Business Lessons of the HBO Hack


What Happened

Last week, HBO learned of the threat from beyond the Wall – or at least the firewall. On July 31, the entertainment giant confirmed that it had been the victim of a data breach; the same day, numerous reporters received an email, allegedly from the hackers themselves, who claimed to have stolen 1.5 terabytes (1,500 gigabytes) of data from the network.

“Hi to all mankind,” the email opens, followed by an ominous threat, rife with syntactic errors: “The greatest leak of cyber space era is happening. What’s its name? Oh I forget to tell. Its HBO and Game of Thrones……!!!!!! You are lucky to be the first pioneers to witness and download the leak. Enjoy it & spread the words. Whoever spreads well, we will have an interview with him. HBO is falling.”

The attackers have a surprising amount in common with the myriad of enemies in HBO’s flagship program, Game of Thrones: they’re mysterious, unpredictable, and don’t seem to have a solid grasp on language conventions.

Security experts are still trying to understand the extent of the damage. Thus far, the hackers have leaked information in two separate releases. First, they tweeted out a link to the script of a new episode; then, on Monday, they dumped about a month’s worth of email communications between company executives. If the attackers stole 1.5 TB of raw data as they claim, it would make the cyber attack historic in scope. In the infamous 2014 Sony Pictures breach, by comparison, hackers stole roughly 200 GB of data. That breach resulted in several feature-length films and internal email databases being dumped onto the web.

HBO isn’t the first media organization to be targeted by enterprising cyber criminals. In April, the streaming titan Netflix was subjected to an embarrassing series of hacks, wherein attackers made off with whole episodes of its hit original series Orange is the New Black – right before the new season was set to debut.

Adding to HBO’s woes is the fact that a partner distributor, Star India, accidentally leaked Game of Thrones Episode 4 in advance of the episode’s premiere on Sunday. This was unrelated to last week’s intrusion.

All Data is Valuable

An important lesson in digital security is that all companies are potential targets of hackers and leakers. All modern companies possess data that is valuable to attackers. Intellectual Property (IP) can be as valuable as PII (Personally Identifiable Information) or PHI (Protected Health Information). The HBO case demonstrates that malicious actors are even interested in entertainment programming data as a way to grab headlines, gain notoriety, and induce havoc. Since hackers have unpredictable motives, if you consider your company immune to cyber bad actors, think again. Your attack surface may be larger than you realize.

Richard Plepler, HBO’s CEO, recognized that modern companies have entered a new business era, one in which cyber risk is another enterprise risk that businesses must contend with: “The problem before us is unfortunately all too familiar in the world we now find ourselves a part of…”

Have a Communications Plan

HBO audiences know that “when you play the game of thrones, you win or you die.” The game of breaches has similarly high stakes, and organizations should have a communications strategy in place from the outset to manage the intense fallout from a cyber breach. HBO failed to think through its communications strategy and even responded erroneously to its viewers’ concerns. Last week, before the conclusion of its internal forensic investigation, the company suggested that no internal emails had been stolen. Unfortunately, that claim proved to be inaccurate. While it may be tempting for companies to immediately reassure their stakeholders, organizations experiencing a breach should make sure all investigations are concluded before they share definitive details. Companies and their professional communication teams need to balance transparency with authenticity. Misinformation can be as damaging as no information at all. A formal communications strategy will help dictate what information gets shared and when.

Reputation is Valuable

The financial cost of the HBO hack is still being calculated. Even if the financial impact on HBO is nominal, the hack is still significant because it represents the vulnerability of a cable giant at the hands of a malicious few. The hack jeopardizes HBO’s image, reputation, and customer confidence. HBO customers could think, ‘If HBO can’t secure its most valuable assets [its crown jewels], then could my financial data be at risk? What other data was lost in the leak?’ Public scrutiny and embarrassment can be as damaging as the loss of PII or PHI because it undermines companies’ hard-earned customer loyalty and trust.

Winter is Coming. Are You Ready?

If this happened to your organization, would you be prepared? To learn more about the unique risks your industry faces, contact us to schedule a Cyber Resolve training session for your board or executive team.