HBO Hack Illustrates That It’s Hard to Tell Exactly What’s Been Compromised

There may be much more missing than the headlines suggest.

Some 30 million people watched the Season 7 premiere of “Game of Thrones,” according to its creator, HBO. It’s one of the hottest media properties in years.

The popularity of the show, and HBO’s other properties, made HBO the perfect target for attention-hungry hackers who breached HBO’s systems this summer and made off with a script for a future episode and a reported 1.5 terabytes of other information – an astounding amount of data. By comparison, the 2014 Sony hack, which disclosed troves of embarrassing corporate emails and led to the departure of the company’s co-chair, was 200 gigabytes. The HBO breach is roughly seven times larger.

The size of the breach made us question – is this incident more than a spoiler for Game of Thrones and unreleased episodes of several other HBO shows? Or did the hackers have something else in mind? And it points out a sobering fact about many cybersecurity breaches: despite the best forensics, it can be hard to quantify their scope and know the true boundaries of what data has been taken or otherwise compromised.

The question was answered a few days later when the hackers demanded a multimillion-dollar ransom to prevent the disclosure of more episodes of more shows and damaging emails and other information – and, to prove their point, released personal phone numbers of Game of Thrones actors, emails and scripts. HBO and the hackers are now in negotiations, with the hackers demanding “our six-month salary in bitcoin”, claiming they earn $12 to $15 million a year from blackmailing organizations whose networks they have breached.

The motives of the hackers, interestingly, appear very businesslike – they claim to spend $500,000 a year purchasing zero-day exploits that let them break into networks through holes not yet known to Microsoft and other software companies, so their demands are simply an attempt to recoup their cost of doing business.

But there are secondary motives that may also be at play. Hacks can move stock prices, affect corporate leadership (Sony Pictures Entertainment co-chair Amy Pascal ultimately stepped down following the leaks), and distract a company during a crucial time, such as a merger or acquisition. And breaches at certain companies, such as health care facilities, financial institutions and professional services firms, erode trust among customers and potential customers.

Cyber breaches can also bring notoriety to the hackers. The criminals in the HBO breach clearly wanted attention.

And as recent revelations of Russian meddling in the 2016 U.S. presidential election have brought to light, there can be political motivations. In the Sony case, the Obama Administration pointed to the North Koreans, who hacked Sony in retribution for releasing “The Interview,” a comedy critical of North Korea.

Whatever the motivation, the HBO breach brings to mind a key “known” in cybersecurity defense: there are many “unknowns,” and they deserve respect.

  • Scope. In my experience, breaches are often initially low-balled. For example, a company will say that 100,000 files were accessed. Shortly thereafter that becomes 250,000, and after forensics have dug around it’s suddenly 1 million. It is unwise to underestimate the extent of the breach.
  • Timing. It can sometimes be difficult to tell when a breach began. That makes it tricky to identify the exact vulnerabilities, and how much data has been compromised.
  • Latency. It’s impossible to know how long a hacker will sit on compromised data before attempting to profit from it. This complicates remediation efforts, and makes it difficult to rebuild trust with consumers.
  • Motive. Your data undoubtedly has value, both to you and to perpetrators. But it gains even more value when combined with other data the hackers may have, increasing the attractiveness of what a company might dismiss as seemingly innocuous information. This leads to a dangerous sense of complacency.
  • Debris. Cunning hackers will not be satisfied with a one-time hit. Some try to leave bits of code that will make it easier for them to reenter your system. For those that breach systems for the thrill of it, this is an irresistible challenge.

It’s natural for a company to want to quickly quantify a breach and reassure employees, customers and business partners that they are on top of the situation. 1.5 terabytes is an extraordinary amount of information. If it were easy to know what had been taken, HBO would have discovered the breach before the hackers announced it. To be fair, HBO may have, though it made no announcement to the public or its employees. We can’t know, just as it is difficult to know everywhere a hacker has been in your system, especially if they merely took a tour and did not take specific data.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.