It happened to Disney. It happened to Netflix. And it’s going to happen again — because Hollywood has a hacking problem.
As studios and networks put their movies and shows into the hands of consumers on more platforms, they face the pressing challenge of how to keep their content out of the hands of hackers, according to Grady Summers, chief technology officer at information security firm FireEye.
Identifying the issues
Hackers, he said, are “waking up” to security weaknesses in some of the companies studios partner with on services like editing and special effects.
Hackers gain access to unreleased movies and shows through weakly secured servers and storage devices, then try to extort a fee from studios and networks with threats to make the stolen content available prior to its scheduled release.
“Hackers have realized you might have a very well-funded security program at a Disney or Comcast, but if you step down the supply chain, you’re going to find a special effects crew or a sound editor who doesn’t have good security,” Summers told CNNMoney. “That’s exactly what they’re aiming for.”
One such company is believed to have been the point of entry for a hack last month that affected Netflix and its latest season of “Orange is the New Black.”
Back in April, an anonymous hacker followed through on a promise to release episodes from the upcoming season of the Netflix prison dramedy after, they claimed, Netflix refused to pay a ransom.
At the time, the streaming giant told CNNMoney it was “aware of the situation” and had contacted law enforcement authorities.
An FBI spokesperson told CNNMoney it “does not encourage ransom payments as it keeps the criminals in business.”
“Ultimately, that decision is up to the victim, however,” said the spokesperson, who noted that in “many cases” a paid ransom does not resolve the issue.
Netflix had no additional comment when reached on Tuesday.
This week, Disney became the latest victim of content extortion.
A source from ABC, a division of Disney, confirms to CNNMoney that Walt Disney CEO Bob Iger said in an ABC meeting this week that hackers claimed to have stolen a film and demanded a ransom. Iger said Disney has not paid any ransom.
The film has not been identified. Disney had no comment.
What’s next
Summers, who spent more than 17 years at GE working on security issues across the company, including NBC, said there are measures studios and networks can take to protect themselves.
He suggested performing security audits or adding safety mandates to contracts to help combat breaches in different stages of production. But those measures can come with a price that’s often not easily absorbed by the small to mid-sized companies that major entertainment studios rely on.
“When you’re a small company that has maybe a half dozen IT people and a part-time security person, you don’t have the types of resources to defend yourself against almost a military-grade attack,” Summers said. “In many cases, the tools these attackers are using are the same ones they’d deploy on the Department of Defense.”
Breaches of any type are costly, between legal fees and the cost of hiring security firms to do “clean up.” Costs can easily reach into the millions, not including potential revenue losses, Summers said.
Sony paid $8 million alone to settle a class-action lawsuit with employees, stemming from the infamous December 2014 incident at the hands of hackers with links to the North Korean government.
Hacking is not exclusive to Hollywood. On Friday and through the weekend, a ransomware worm infected 300,000 machines in 150 countries around the world. Weak links in businesses’ security infrastructure let hackers compromise sensitive computers and hold data for ransom.
Even the federal government has experienced major data breaches. Hackers stole data on more than 21 million people from the Office of Personnel Management in 2015, and earlier this year, attackers accessed data on up to 100,000 people to steal tax information.
The FBI recorded 2,673 victims of ransomware attacks in 2016, with more than $2.8 million in adjusted losses.
In Hollywood, data, too, has value to hackers.
The Hollywood Reporter recently reported that there have been at least a half-dozen attempts to extort entertainment companies in the last six months.
Summers sees this trend continuing.
“I expect to see a lot more of this over the coming year,” he said. “This is a cycle we see in security where attackers will often go after a vulnerable entity and exploit that. Sometimes it lasts a year before the industry really wakes up to the reality of what happens if you don’t put the right controls in place, and it’s unfortunate.”
CNN’s Dylan Byers, Selena Larson and Megan Thomas contributed to this report.