Hackers who claim to have stolen 1.5TB of data from US television network HBO have released episodes from the upcoming season of Curb Your Enthusiasm to pressure HBO to pay ransom.
The unidentified hackers have demanded their “six-month salary” in return for not releasing the bulk of the stolen data, claiming they collect up to $15m a year by holding organisations’ data ransom.
In an attempt to get HBO to pay the ransom, the hackers have released some data, including corporate emails, draft Game of Thrones scripts, unaired episodes of four other TV series, and personal details of actors working for the organisation, including phone numbers and addresses.
But despite reports that HBO offered a $250,000 bug bounty payment, the network has now issued a statement indicating that it does not intend to pay the hackers.
“We are not in communication with the hacker and we’re not going to comment every time a new piece of information is released,” HBO said in a statement to Variety.
“The hacker may continue to drop bits and pieces of stolen information in an attempt to generate media attention. That’s a game we’re not going to participate in.
“Obviously, no company wants their proprietary information stolen and released on the internet. Transparency with our employees, partners and the creative talent that works with us has been our focus throughout this incident and will remain our focus as we move forward. This incident has not deterred us from ensuring HBO continues to do what we do best,” the statement said.
Security commentators say that extortion is emerging as a popular way of making money among cyber criminals, and the past few years have seen a steady increase in the practice.
Cyber extortion includes demanding money in return for stolen data, as in the HBO case, threatening to carry out denial of service (DoS) attacks if a ransom is not paid, or encrypting data using malware known as ransomware and demanding payment for the decryption key.
In the light of this trend, organisations are advised to ensure that they are able to mitigate DoS and ransomware attacks, as well as protect all critical data using encryption.
Organisations are also advised to ensure they have the capability to detect and block previously unseen malware, also known as zero-day attacks.
According to the HBO hackers, they spend $500,000 a year purchasing zero-day exploits to break into networks, such as the EternalBlue exploit that was a key feature of the WannaCry ransomware that affected more than 200,000 computers in 150 countries in May 2017.
Online streaming exposing entertainment companies
Security commentators say that with firms such as HBO and Netflix increasingly streaming content online, cyber attacks on entertainment companies have become a firm trend.
The HBO hackers have claimed it took six months to access the TV network’s IT systems and that HBO is the 17th organisation they have compromised and held to ransom.
But law enforcement organisations generally appear to advise against payment of ransoms because that only serves to entrench the extortion method and help fund criminal operations.
In 2016, hackers calling themselves Dark Overlord breached a Hollywood production company and stole unreleased shows from Netflix, ABC and others, threatening to release the stolen content if their ransom demands were not met.
Despite the production company reportedly paying $50,000 in ransom, some of the stolen content was leaked, including an unreleased season of Orange Is the New Black from Netflix.
HBO’s tough stance may be on the advice of US law enforcement. The network has previously indicated it is working with law enforcement and a cyber security investigation firm.