They say April is the cruelest month, but HBO may beg to differ. The company kicked off August with an apparently massive breach of its servers, in which hackers pilfered everything from full episodes of unreleased shows to sensitive internal documents. Not long after, in separate and distinct incidents, two episodes of Game of Thrones leaked out early. And Thursday, hacker group OurMine hijacked HBO’s main Twitter account, along with those of several HBO shows. It’s been a hell of a couple of weeks.
But HBO’s rocky patch of hacks and leaks also serves as an important reminder of just how hard it is for any company to lock things down these days. While the attacks blur together, they’re in fact four distinct incidents, each with their own set of lessons.
“They have some supply chain issues, they have malicious insiders, they had accidental insiders, they have an account compromised,” says Richard Ford, chief scientist at security software company Forcepoint. “It crosses a range of issues that highlight the challenges that a big organization like HBO faces.”
Focusing on the variety of threats out there doesn’t just provide some much-needed clarity around HBO’s current dilemma—it may help other companies prevent a similar mess down the road.
HBO’s trouble actually began at the tail end of June, when hackers identified only as Mr. Smith dropped four unreleased episodes of HBO shows—including one, Barry, not slated to debut until next year—as well as the script to an unreleased episode of Game of Thrones. They suggested they had 1.5 terabytes of HBO data in total, ranging from more shows to financial statements and other sensitive documents.
A week later, the same person or group followed up with a ransom note demanding millions of dollars in exchange for the leaks to stop, as well as a screenshot to a file directory that implied they had access to either information about or episodes of shows like Curb Your Enthusiasm and Insecure.
Here’s where things get a little confusing. In between those two hyped hacker releases, a full episode of Game of Thrones leaked two days before the air date. It came not from Mr. Smith, as one might have assumed, but from four men in India who allegedly smuggled the episode out of Prime Focus Technologies, a company that works with Star India, which carries HBO in that country.
While not a traditional attack, in which hackers breach a system, the Star India heist represents an increasingly common scourge for the entertainment industry and beyond: The not-quite-inside job. However secure HBO can make itself, it has little say in how Star India protects its data, and even less in what Prime Focus Technologies does.
“The whole business model today has exacerbated the insider threat, because there’s a lot more insiders,” says Stephen Cobb, senior security researcher at ESET, a global IT security firm. “If you sit down in a movie theater at the end and watch the thousands of people involved in that movie, most of them don’t actually work at Paramount, or Sony, or whoever’s name is on the picture… You’ve got a lot of people having access to property which is very valuable.”
HBO’s in no way alone in this; Netflix recently faced—and declined—a ransom shakedown when hackers lifted episodes from the upcoming season of Orange Is the New Black from a third-party production studio. And the ease with which unscrupulous employees can smuggle that property out of the building exacerbates the issue.
“If you look at what is involved in an insider leaking intellectual property, it used to involve physically carrying something out of the building that was big and heavy. Or in the case of a movie, a can of film,” says Ford. “Now it’s a file transfer.”
Taken together, the Mr. Smith hack and that initial Game of Thrones leak would have already constituted one of the most high-profile month of security lapses the entertainment industry’s recent history. But remember, that was just week one. Two lesser—but still damaging, and embarrassing—trip-ups still followed.
On August 16, HBO played itself. In an incident unrelated to the Mr. Smith hack, or the Star India leak, HBO Nordic and HBO España aired this Sunday’s episode of Game of Thrones for an hour—plenty of time for it to land on torrent sites.
“The error appears to have originated with a third-party vendor and the episode was removed as soon as it was recognized,” said HBO Europe spokesperson Tom Nielsen in a statement. The key phrase, again, being “third-party.”
Lastly, or at least most recently, came the OurMine hack. The group caused minimal damage, leaving a message that read, “Hi, OurMine are here, we are just testing your security, HBO team please contact us to upgrade the security.” HBO regained control of its account within an hour.
“The infringement on our social media accounts was recognized and rectified quickly,” says HBO spokesperson Jeff Cusson.
But the OurMine incident, in addition to adding literal insult to injury, also shows two distinct types of security threats.
‘You’ve got a lot of people having access to property which is very valuable.’ —Stephen Cobb, ESET’
First, companies under fire tend to draw attention from other hackers. Sony, for instance, suffered 20 breaches in two months following its devastating 2014 hack.
“Any high-profile hack will create elements of a dogpile and copycat, if we want to include both dog and cat in our analoty,” says Cobb. “That organization is suddenly in the limelight. You also have copycats, where you have people out there saying wow, some of these big studios don’t have perfect security.”
On a more practical level, the OurMine Twitter takeover offers a textbook example of credential-stealing, a pervasive attack that can cause a lot more damage than just social media exposure.
“Spearphishing attacks are increasingly common and with the right amount of reconnaissance on the target, they can be the quickest way to obtain credentials for email accounts, cloud storage or even social media profiles,” says Jérôme Segura, lead malware intelligence analyst at security firm Malwarebytes. It’s unclear if OurMine used that method specifically, but it seems like a likely route.
Six Feet Under
If any silver lining can emerge from HBO’s stormy few weeks, it may be that it illustrates just how many attacks a company has to defend against—and how to deal with them when they do occur.
“What you’re looking at here, with a digital business like HBO, is an ever-expanding attack surface. You have complexity, you have applications, third-party partners, social media,” says Jeff Pollard, security analyst at Forrester Research. “Any one of those could be the pathway for an attacker to get in.”
As HBO has learned, defending against all of those threats simultaneously can feel a bit like defending King’s Landing against dragons and White Walkers and whatever Little Finger’s up to. But it’s at least possible to adopt a mindset that helps minimize the damage.
“From a defense standpoint, it’s all about being able to protect your data wherever it’s gone, and understanding how that data is ultimately leaving your control,” says Forcepoint’s Ford. “A lot of the time in security we’re focused on inbound, we’re very threat-centric. But looking outbound, protecting that data wherever it is, is a paradigm shift we’d do well to execute on.”
Otherwise, absent more details about how the Mr. Smith hack happened in the first place, the best steps to take are also the simplest.
“The majority of the time, the lessons that are learned from these sort of events is that basic security principles and basic security hygiene are often not followed,” says Pollard. Even a step as using two-factor authentication, for instance, could forestall potential Twitter takeovers.
Ultimately, the HBO hacks have proven less severe than what Sony suffered three years ago. Personal emails have not been publicly aired, and the leaks of shows so far don’t seem to have put a dent in viewership. A very bad month has not turned as catastrophic as it first seemed it might have.
Then again, we’re only two weeks in.