How Hollywood Got Hacked: Best Practices to Secure Creative Content
Articles by: Richey May, Mar 10, 2020
It’s a fact – Hollywood is being targeted by cyber criminals. According to Verizon’s 2019 Data Breach and Investigation Report (DBIR), the entertainment industry had the second greatest number of incidents, following the public sector.
Prior to the infamous 2014 Sony Hack, the number of breaches and hoaxes in the entertainment industry that reached public notice were far and few between. Since the targeted attack on Sony Pictures (allegedly carried out by North Korea), the number of newsworthy hacks on studios, productions, and vendors has exponentially increased.
In late 2016, one of the more infamous hacks shocked Hollywood sending a ripple effect that forever changed the industry. It wasn’t a large studio breached by a nation-state hacking group, but a small, family owned post-production company. Rather than targeting a major studio with mature cybersecurity controls, hackers were able to compromise this smaller target, which was working on pre-released footage from Orange Is the New Black (OITNB). Hacker group “TheDarkOverlord” claimed ownership of the breach and demanded hush money to keep the entire season from being uploaded to torrent sites. Seeing as OITNB boasts an estimated $49 million in production value (per The Montley Fool), it’s obvious why this change in tactics by the hackers might worry studios that rely on smaller vendors to produce content at various stages.
In 2017, hackers claimed to have possession of Pirate Of The Caribbean: Dead Man Tell No Tales demanding a hefty ransom to keep the film from being torrented. There are mixed reports as to whether this hack was a hoax or paid off, but it’s evident that hacking groups are realizing Hollywood is ripe for cyber extortion.
Later in 2017, The CEO of Line 204, a Hollywood based audio company, confirmed they were victim of a cyberattack costing the company over $600,000. Once again, TheDarkOverloard claimed ownership of the 1TB+ of data stolen, which included bank deposit information, customer credit cards, and other personal information tied to celebrities. This attack highlighted that content isn’t the only thing that needs protecting within the studios and their networks of vendors.
With movies like Avatar involving over 100 vendors in production and grossing nearly $2.8 billion worldwide on a budget of over $400 million, it’s no wonder why studios are cracking down on laxed vendor security practices worldwide (The-Numbers.com).
Research shows that there’s a direct correlation between piracy and motion picture studios revenue. In 2014, the International Journal of Industrial Organization analyzed the impact of Megaupload and associated sites being shut down correlated to digital revenues for three major motion picture studios. The results were an astonishing 6.5% to 8.5% increase in digital revenues after these major piracy channels were closed.
In 2018, The Motion Pictures Association (MPA) and Content Delivery & Security Association (CDSA) formalized a joint venture: The Trusted Partner Network (TPN) to provide third-party security assessments to help vendors prevent leaks, breaches and hacks like the ones mentioned above.
The TPN framework is derived from the MPA Content Security Best Practices and member studios, which outlines recommended security benchmarks around management systems (e.g. policies and procedures), physical security (e.g. alarm systems and door locks), and digital security (firewalls and vulnerability scanning). While the TPN and MPA Content Security Best Practices are unique to the entertainment industry, our cybersecurity team has seen and audited against similar frameworks in other cyber-mature industries such as Mortgage Banking for nearly 30 years.
The 90+ page MPA Content Security Best Practices Common Guidelines document can be daunting at first glance, especially for smaller companies with fewer IT and Cybersecurity resources. To reduce your struggle with TPN compliance, Richey May Technology Solutions has outlined some simple best practices to get started on your journey to a more secure creative community.
Best Practice #1 – Find a Trusted Advisor
There are no secrets, the MPA Content Security Best Practices Common Guidelines document is publicly available for all to see. The secrete sauce becomes navigating the ambiguity and execution at speed. For example, MS-4.0 of the MPA Content Security Best Practices Common Guidelines requires an incident response policy, however the level of detail, depth and sections of an incident response policy are not defined. There’s no one-size fits all policy as scope, complexity, and workflow play key roles in the effectiveness of a cybersecurity policy. Further, as policies change it’s best to work with veterans in the industry who understand multiple frameworks the TPN draws from.
Best Practice #2 – Find Out Where You Stand
In other industries, Richey May Technology Solutions provides Cybersecurity Maturity Assessments to provide clients with a clear understanding of their level of compliance compared to regulations, standards, and best practices. In the entertainment industry, a TPN readiness assessment goes a long way before a real assessment report is made available to studios. A TPN readiness assessment allows vendors to see where they stand today compared to the MPA Content Security Best Practices Common Guidelines, allowing them the opportunity to make necessary security upgrades before a certified TPN Assessor makes an official visit. Even if you’re not in the market for an official TPN Assessment, a readiness assessment will help give you the confidence in knowing how you’d standup against a cyberattack tomorrow and help you be prepared for any opportunities to work with cybersecurity aware studios in the future.
Best Practice #3 – Prioritize & Chip Away
Once you have a clear understanding of your cyber maturity and how you compare to industry standards, create a list of tasks based on degree of risk reduction. For example, installing antivirus software on all computers would lower your overall risk more than ensuring your local FBI field office’s phone number was included in your incident response policy. A good TPN readiness assessment should produce a detailed “to do” list for each area where your security controls deviate away from the MPA Content Security Best Practices Common Guidelines. Once a gap list is created and sorted based on impact to overall impact on risk, begin chipping away at tasks, assigning the low hanging fruit to capable personnel – outsourcing to a trusted advisor when needed.
Our team at Richey May Technology Solutions is ready to help you get started on a cybersecurity assessment any time! Our Media and Entertainment focused team can help you build a plan to protect your content and data.
Contact us to get started!