. This paper looks into HBO’s security policy and the reasons it became the target of an attack in which hackers leaked 1.5 TB of sensitive information online, resulting in the loss of millions of dollars, and finally reviews and recommends better security measures that could prevent further attacks of this kind in the future.
In 2016, the media and entertainment sector was among the top five most-breached industries. According to the IBM X-Force Threat Intelligence Index, 42 million records were breached in 37 publicly reported breaches last year in this sector. One wonders how many breaches went unpublicized.
Leaking hacked episodes of the most popular TV shows online is a way to seek ransom or to create credibility for an aspiring hacker on the dark web. The number of people working on these popular TV shows and movies runs into a few hundred, if not thousands. From pre-production, casting calls, budget discussions, filming and post-production to final distribution, a lot of people have access to the script and the finished product. This increases the scope of attacks from hackers along the value chain. Securing all the people involved, particularly when many are third-party partners, is a daunting task. (NETENRICH, 2017)
In the summer of 2017, a group of hackers named “Mr. Smith” posted multiple episodes of upcoming HBO series, scripts of various other shows and personal information of multiple cast members online and demanded a ransom of $6 million. The hacker gradually released stolen materials on the internet, including unaired episodes of Ballers, Barry, Room 104, Curb Your Enthusiasm and The Deuce. The hacker also released the script of an episode of Game of Thrones that had not yet been broadcast. That was not the only misfortune during that period for HBO. (Daniel Victor, New York Times, 2017)
From May to August the data theft proved to be a nightmare for HBO. While the attention of the media (and HBO) was focused on Mr. Smith, a full upcoming episode of GoT was released online. This wasn’t the work of Mr. Smith but that of malicious insiders at a company called Prime Focus Technologies, a third-party vendor of Star India, HBO’s business associate that airs GoT in India. In other words, HBO was victimized by a hack at a third-party vendor of a third-party vendor. (Lazarus Alliance, 2017)
A few months later, HBO Nordic and HBO España, two European affiliates of HBO, aired an episode of GoT a week early, which gave people enough time to pirate it and put it on torrent websites.
That was not the end of their suffering: a few months on, they were hacked again by another group of hackers calling themselves OurMine.
A lack of good security policies and preventive measures made HBO a prime target for hackers. They were vulnerable not just in one area but on multiple fronts; poor employee training and vulnerabilities in their security measures cost them millions of dollars and a drop in viewer ratings as a result of pre-leaked episodes.
In the following section I will go over the details of the incident and try to isolate the key factors that led to the events that transpired, the faults in the security policy of their system, and the steps that should be taken to make sure that such an event doesn’t happen again in the future.
Timeline of Events
23 July 2017. The domain winter-leak was established, and several episodes of Game of Thrones were released along with additional content from various other HBO programs by a hacker named Mr. Smith. The IP address changed from San Francisco, CA to Dublin, Ireland. Finally, the site stopped working or responding to ping requests.
27 July 2017. While the hackers took a strategic approach to their psychological warfare against HBO executives, intending to release new content every week, the HBO story became doubly confusing when additional episodes of Season 7 were released by a user on Reddit.
After the information was pieced together, it turned out to be the job of an insider. The leaks seem to have come from a third-party vendor of HBO in India.
7 August 2017. A week after the first attack, Mr. Smith released a second wave of content containing 10 files with scripts, legal documents, and contact numbers of top HBO actors and employees.
14 August 2017. A week after the 2nd release, the hacker’s third email appeared, with the subject: HBO Leak, 3rd Wave. This time it was much more verbose than the first, and the body of the message included links to more HBO episodes of "Arliss," "Ballers," "Barry," "Curb Your Enthusiasm," "Felipe," "Insecure," "Latino," "Room 104" and "The Deuce".
15 August 2017. Indian police arrested four people in connection with the HBO leaks; the leak came from a company named Prime Focus Technologies.
Another incident took place on the same day: two European affiliates of HBO released an episode of Game of Thrones a week earlier than it was supposed to air, and 60 minutes gave people ample time to put the footage on the internet and spread it.
16 August 2017. HBO’s Twitter account was hacked by another group of hackers named OurMine. They simply tweeted for HBO to contact them for a security update.
In the span of one month, HBO was subject to cyber-attack 4 times. The problem was not on one front but on multiple: weak security protocols, lack of employee training, untrustworthy employees and lack of security measures.
According to many IT experts, the entertainment industry continues to use outdated technology to store its content even as it rides the wave of a digital growth spurt, and keeping up with the latest technology and protecting its sprawling supply chain is proving difficult. IT security experts believe that the entertainment industry needs to update its security framework to reflect the reality of the present IT ecosystem. They believe the breach at HBO could have been prevented with the proper use of available technology. Small measures such as segmentation of networks to control access, limiting collaboration to small pools, stringent access control policies with multi-factor authentication, and data encryption could have prevented the hack. (NETENRICH, 2017)
Looking into the events that transpired, the way they were handled by the executives at HBO was not on par with the level of security expected of a company such as HBO.
There were many things that the top executives or their security team could have done to protect the company from incidents of this kind. Using outdated technology and negligence of duty cost them millions of dollars.
What could they have done?
Versatile content management system (CMS). 34% of all data breaches occur due to external means. The entertainment industry has not kept pace with developments in the security sector. Various big organizations such as HBO, NETFLIX and SONY have lost copious amounts of data to hackers, which resulted in the unlawful release of content over the internet.
A content management system offers a solution to this problem. A content management system (CMS) typically has two major components: a content management application (CMA), the front-end user interface that allows a user, even with limited expertise, to add, modify, and remove content from a website without the intervention of a webmaster; and a content delivery application (CDA), which compiles the content and updates the website.
A CMS also makes sure that all content is accessed only through it, so that there is always a record of who accessed what and for how long. Access should not be given to just anyone: it should be limited, should cover only what is required, and should be revoked after the job is done, leaving no room for error.
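The access model described above can be sketched in a few lines. This is an added example, not code from the paper or from any particular CMS product: every read goes through one gate, each grant covers a single asset for a limited time, and every attempt, allowed or denied, lands in an audit log. The class, user and asset names are hypothetical, and the scenario data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Grant:
    user: str
    asset: str
    expires_at: float   # epoch seconds; access ends automatically
    revoked: bool = False

@dataclass
class ContentGate:
    """Single choke point: every read is checked against a grant and logged."""
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # (time, user, asset, event)

    def grant(self, user, asset, now, ttl_seconds):
        self.grants.append(Grant(user, asset, now + ttl_seconds))
        self.audit.append((now, user, asset, "GRANTED"))

    def revoke(self, user, asset, now):
        # Revoke as soon as the job is done instead of waiting for expiry.
        for g in self.grants:
            if g.user == user and g.asset == asset:
                g.revoked = True
        self.audit.append((now, user, asset, "REVOKED"))

    def read(self, user, asset, now):
        allowed = any(
            g.user == user and g.asset == asset
            and not g.revoked and now < g.expires_at
            for g in self.grants
        )
        # Denied attempts are logged too; they are what a reviewer looks for.
        self.audit.append((now, user, asset, "ALLOW" if allowed else "DENY"))
        return allowed

def demo():
    """Constructed scenario: a vendor editor gets one asset for one hour."""
    gate, t0 = ContentGate(), 1_000_000.0
    gate.grant("vendor_editor", "episode-A", now=t0, ttl_seconds=3600)
    results = [
        gate.read("vendor_editor", "episode-A", now=t0 + 60),    # in scope
        gate.read("vendor_editor", "episode-B", now=t0 + 120),   # never granted
    ]
    gate.revoke("vendor_editor", "episode-A", now=t0 + 600)      # job done
    results.append(gate.read("vendor_editor", "episode-A", now=t0 + 660))
    denied = [e for e in gate.audit if e[3] == "DENY"]
    return results, denied
```

The denied entries returned by demo() are the part an auditor would review: a vendor account reaching for an asset it was never granted, or returning after its access was withdrawn.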
Remote browser isolation. According to the IBM report, upwards of 75 percent of all data breaches happen as a result of careless employees who either consciously or unconsciously end up installing backdoors through social engineering and phishing attempts. Remote browser isolation offers a perfect solution to this perpetual problem.
With a remote browser installed, any emails, Facebook links, invites or transactions are opened and rendered in a fully isolated virtual environment outside your production network, so that in the event of a breach the hacker won’t be able to get inside the internal system of the organization. (Zuly Gonzalez, 2017)
The level of isolation provided by remote browsing solutions is strong enough that users can do their web browsing from their primary desktop computer, while still maintaining MPAA compliance.
Not only does this save on the cost of setting up and maintaining a second network for internet browsing, but it also streamlines the workflow. It decreases the amount of time users spend jumping back and forth between two separate computers and simplifies the process of safely importing materials from the internet onto the gated workstations in the production network.
An added bonus is that it can allow the auditors to see what files are uploaded or downloaded, as well as what sites are most frequently visited by the users, another potential boost.
Security Awareness. Every person involved should be trained to recognize scams and identify phishing attack techniques. People should be made part of a simulation in which they are cyberattacked, to see how they perform.
Most of the attacks happen due to a lack of proper training: people are not aware, and give out information to an attacker without even knowing. eBay, HBO and all the other big organizations have been subject to attack due to this.
Corrective actions should be taken, and employee training should be conducted every few months so that people don’t forget. These simple measures can help increase the security of the organization exponentially.
Choose secure vendors. HBO was subject to attack because they didn’t choose the right vendors: a third-party organization of a third party was responsible for the release of episodes of Game of Thrones. Organizations should be really clinical in giving out control to other people. Any outside person automatically becomes a threat after they gain access to sensitive information.
These are some of the ways in which HBO could ramp up their security measures and make sure that no such attack occurs in the future. Just following these basic steps will provide them with insights and reduce the points of entry into their system. You can never be completely sure, but at least these steps will help them in reducing threats.
Organizational impact. Fewer breaches of system architecture. The first and most important benefit of having a strong security system is that there are fewer breaches in the system and less loss of data to hackers. This builds trust among its users, as they know that their data is secure with the organization. By doing so we dramatically reduce the chance of hackers getting inside.
By staying up to date with recent standards, the organization puts itself at the top of the chain, providing good security to its users and standing out among its competitors. This will attract new users from the market, increase the user base and help it reach untapped areas that it couldn’t reach in the past.
Preventing a loss of business. Trust is priceless for any business. A business that loses the trust of its customers will quickly find that it doesn’t have customers anymore. A cybersecurity breach often results in a loss of trust among customers in the general public. For example, according to The New York Times’ coverage following the 2013 Target data breach, “The widespread theft of Target customer data had a significant impact on the company’s profit, which fell more than 40 percent in the fourth quarter.” A loss of that kind greatly impacts the organization.
These are some of the direct organizational impacts that would follow if good security measures were implemented, giving the organization a competitive advantage over its competitors by placing it in a strategic position where no one could be a threat to it or its subsidiaries.
In this paper I went through the events that happened with HBO and tried to separate out the issues that caused the breach in security. I went deep into the root causes and found the gaps in its security policies and measures. The causes were numerous and came both from outside involvement and from the mistakes of its own employees. HBO lacked many of the security protocols that should have been in place; they were very negligent of their security policies, and that made them pay dearly. A proper study of the challenges and threats during the period led me to find good alternative solutions for HBO, such as implementing software like a CMS and remote browser isolation to prevent attacks from the outside or from the inside. Implementing these solutions should garner HBO a lot of trust from its users and should prepare it for any future problem that might occur.
Bruce, B. (2017, October 30). THE HBO HACK – COULD TIGHTER CYBER SECURITY HAVE PREVENTED IT? Retrieved from https://www.netenrich.com/2017/08/the-hbo-hack-could-tighter-cyber-security-have-prevented-it/.
Gonzalez, Z. (2019, April 10). ME Journal: The Intangible Costs of Hacks (And What You Can Do About Them). Retrieved from https://www.mesalliance.org/2019/04/08/me-journal-the-intangible-costs-of-hacks-and-what-you-can-do-about-them/.
Alliance, L. (2017, September 19). HBO Hacks Indicate a Company in Cyber Security Crisis. Retrieved from https://lazarusalliance.com/hbo-hacks/.
Duverge, G. (2017, March 28). The Importance of Corporate Data Security and Privacy. Retrieved from https://online.pointpark.edu/information-technology/corporate-data-security-privacy/.
Dosal, E. (2018, September 25). How Can Businesses Benefit from Having a Strong Security Architecture? Retrieved from https://www.compuquip.com/blog/strong-security-architecture-benefits.