HBO Hack Takeaway: The Pluses and Minuses of Playing Hardball With Ransomware Attackers

Posted on August 22, 2017 by Tony Kontzer

It's hard to stonewall hackers who are threatening to share sensitive data they've stolen about customers and employees on the dark web if they don't receive a ransom. The prospect of calling the bluff and risking the violation of customers' and employees' privacy understandably causes many companies to cave.

But when the stolen data being released is unseen television shows — still an admittedly valuable piece of intellectual property — a company's resolve apparently strengthens.

Look no further than HBO, the victim of a well-documented hack a few weeks ago in which Game of Thrones scripts, financial documents and even entire episodes of other shows were swiped. After reportedly offering a $250,000 "bug bounty" to the hackers as more of an IT security consulting fee rather than a ransom, the network subsequently chose to take a hard line with the culprits, refusing to pay the nearly $6 million that's been demanded. And as it's dug in its heels, it's paid a steeper price, as the hackers continued to release more data earlier this week, including unseen episodes of the coming season of Curb Your Enthusiasm.

And that, in turn, only caused HBO to ratchet up its resolve a bit, essentially channeling Dirty Harry. It hasn't literally said, "Go ahead, punk, make my day," but it might as well have.

"The hacker may continue to drop bits and pieces of stolen information in an attempt to generate media attention," the network said in a defiant statement released after the Curb leak. "That’s a game we’re not going to participate in.”

The case represents a potentially important precedent for how future hacks of non-personal intellectual property might play out. Unlike hacks (and subsequent leaks) of personally identifiable information, which force companies to consider the impact on those whose personal data is in play, the theft of IP that doesn't expose personal information gives the victimized company more choices in how to respond.

In HBO's case, the network decided (after apparently having its initial low-ball security consulting offer rejected) that the risk of having full episodes of shows leaked was one it was willing to assume, presumably because it feels its fan base is devoted enough to watch the eventual broadcasts regardless. And when a company has an opportunity — and the mettle — to draw a line in the sand, that's precisely what it should do, provided it accepts the possible consequences.

Along those lines, HBO may have unwittingly drawn a more prominent target on its back in its standoff with the hackers, as the notorious group OurMine appeared to have taken over HBO's Twitter account for some period of time on August 16. The OurMine hack didn't reach beyond the posting of a few ominous messages scolding the network for its lax security protocols, but it sent a clear message that HBO has some serious security holes to address.

HBO hasn't commented on the OurMine hack, and it may choose not to. But make no mistake: the network's executives are surely huddling to discuss how to respond to their apparent security crisis. And they are no doubt looking at how to better circle the wagons around whatever PII they possess.

Therein likes the wildcard in hacking scenarios that are focused on IP. Yes, after its initial offer, HBO chose to fight the good fight by refusing to cave in to ransom demands when no one's actual well-being was at stake. But the risk in doing so is that the company's PII might be next on the hit list. Hell hath no fury like a hacker scorned.

HBO need only look elsewhere in its industry to how theft of its PII might play out. The infamous 2014 Sony hack, which resulted in the leak of thousands of employees' personal data, ended up costing the company millions to settle a class-action lawsuit filed by its employees. And in the process, it sullied Sony's reputation and forced the company to engage in a lot of damage control, as well as take a hard look at its security measures.

To date, HBO isn't facing the kind of PR nightmare that Sony was forced to confront. Here's hoping that the company embraces the lessons of its recent hack to ensure that it never has to.

Contributors

Tony Kontzer

, RSAC

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.