Ten years ago, a hacker group calling itself The Guardians of Peace released a trove of internal communications and data from Sony Pictures. Its demand? That Sony pull an upcoming film, The Interview, in which Seth Rogen and James Franco played journalists trying to secure an interview with Kim Jong-Un.
What followed became an international story and led to the eventual departure of some Sony executives over the embarrassing contents of their communications.
Earlier this month, the hacktivist group NullBulge, which says it chooses its targets based on “protecting artists’ rights and ensuring fair compensation for their work,” dumped a terabyte’s worth of data from The Walt Disney Co., including communications from internal Slack channels, images, logins and other data.
“Have fun sifting through it,” the group told visitors to its website.
To be sure, the 2024 Disney hack is no 2014 Sony hack. While the Sony hackers appear to have had a very specific goal (getting a controversial film shelved), the Disney hackers seem to have more quixotic motivations (an antipathy toward artificial intelligence-generated art, for example).
But in many ways, the new hack is emblematic of a concerning, growing trend that has hit many companies in the media and entertainment sector.
In just the past few months, Roku suffered a breach impacting hundreds of thousands of user accounts, and Ticketmaster owner Live Nation disclosed that a hacker group obtained data from more than 500 million of its customers. Earlier in July, AT&T disclosed a massive breach that included call and text data attached to “nearly all” of its wireless customers.
The rationale for all of those hacks was much clearer: cash.
“The vast majority of this is all about dollars and cents, it’s not about inherently making a statement,” says Collin Walke, an attorney with the firm Hall Estill who specializes in cybersecurity issues. “Sure, on some occasions it may be, and on some occasions maybe it’s national security, but in the vast majority of these instances, it’s dollars.”
In the case of Roku, hackers sold account data for 50 cents apiece, while the Ticketmaster hackers demanded a ransom from the company to delete its customer data. AT&T paid its hackers $370,000 in Bitcoin to delete the data they stole, according to Wired, which spoke to the intermediary that brokered the deal.
“In general, I would say a hacker is going for some type of data,” according to security consultant Tyler Hudak. “Most of the time, the attacker is going to try to monetize the stealing of that data, either through some type of ransom or by trying to auction it off to the highest bidder on the dark net.”
But large media, entertainment and telecom companies may be particularly enticing targets for hackers, multiple experts say.
For starters, companies that are household names make for higher-profile targets. And as entertainment companies push further into direct-to-consumer streaming, they will also be “more likely to have data that somebody is going to be concerned about,” Hudak says.
That may include personal information about streaming customers, credit card numbers or other information.
“It’s certainly going to put a larger target on somebody’s back if they’re a large organization like Disney or AT&T or Ticketmaster,” Hudak adds. “First off, the attackers are going to know that they’re going to have deeper pockets than some small manufacturing firm in the Midwest. The attacker is going to get more credibility, by saying, ‘Oh, I hacked Disney,’ versus some mom-and-pop shop.”
And the value of that data is only going up, thanks to other new technologies that make it easier for attackers to leverage it for nefarious purposes.
“Everybody needs to realize that storage of this data presents huge risks to everyone, because with AI, hackers are now able to assist in that data much quicker and make connections between individuals or embarrassing moments much quicker as well,” Walke says.
And the prodigious proliferation of corporate hacks is helped along by the fact that the cost and skill of doing a large-scale hack has come down considerably since Sony a decade ago. What was once mostly the realm of nation-state actors or large groups can now be accomplished with turnkey, off-the-shelf software available for purchase on the dark web.
For many large companies, that data may even be somewhat out of their control. The Ticketmaster and AT&T breaches were connected to a third-party cloud provider called Snowflake, while the Disney breach seems to have been focused on its accounts from the Salesforce-owned messaging platform Slack. The Google-owned security firm Mandiant says it identified and notified 165 Snowflake clients who had been impacted.
While companies have some ability to limit access, if a third party has a vulnerability, their clients could be at risk.
“So many of these companies like AT&T are using third-party cloud service providers,” Walke says. “These third parties say, ‘We’ll keep your data safe and secure.’ Well, I’m glad you got a piece of paper, but what are you doing to verify it?”
The risks of relying on third parties became even more ironically apparent July 19, when companies that rely on software from the cybersecurity firm CrowdStrike saw their systems melt down after a botched “content update.” Airlines, banks, public agencies, and even broadcasters like NBC and Sky News were impacted.
The number of reported hacks will likely grow over time, not only because it is becoming simpler and more lucrative, but also because new rules from the Securities and Exchange Commission require public companies to disclose “material” cybersecurity incidents.
“As a result, there are a lot of companies that might not have been reporting previously, and now they are reporting because it is something that could rise the level of a material incident,” says Chris Pierson, the CEO of consultancy BlackCloak.
But the big takeaway is that, while the Sony hack a decade ago was shocking and novel, in 2024, in a world where companies all have troves of data, cyber insurance and security consultants, the threat of hacks may just be the new normal.
“I think all these big breaches have shown us that it doesn’t matter how big an organization is, how much money that they can put into their security budget,” Hudak says. “Eventually everybody gets compromised. Planning for that is going to go a long way.”