A cyber attack at Sony Pictures in 2014 resulted in the release of sensitive internal documents, the eventual ouster of the top executive and multimillion-dollar settlements with employees. Hackers struck again in 2016, this time targeting a post-production vendor of Netflix with a threat to leak unreleased shows if their ransom demand wasn’t met. The latest attack is against HBO, and hackers have upped the ante with a demand for millions of dollars to stop the leak of internal emails, passwords, salary information, stars’ phone numbers and scripts for Game of Thrones.
Experts say the increasing threat of these sophisticated cyber crimes should force Hollywood to take serious stock of its internal security measures. Andrea Matwyshyn, a law professor at Northeastern University and faculty affiliate at the Stanford Center for Internet and Society, and Brett Danaher, a professor at Chapman University’s Argyros School of Business and Economics, joined the Knowledge at Wharton show on SiriusXM channel 111 to discuss this form of internet piracy and its impact on the entertainment industry.
The following are key points from their conversation:
Cyber security is paramount.
When it comes to fighting cyber crimes in Hollywood, it’s a case of pay now or pay later. Matwyshyn said the entertainment industry is a prime target for hackers because the stakes are high, and those who work in the industry may not be paying close attention to internet security practices. It’s relatively easy to send a “phishing” email to a studio executive, advising them to click on a link. And just like that, hackers are in.
“We certainly do seem to have a series of these kinds of breaches of entertainment companies, and it does raise the question for me with respect to their internal security processes and whether they’ve engaged with robust audits by third parties to help them find the gaps in their own security,” Matwyshyn said.
According to Matwyshyn, the fact that passwords were leaked in the HBO hack signals a deeper problem the companies have in managing sensitive, intangible assets. That’s why cyber security should be a top priority.
“It should be a giant, red flashing warning light to any similarly situated company that they need to stop everything and make sure that their systems are reflecting the state of the art of security,” Matwyshyn noted. “This is yet another clear warning of the importance of taking proactive steps to ensure you’re not an easy target of attackers of this kind to victimize you in avoidable ways.”
The business impact goes beyond leaked episodes.
Danaher recalled the Netflix hack that revealed unreleased episodes of the hit series Orange Is the New Black. The leak didn’t seriously damage the company because its business model is based on bundling. HBO works similarly, he said, so a leak of one or two episodes is unlikely to affect subscriptions. But that’s probably not what HBO is worried about.
“My guess is they would be much more concerned with the contents of these emails and any sensitive information being released,” Danaher said. “I think if we were talking about leaking an entire season of Game of Thrones in advance, you could be looking at a much more serious problem for HBO.”
The damage from piracy depends on what is leaked, how much is leaked and even the quality of the leak. According to Danaher, academic research shows the earlier a high-quality leak comes out, the more of a negative effect it has on revenues because of rampant piracy around the world.
“Then we talk about a situation where there’s a very clear cannibalization effect,” he said. “I think we are talking somewhere in the middle when there is a bundle, so there is some insulation from lost revenues. At the same time, you’re talking about the most prized product in the bundle.”
The effect that piracy has on public relations is also a concern for the companies.
“In a case like this, we don’t necessarily have episodes being available, but there’s a climate here where people are worried about the negative PR,” Danaher said. “What does this do to the perception of our brand?”
Matwyshyn pointed out that HBO is owned by a publicly traded parent company, so the release of sensitive information could be damaging to the bottom line. “This could ultimately have an influence on share price and the subsequent deals that would contain these HBO assets as a key component of them,” she said.
There is also an implication for third parties that contract with the studios. If there are agreements for licensing, marketing or exclusivity that are breached by a hack, lawsuits and lost revenues are sure to follow.
“Wall Street is starting to ramp up its engagement with security as a factor in valuing companies and their future prospects,” Matwyshyn said. “If an entertainment company whose model is driven by exclusive provision of content, and the advertising revenues that that model generates are potentially threatened, the big-picture concern would be that share prices would be negatively impacted in the long term because of those security concerns.”
Cyber attacks will continue as long as they are effective.
As long as hackers stay a step ahead of information technology departments and government regulators, internet piracy will rage on. In the Netflix attack, the company said it did not give in to the hackers’ demands. But Danaher said there are probably a number of untold stories of companies that have paid ransoms.
“If this happened to a major blockbuster and you told me how many days early that movie was going to leak, I could estimate for you about how much it was going to lose in the box office or in DVD sales as a result, and those numbers could easily be in the millions or in some cases tens of millions,” he said. “So, it wouldn’t surprise me to know that the demand has been met before if the actual content rather than just scripts have leaked.”
Both Danaher and Matwyshyn said it is imperative for the industry to work together to shore up security in advance of a threat. A cultural shift is needed to move the industry from a traditional reliance on subsequent litigation to proactive trouble-shooting.
“As one of my engineer friends is very fond of saying, ‘A breach strategy does not involve engineers running down the hall screaming.’ It involves having a process that is rigorously applied before you have any kind of security problem,” Matwyshyn said. “And make sure your systems are patched with a vigorous and expeditious process by a security team that has adequate resources, with oversight from the C-suite all the way down so that the whole structure of your company reflects a good culture of security and keeping control of your intangible assets — particularly when they are the crown jewels of your company.”