Ten years ago, a group of hackers calling themselves “The Guardians of Peace” released a trove of internal communications and data from Sony Pictures. Their demand? That Sony pull an upcoming film, The Interview, in which Seth Rogen and James Franco played journalists trying to get an interview with Kim Jong-Un.
What followed became an international story and led to the departure of some Sony executives due to the embarrassing content of their communications.
Earlier this month, hacktivist group NullBulge, which says it chooses its targets based on “protecting artists’ rights and ensuring fair compensation for their work,” leaked a terabyte of data from The Walt Disney Co., including communications from internal Slack channels, images, credentials and other data.
“Have fun browsing through it,” the group told visitors to its website.
Of course, the Disney hack in 2024 is not the Sony hack in 2014. While Sony’s hackers seem to have had a very specific goal (to shelve a controversial film), Disney’s hackers seem to have more fanciful motivations (an antipathy toward art generated by artificial intelligence, for example).
But in many ways, this new hack is emblematic of a worrying and growing trend that has affected many companies in the media and entertainment sector.
In recent months, Roku suffered a security breach that affected hundreds of thousands of user accounts, and Ticketmaster owner Live Nation revealed that a hacking group had obtained the data of more than 500 million of its customers. In early July, AT&T disclosed a massive security breach that included call and text message data linked to “nearly all” of its wireless customers.
The reason for all these hacks was much clearer: money.
“In the vast majority of cases, it’s about money and money, it’s not about making a statement,” said Collin Walke, a lawyer with the law firm Hall Estill, who specializes in cybersecurity issues. “Sure, in some cases it might be, and in others it might be about national security, but in the vast majority of cases it’s about money.”
In Roku’s case, hackers sold account data for 50 cents each, while Ticketmaster hackers demanded a ransom from the company to delete its customer data. AT&T paid its hackers $370,000 in Bitcoin to delete the data they stole, according to Cable, who spoke with the intermediary who negotiated the agreement.
“Typically, I would say that an attacker is looking to get some type of data,” says security consultant Tyler Hudak. “Most of the time, the attacker will try to monetize the theft of that data, either by demanding a ransom or by trying to auction it off to the highest bidder on the dark web.”
But large media, entertainment and telecommunications companies can be particularly attractive targets for hackers, many experts say.
For starters, high-profile companies are increasingly visible targets. And as entertainment companies move into direct-to-consumer streaming, they’ll also be “more likely to have data that someone might be concerned about,” Hudak says.
This may include personal information about streaming customers, credit card numbers or other information.
“It’s certainly going to put a bigger target on someone if it’s a big company like Disney or AT&T or Ticketmaster,” Hudak adds. “First of all, the attackers are going to know that they have deeper pockets than a small industrial company in the Midwest. The attacker is going to gain credibility by saying, ‘Oh, I hacked Disney,’ rather than a small mom-and-pop business.”
And the value of that data is only increasing, thanks to other new technologies that make it easier for attackers to exploit it for malicious purposes.
“Everyone needs to understand that storing this data poses huge risks to everyone because with AI, hackers are now able to access this data much faster and make connections between individuals or embarrassing moments much faster as well,” Walke says.
The prodigious proliferation of corporate hacks is facilitated by the fact that the cost and skills required to carry out a large-scale hack have fallen dramatically since the Sony incident a decade ago. What was once the preserve of state actors or large corporations can now be accomplished with off-the-shelf software available for purchase on the dark web.
For many large companies, this data may even be out of their control. The Ticketmaster and AT&T security breaches were linked to a third-party cloud provider called Snowflake, while the Disney breach appears to have centered on its accounts on Salesforce’s Slack messaging platform. Google-owned security firm Mandiant says it has identified and notified 165 Snowflake customers who were affected.
While companies have some ability to limit access, if a third party presents a vulnerability, their customers could be at risk.
“A lot of companies like AT&T use third-party cloud service providers,” Walke says. “These third parties say, ‘We’ll keep your data secure.’ I’m glad you have a piece of paper, but what do you do to verify it?”
The risks of relying on third parties became even more evident on July 19, when companies that rely on software from cybersecurity firm CrowdStrike saw their systems collapse after a botched “content update.” Airlines, banks, government agencies and even broadcasters like NBC and Sky News were affected.
The number of reported hacks will likely increase over time, not only because such operations become easier and more lucrative, but also because new Securities and Exchange Commission rules require public companies to disclose “material” cybersecurity incidents.
“As a result, many companies that might not have previously disclosed information are now doing so because it can elevate the level of a significant incident,” said Chris Pierson, CEO of consultancy BlackCloak.
But the main lesson is that while the Sony hack a decade ago was shocking and unprecedented, in 2024, in a world where companies all have data resources, cyber insurance and security consultants, the threat of hacking may well become the new normal.
“I think all of these large breaches have shown us that it doesn’t matter how big an organization is, it doesn’t matter how much they can invest in their security budget,” Hudak says. “Everyone is going to be compromised eventually. It’s important to be prepared for those kinds of situations.”