What Can Enterprises Learn from the Game of Thrones Hack?
If you are a Game of Thrones fan or occasionally keep an eye on popular culture news, you may have already heard of the latest Home Box Office Inc. (HBO) hack and the leaked episodes of Game of Thrones, the series based on George R.R. Martin's legendary books and the most pirated television show six years in a row. As this incident shows, with cybercriminals becoming more sophisticated and organized, many large enterprises like HBO inevitably face data security issues at some point, and sometimes they fail to secure their intellectual property.
For those who are not familiar with the news, HBO has been hacked by the so-called Mr. Smith hacking group, which stole approximately 1.5 terabytes of data from HBO and has released what it calls the sixth wave of leaks, containing confidential plot summaries and details of how the season will end, according to Mashable. The group has also leaked executive emails as well as the personal phone numbers, email addresses and home addresses of Game of Thrones Season 7 cast members. What they demand from HBO is approximately $6.5 million worth of Bitcoin, which has long been a favorite currency of ransomware authors.
From the enterprise content management standpoint, the HBO hack, once again, begs the popular question: who’s to blame? Are open source software vulnerabilities the culprit for this massive leak? Or the enterprise’s lack of encryption enforcement?
Speaking to CMS-Connected, Sydney Sloan, CMO of Alfresco, said: "This is the future of hacking and all companies that create content need to safeguard themselves from criminals and disgruntled employees, beyond securing their firewalls. For those who watch 'Game of Thrones' and shows much like it the outcome is worse than spoilers. This has the potential to ruin a storyteller's vision and even destroy production houses." Ankur Laroia, Strategic Solutions Leader, Alfresco Software, agreed and went further, saying to us: “The HBO hack illustrates the fundamental need to inventory, curate, and secure information. The challenge in this has always been around the 3Vs - volume, variety, and velocity at which information is created, shared and consumed. This wasn't just an infrastructure based hack, it was sophisticated and compromised applications and systems. Having an open, transparent system where exploits and vulnerabilities are quickly identified and mitigated reduces the surface attack area that enterprises are exposed to. Alfresco's digital business platform has been selected by many marquee brands to inventory, curate, and secure information.”
Many enterprises that use cloud services so that employees can collaborate by sharing, editing and updating files do not have a comprehensive security protocol to protect sensitive information within the shared files. This increases the chances of sensitive data loss through data loss prevention (DLP) violations. A study conducted by Netskope concluded that webmail has the highest occurrence of policy-violating activity. The report also noted that DLP violations can differ, giving examples of improper downloading of a non-public press release and theft of customer data from a CRM by a departing employee. Nearly 1 million new malware threats are released each day, and cyber criminals use that malware to get unauthorized access to your site and steal sensitive data such as credit card information.
HBO Isn't the First Company Going Through a Cyber-Extortion Attempt
In 2014, Sony Pictures was hit by a cyber-attack where hackers disclosed thousands of embarrassing emails and released personal information, including salaries and social security numbers, of nearly 50,000 current and former Sony employees. After that incident, Michael Lynton, a former chief executive officer of Sony Entertainment, started transferring emails from his computer every 10 days, and the company took data security more seriously.
Another high-profile case happened last April. A hacker who stole unreleased episodes of “Orange Is the New Black” asked Netflix for a payment of "tens of thousands of dollars in Bitcoin" in exchange for not releasing the files. The difference between the HBO hack and the Netflix hack is that the Mr. Smith hacking group claims it obtained "highly confidential documents" including IT related data, show scripts, financial documents and more. Additionally, some other hackers threatened to leak a stolen copy of Disney’s new “Pirates of the Caribbean” if the company didn’t pay a ransom. The company refused to pay.
Cybercrime has been an emerging concern for almost every single industry, but Hollywood seems to attract cyber criminals the most because of its specific vulnerability. Entertainment giants like HBO often work with a huge array of freelancers, especially for post-production, and this expands the network that hackers can target. In the case of HBO, for instance, the in-house team is mandated to have two-factor authentication and strong passwords for their work devices, and they also have to take security awareness training. However, working with numerous post-production freelancers who transfer sensitive information through personal email accounts and personal devices is the biggest factor in creating that security vulnerability. The consequences of those attacks are quite concerning. In fact, a stolen movie that appears online before appearing in theaters loses 19 percent of its box-office revenue on average compared with films that are pirated after they’re released, according to a study by professors at the University of Maryland and Carnegie Mellon University.
Are Data Breaches the ‘New Normal’?
As mentioned earlier, data breaches are evolving threats not only for Hollywood but for all digital businesses. In April 2016, we all witnessed the Panama Papers breach, which is the largest data leak in history, with 2.6 terabytes of data, 11.5 million documents, and more than 214,000 shell companies exposed. As a quick refresher, hackers breached the systems of Panama-based law firm Mossack Fonseca and leaked an extraordinary number of documents that have shed light on the tax-avoiding efforts of the world's elite leaders. The breach was likely the result of unpatched content management systems.
In light of all the incidents listed above, we asked Ankur Laroia from Alfresco whether data breaches are the “new normal”. Here’s what he had to say: “Unless companies embrace the power of open thinking and a new pragmatic approach to security, data breaches are going to become the 'new normal', leaving companies to deal with the inevitable fallout and impact on brand reputation. Every business is now contending with the interplay between making information instantly accessible to a range of users and keeping it secure against malicious attacks.”
The question I asked earlier in this article bears repeating: who’s to blame? Laroia believes, “Scattered content, regardless of where it is stored, poses a major security risk.” He also shared the ugly truth with us, which is that most businesses are unaware of which data set is sensitive. Therefore, they often don’t have sufficient measures in place to keep it secure. “Any security technology that is implemented to keep data secure cannot be effective unless it is clear what data is of value. For this reason, document classification must dovetail with security processes to identify, record, and potentially encrypt content in order to keep it safe both within and outside the firewall,” added Laroia.
As far as a security strategy goes, he suggested that organizations classify their most sensitive data assets, focusing on access, governance and policies around data retention: “Cybercriminals are becoming more sophisticated and organized when it comes to malicious attacks and employ a range of tactics to ensure maximum disruption and financial gain. In order to fortify defenses and remain resilient in 2017, rather than just implementing additional parametric security measures to protect all data, companies should start to carefully examine and qualify their content to determine what is sensitive and valuable.”
When it comes to mitigating those attacks, Laroia recommends that organizations invest more resources in assessing and organizing all content (not just digital, but physical records that still hold value), and proactively remove data that is no longer relevant or important. As a result, he claims, businesses will be in a better position to withstand cyber attacks.
When you look at cases like Netflix, HBO, and Sony Pictures, you may think that the buzz generated is an exaggeration because of popular culture, or when you look at the Panama Papers breach, you may think that uncovering dirty money transactions and corruption of public figures/world leaders is a great outcome after all. However, the victims could just as well have been well-meaning organizations that aim to secure people’s health records, financial data, and other sensitive personal information. Therefore, these data breaches should be a wake-up call to all industries.
All sensitive information, from private transactions to personal communications to intellectual property, is a target. Organizations have to fully understand that cybersecurity is a fundamental component of confidentiality. Alarmingly sloppy web security, a lax communications policy and unpatched content management systems may result in the loss of critical information as well as reputational and financial losses, which produce very dramatic scenarios. With advances in technology, many software providers take advantage of cognitive computing, such as pooled threat intelligence, so that a defense developed by observing one attack against one customer becomes immediately available to all customers.