Television dramas have consistently shown us that authorities do not negotiate with kidnappers and they refuse to pay ransom. “Ransom”, a television series on CBS, portrays a team that works to resolve ransom cases, including in the recent season finale, ransom demanded by a hacker. In an updated twist on this television plot, but this time, on the real world stage, a television network has reportedly been held to cyber extortion by a hacker over unreleased television shows and refused to pay ransom. For the cliffhanger, other networks are threatened to be the next targets. While this mind-boggling “life imitates art” drama appears slated for further episodes, what should be center stage, from a cybersecurity standpoint, is that the compromised security was that of a third party vendor.
A hacker (or a group of hackers) which operates under the name “The Dark Overlord” claims to have stolen unreleased episodes of the Netflix hit-series “Orange is the New Black.” During the past weekend, the hacker reportedly released ten episodes of this series to a pirate internet site when Netflix did not meet its ransom demands. The hacker said in a Twitter post: “It didn’t have to be this way, Netflix. You’re going to lose a lot more money in all of this than what our modest offer was.” The hacker then threatened that it stole unreleased content from other networks including ABC, Fox, National Geographic and the Independent Film Chanel (IFC) – suggesting that additional releases are coming. “Oh, what fun we’re all going to have,” the hacker posted on Twitter. “We’re not playing any games anymore.”
In a statement, Netflix said: “We are aware of the situation. A production vendor used by several major TV studios had its security compromised and the appropriate law enforcement authorities are involved.” According to news sources, the breach reportedly occurred at Larson Studios, which operates in the heart of Hollywood “as a full-service Audio Post Production company specializing in digital mixing for High Definition television, film and multimedia.”
While the matter remains under investigation, the details of the compromise here have not been released. So far, this appears to be a case of alleged extortion involving stolen files, but not ransomware. (Ransomware is a more pervasive cybersecurity threat, which also involves extortion, but which encrypts files and a user is prevented from accessing those files until a ransom fee is paid, unless they can recover their files from backup.) This is further suggested by the hacker’s history – having made headlines last year for allegedly stealing patient health information records from healthcare organizations, and demanding ransom to avoid the sale of the records on the dark web.
Whatever might be the details of the compromise here, this serves as a cautionary tale of the threat to a business when its information is in the hands (or, here, in the computers) of a retained third party. And while this is being played out in connection with the entertainment industry, where secrecy (for that suspense factor) is essential, fundamentally, secrecy is also critical to most other businesses. The message here is clear: Cybersecurity threats are ever-evolving, and this latest episode is another example that a company’s vulnerability to cyber events may depend not only on its own security but also that of its vendors. Companies should consider evaluating whether they are prepared for cyber extortion, including whether their incident response plans are current to properly address these emerging risks.