Game of Pwns: Breach Notices Suggest Few Victims in HBO Hack
Statements mailed to state attorneys general suggest the breach - which saw episodes of Game of Thrones released early - affected a small number of people, not HBO’s millions of subscribers.
We’ve known since July that TV entertainment giant HBO was hacked. But four months later, we still know little about the circumstances of the attack, what kind of data was stolen in the hack or how many individuals were affected by it.
But that is slowly starting to change as HBO has begun notifying state attorneys general about the incident in states whose citizens were affected by it. And, from what HBO has disclosed, it seems as if the incident affected the company’s corporate network and a relatively small number of individuals - likely HBO employees.
In recent days, HBO has disclosed some details of the July 26, 2017 incident in letters to a handful of states. Those letters were sent to comply with state-level data breach notification laws, which require notice when residents of the state have had personally identifiable information exposed by a private entity. They give us our best look yet at what happened.
For example, a letter (PDF) sent to New Hampshire Attorney General Gordon MacDonald dated October 30 said that just 10 residents of that state were affected. Those individuals' Social Security numbers were the only regulated data exposed in the hack, HBO said. In Wisconsin, the number of affected residents was three, according to this report.
For a company with 130 million subscribers worldwide, 10 people in New Hampshire and three in Wisconsin suggest that the hack - whatever damage it did cause - did not extend to HBO’s subscriber data.
Indeed, the description of the hack suggests that it targeted HBO's corporate network rather than any public-facing applications or assets. In the letter to the New Hampshire AG, HBO said an investigation by the security firm Mandiant found that "the attacker had unauthorized access for a limited period of time to certain portions of the Company's corporate information technology network." The personal information exposed during that time belongs, we may presume, to HBO employees or contractors rather than to its tens of millions of customers.
The other outcome of the incident is better known: hackers stole much-anticipated episodes of Game of Thrones, Ballers and Room 104 and demanded ransom payments from the company in exchange for promises not to release the programs early. Ultimately, many of those episodes were leaked anyway.
The hack was part of a spate of attacks on entertainment industry firms and their suppliers over the last year. A Los Angeles-based audio post-production firm, Larson Studios, was hacked last Christmas by a group calling itself The Dark Overlord; the group stole dozens of series belonging to leading Hollywood studios and held them for ransom.
The bigger problem is, of course, the United States' bumbling efforts to regulate the handling of personal data and its inadequate data protection laws. Again: we only know about the impact on individuals because of state-level breach disclosure laws in states like New Hampshire, Wisconsin and so on. But those laws are all over the map, making a complete account of the impact of the HBO breach difficult. In essence: to understand how many US residents were affected, you would have to dig around on the websites of the 48 US states and territories with breach disclosure laws, find or request the disclosure notice and keep a running tally - hardly efficient, especially when not all states make a habit of publishing disclosure notices for the public to review.
And we don’t really understand what the financial impact of the breach was on HBO. The media company is just one division of Time Warner, a massive media conglomerate. Public companies are only required to disclose breaches and their impact when they materially affect the company. But in an organization as huge as Time Warner, even a serious breach might not rise to the level of being a material breach. No surprise then, that Time Warner’s latest quarterly statement makes no mention of the HBO hack.
This isn’t about schadenfreude. When large corporations keep quiet about the details of cyber security incidents and hacks, or leave it for the public to guess, everyone is hurt. The individuals involved are left exposed while the organization that lost control of their information is deciding how much to disclose and when. Other companies that might be targeted by the same actors are also left unaware. It also prevents the good guys from learning from past mistakes or adjusting their estimates of risk based on crimes that are actually taking place.
We’ve long relied on crime data and crime reporting by businesses and private citizens to keep our communities safe. It is long past time we started applying the same rules to the Internet, as well.