On July 31st, the public learned that HBO was the victim of a cybersecurity breach. The popular premium cable channel had a large amount of data stolen, including scripts from five Game of Thrones episodes, a month's worth of email from the account of Leslie Cohen, HBO's Vice President for Film Programming, and internal documents, including a report of legal claims against the network and job offer letters to top executives. Hackers then made clear that they would begin to leak this information unless their ransom was paid. All they wanted in return was several million dollars.
While we see this type of extortion (i.e. ransomware) often, we don’t normally see a multimillion-dollar ransom. HBO refused to pay the hackers, which resulted in more leaks. Last week, the hackers released an email from HBO which showed that the company offered the hackers $250,000. HBO framed the payment as a thank-you for finding holes in their security, AKA a bug bounty.
While it makes sense for HBO to frame their email this way, they aren’t fooling anyone. HBO tried to pay a portion of the ransom (or at least bluff that they were going to pay) to end (or delay) the conflict before it went public. They failed.
Why HBO Would Attempt to Pay
While paying criminals is typically inadvisable, there are certain circumstances that might warrant it. For instance, if a small business is hit with ransomware, and losing the captive data would cripple the business, it is worth finding out whether the group behind the extortion is known for following through on returning data after payment.
In the case of HBO, a multimillion-dollar company, many believe it wouldn’t make sense to bother paying the hackers. These people believe that whatever money is lost because of the data leaks won’t be nearly enough to damage the company.
However, it’s possible there’s more to the story that we don’t know that would give HBO good reason to consider paying the ransom. We don’t know exactly what data was stolen, we don’t know HBO’s strategy in negotiating with the hackers, and we don’t know the financial impact the posting of the stolen data could have on HBO.
It is very easy to encourage people not to pay the bad guys a ransom for their data. However, HBO could be risking millions of dollars in lost revenue, possible lawsuits over the exposure of executive compensation information, loss of talent who don’t like seeing their hard work pirated, and damaged reputations for executives and the company itself, all compounded by a hit to Time Warner’s stock (TWX). It is a far more layered situation than what is made public daily.
HBO is currently working with law enforcement and cybersecurity firms to investigate the hack.
How to Prevent This from Happening to Your Business
You know the drill: Be proactive – not reactive – with your cybersecurity defense.
Although HBO has more money than the average business – and likely has access to better security technology – it could be missing something that most businesses today lack: a complete buy-in of cybersecurity practices among employees. All it takes is one employee clicking on a phishing email for the ball to begin rolling toward a data breach.
Cybersecurity expert Oren Falkowitz, CEO of Redwood City, Calif.-based Area 1 Security, spoke to USA Today about how this might have helped HBO:
“Paying ransoms to hackers can be dangerous because it shows that being a bad-guy hacker is a good business. Companies would be better off investing in preventing email spear-phishing attempts and other hacking techniques. The reason they got in this scenario is they didn't have the right pre-emption strategy. The next company, whether it's Showtime or Death Row Records or whomever, needs to see that they're going to wake up one day to this reality unless they confront it.”
Cybersecurity is more than fancy technology or great IT people; it’s about cultivating a culture of shared responsibility for security awareness. Until companies find a way to get each employee on board with security, we will continue to see major hacks plague businesses.
Written by Nik Vargas