The COVID-19 pandemic is hitting the entertainment industry right in the wallet. Theaters are closed, theatrical releases are postponed, and production of most movies are shut down globally for the time being. But Hollywood also has another thing to worry about: theft of intellectual property and private information at the hands of hackers.
This problem has taken the spotlight this month as several A-list celebrities, including Lady Gaga, Elton John, Robert DeNiro, and Madonna, find themselves at the center of a ransomware attack. A variant known as REvil ransomware recently hit their media and entertainment law firm, Grubman, Shire, Meiselas and Sacks, and attackers are now threatening to release up to 756 GB of stolen data in staged releases. The data includes confidential contracts, personal messages, email addresses, phone numbers, and other private, sensitive information belonging to many celebrities.
This is certainly not the first time celebrities have been targeted by hackers seeking financial gain in exchange for keeping private information private. Everything from private emails to nude photos belonging to celebs have been stolen and released to public eyes in the past few years.
And since criminal creativity has no limits, thieves also target IP for maximum extortion potential. For example, in 2017 a hacking group calling itself The Dark Overlord posted 10 unreleased episodes of Orange Is the New Black in 2017. This was done despite a $50,000 Bitcoin ransom payment made to the criminals to keep the series from being leaked. Also in 2017, hackers threatened to release Pirates of the Caribbean: Dead Men Tell No Tales unless a Bitcoin ransom was paid. These are just a few examples.
"The entertainment industry is under constant attack from people trying to steal their IP," says Chris Taylor, director of the Media and Entertainment Information Sharing and Analysis Center (ME-ISAC). "It comes in a variety of forms. The most obvious is piracy, where movies and TV shows are released on the Internet, sometimes even before they've been seen in theaters. Some of these thefts are physical, where an insider shares a copy of a DVD with a friend or someone sneaks a camera into a screening, but much of it occurs digitally, where a data breach leads to content being stolen and then released online."
The Plot Thickens
Today, with many shows and movies being written and worked on outside studio walls due to the pandemic, work-from-home arrangements may only exacerbate the privacy issue: Given a 24/7 mobile device culture, the issue of digital theft of IP has been a problem for several years, long before the coronavirus hit, according to Chris Pierson, CEO and founder of Black Cloak, which provides a concierge set of cybersecurity services to celebrities, high-net-worth individuals, and corporate executives.
"For most high-profile individuals, their IP goes layers beyond what they have," Pierson says. "It also extends out to the lawyers, the producers, the writers, the directors. Many of these individuals are well-to-do and have a vast treasure trove of information on their devices. And they are creative and don't stop. They are always thinking and collaborating on personal accounts and on personal devices. Many times they are doing things in and at the home, which is why the home as an attack point is high."
Pierson points to the Sony hack in 2014, where hackers hit film studio Sony Pictures and released personal information about company employees, including e-mails about then-unreleased films. Information about plans for future Sony films, scripts for unreleased films, and other information also became public.
"That wasn't just a hack of Sony email," Pierson says. "[Hackers] were after IP. They grabbed documents on things that make movie studios millions of dollars. Once they have a script, the cat's out of the bag. The attack surface is no longer just the corporation. They can't just protect what falls within the walls of the company anymore. They need to protect the soft underbelly of that process, and that is the homes of the people, like the directors, the producers, the writers, etc."
Leaking precious plot lines and endings is not a new phenomenon. When Dan Swartwood served as director of information safeguarding for The Walt Disney Co., Lost was the most popular show on TV. The social media fandom at the time was so intense, some dedicated spoilers had moved to the filming location in Hawaii to follow production around the island with the intent of finding out endings early to release that information to the public.
In response, Swartwood and his team also headed to Hawaii and employed a number of strategies to throw off spoilers – including shooting multiple endings and paying actors to wear fake costumes that would never actually appear in the show to get tongues wagging in the wrong direction.
Now, 10 years after the final episode of Lost was shown, Swartwood says protecting IP and show and movie leaks is still a complicated problem – mainly because organizations aren't properly staffed to handle it and are approaching it with the wrong mindset. It is a problem that extends far beyond IT and the CISO.
"Most studios have security for physical security and theft control," Swartwood says. "The IT departments think they should be in charge of IP protection because they control the digital environment. They are not staffed with the right people to translate your output into actionable and understandable process modifications. IT people talk to other IT people. Rarely do they interact with company leaders except at the highest levels."
Pierson says security leaders hoping to educate high-profile targets simply need to apply the same advice all end users receive about avoiding compromise.
"It comes down to basics: making sure you have anti-malware, dual-factor authentication, encrypted passwords. Making sure the Wi-Fi at home is locked down," Pierson says. "Even if high-profile people just do those things alone, they will greatly minimize their risks. It isn't like this population is so special that they have different kinds of people trying to attack them. They do lead different lives, but most of these basics are still applicable to them."