The cyber-chaos — whether driven by money, mischief, malice or just plain mistakes — may well continue: It’s possible that whoever was behind the massive hack of the programmer’s networks perpetrated in July has additional data dumps in store. The anonymous hacker, who has called himself “Mr. Smith” in some communiques, has demanded millions in ransom payments from HBO.
But how much has HBO really been harmed? Observers say that the Time Warner-owned network hasn’t sustained any serious blows to its finances or reputation, especially compared with the 2014 cyberattack on Sony Pictures Entertainment that nearly pulled the studio under.
“In the pantheon of hacks and corporate fallout from them, HBO is getting off light so far to date,” said Stephen Beck, managing partner of management consultancy cg42.
HBO has had a string of digital headaches: The hack has resulted in the release of a “Game of Thrones” script and episodes of HBO shows including “Ballers” and “Curb Your Enthusiasm.” Separately, two “Game of Thrones” episodes have been pirated before their premiere this season — episode 4, attributed to employees of a vendor working with HBO partner Sky India; and episode 6, which leaked online after it was inadvertently published by HBO’s European services. And on Wednesday night, a notorious hacking gang hijacked HBO’s Twitter and Facebook accounts.
Those may be an unfortunate confluence of events, or it could be that HBO has been singled out for attack. “Once you’ve been compromised, you’re seen as someone who’s been attacked and is vulnerable,” said Dimitri Sirota, co-founder and CEO of BigID, a security software vendor.
It’s impossible right now to determine the full cost of the hack, because even HBO might not know the full extent of what’s in the 1.5 terabytes of data the hackers claim they’ve stolen, said Tim Crosby, senior cybersecurity consultant for Spohn Security Solutions. A security contractor enlisted by HBO disclosed that the hackers obtained “thousands of internal documents.”
With any data breach, there are costs for legal reviews, security remediation, and forensics investigations. “It’s unfortunately become a cost of doing business today,” said Mark Lobel, principal in PwC’s U.S. advisory practice and leader of its cybersecurity team for the technology, media and telecom sector. “These types of attacks against media companies are happening a lot, and many are not reported publicly.”
Still, the damage from the hacks and the other leaks appears to be limited. In fact, “Game of Thrones” scored the series’ best-ever ratings for the Aug. 6 airing even with the leak three days beforehand. Season to date, “GOT” episodes are averaging nearly 30 million viewers across all platforms, 38% more than the same point in time versus last season. HBO half-hour comedies “Ballers” and “Insecure,” both of which had episodes leaked by the hacker, have each set record highs for viewing on Sunday nights this summer, according to the network.
Experts say it’s unlikely HBO has lost subscribers or that its brand has been tarnished. “They have some public sympathy – they didn’t do anything wrong,” said Carl Folta, a veteran entertainment PR exec. “They are the victims here.”
A big difference between the Sony and HBO hacks is that in HBO’s case, there hasn’t been much private email or employee personal information divulged. The hacker group did leak about a month’s worth of emails from one senior HBO executive. But the contents of those haven’t been published, as Sony’s emails were — which corroded the studio’s relations with talent, employees and partners. (HBO CEO Richard Plepler has told employees that the network doesn’t believe the email system “as a whole” has been compromised.)
In many ways, the HBO leaks arguably have been unpaid promotion for the network. The latest episode leak even spawned a trending hashtag on Twitter,
#FakeGameOfThronesSpoilers, on Thursday.
“Obviously, no company wants their proprietary information stolen and posted online,” said Beck. “But this amounts to free marketing.” Recall the quip from Time Warner CEO Jeff Bewkes, who said on an earnings call in 2013 that piracy of “Game of Thrones” was “better than an Emmy” in terms of driving buzz.
HBO, for its part, has said it is not in communication with the hacker and that its priorities are to maintain transparency with employees and partners about the incident. “We’re not going to comment every time a new piece of information is released,” the network said in a statement Sunday. “The hacker may continue to drop bits and pieces of stolen information in an attempt to generate media attention. That’s a game we’re not going to participate in.”
Industry analysts say HBO has done a good job in responding quickly with public and internal messaging. One of the mistakes companies that have been hit by a data-security breach often make is that they release partial or inaccurate information, said PwC’s Lobel. “They release a hypothesis and not facts,” he said. “That just extends the story. In many cases the hackers are trying to kill you by a death by a thousand cuts.”
As for HBO’s decision to offer a $250,000 payoff to the hacker, aiming to fend off the release of any purloined episodes or information, experts say there’s no right answer in what to do in this case. A source familiar with the matter confirmed that the offer of the “bug bounty” was a stall tactic by HBO as it assessed the situation.
Some experts say it’s never advisable to make payouts to cybercriminals, although they say that does sometimes happen quietly. “It’s the same reason U.S. government doesn’t pay ransom for kidnapped Americans,” said Brian Pearce, COO of Beyond Security, which sells network-vulnerability testing tools. “It paints a giant target on not only on the back of the company, but the entire industry they’re in.”
Other say offering payments to hackers can be a reasonable step to negotiate a settlement to limit the fallout, or to figure out if the attackers really have anything of value. Additionally, the tactic of offering payment might be part of an effort to gather more info about the hackers so that law enforcement can track them down.
In any case, internet-borne threats will continue. Tools that cybercriminals have access to are very user friendly and easily available. With a monetary incentive, they will be relentless. “Your adversaries are getting smarter, so you have to get smarter,” said BigID’s Sirota.
The “Game of Thrones” script provides a lesson in architecting a data-security defense, according to Sirota. The Wall, the huge barrier of ice in the north of Westeros, doesn’t stop the White Walkers from breaking through. In the same way, in trying to protect their networks, “Companies try to build bigger walls and deeper moats, but there will always be ways to get around that.” Sirota recommends deploying a variety of more agile and intelligent defenses, such as “honeypots,” which are false targets designed to attract and trap an attacker.
The HBO hack and related events have once again spurred media and entertainment companies to consider how susceptible they are to similar attacks. The real danger is believing they are safe, said Spohn Security’s Crosby: “There are lots of people who will forget this. They’re more interested in focusing on something else.”