HBO Hack: Insiders Fear Leaked Emails as FBI Joins Investigation
The company is reeling from a sophisticated cyberattack that potentially compromised seven times the amount of data stolen in the Sony hack as the FBI investigates potential culprits.
On July 27, Richard Plepler's worst corporate nightmare unfolded. The HBO CEO learned that his company's network had been breached by an apparently coordinated cyberattack that experts explained could expose a staggering 1.5 terabytes of data. That would be roughly seven times the size of the epic 2014 hack of Sony Pictures.
The attack was sophisticated, insiders tell The Hollywood Reporter, targeting specific content and data housed in different locations, suggesting multiple points of entry. Even more chilling, there was no ransom demand, say sources, leaving the motive in question and raising the specter that video footage, internal documents or even email correspondence could be leaked.
Two days later, HBO sent an alarming email on a Saturday to its 2,500-plus employees, notifying them that the company had been hit, followed by a second email warning staff not to open suspicious emails. On July 30, hackers going by the name of little.finger66 boasted to the media about pulling off "the greatest leak of cyber space era" [sic]. As a teaser, they provided a link to a script for an Aug. 6 episode of Game of Thrones and promised much more. At the same time, unaired episodes of Ballers and Room 104 began surfacing online.
To put in context the 1.5 terabytes — or 1,500 gigabytes — claim, in the Sony case, about 200 gigabytes of data was released online, a damaging deluge that brought the studio to its knees and led to the ouster of then co-chair Amy Pascal. "A traditional business-grade DSL link would take about two weeks at full blast to exfiltrate that much data," says Farsight Security CEO Paul Vixie, noting that a finished Blu-ray is about 30 gigabytes. "If not for video and sound, a corporation the size of HBO might fit [entirely] in a terabyte, including all the email and spreadsheets ever written or stored."
Adds Ajay Arora, CEO of security firm Vera, "The entire Library of Congress is estimated to contain 10 terabytes of print content. As such, it's hard to believe that video and/or audio are not part of what was stolen. It will be interesting — and terrifying to HBO and their parent, Time Warner — to see what comes out."
Sources say HBO is working with the FBI and cybersecurity firm Mandiant, which led the forensic investigation on the Sony hack (ironically, Mandiant also was targeted by hackers around the same time as the HBO breach). The FBI and Mandiant declined comment, and HBO wouldn't elaborate beyond a statement acknowledging the hack.
At press time, it was unclear what exactly the HBO attackers had taken, even to those investigating. In a July 31 email to staff, Plepler characterized the stolen items as "proprietary information, including some of our programming." Insiders say hackers pilfered a combination of media-rich data and text. Though full or partial episodes of Game of Thrones — the crown jewel of the HBO lineup — would be problematic, it's the prospect of stolen text that is far more alarming.
"At 1.5 terabytes, it could be a whole block of TV, or worse, it could be emails, financial documents, employee or customer information," says Erik Rasmussen, a former deputy prosecuting attorney and special agent with the Secret Service who now works at the cybersecurity firm Kroll. "The fact that you have law enforcement and a [cybersecurity] firm involved most likely means this will be a very large incident for HBO."
Hollywood has been under siege from cyber criminals. In the past year, at least six studios and talent agencies have been hit with extortion attempts, including Netflix, UTA and WME-IMG. Netflix balked at ransom demands, and the collective known as TheDarkOverlord released 10 episodes of Orange Is the New Black ahead of its June debut.
Privately, security experts say the HBO hack appears to be far more vicious. One insider calls it "nefarious" because it was targeted to specific content and data (as with Sony) and not simply a trawling sweep (as was the case with the Orange Is the New Black heist).
And the HBO hack comes at a delicate time for Time Warner. In October, AT&T agreed to buy the company for $85 billion. It's no secret that HBO is the star performer of the portfolio, so a sprawling hack could impact the ultimate sale price.
"It's fair to draw parallels to the Yahoo hack in this case," says Hemanshu Nigam, a former federal prosecutor of online crime and onetime chief security officer of News Corp. In that case, at least 500 million customer accounts were compromised, leading Verizon to extract a $350 million discount in its $4.5 billion purchase of the online giant.
HBO is taking a proactive approach. Plepler called for employees to be notified even before news of the hack broke. "It was one of the best examples of how to react to a crisis and communicate to your employees," says Nigam. "I've never seen it happen this fast." (With Sony, it took then-chairman Michael Lynton 12 days to email employees about the status, but that’s because there was no clarity about the nature of the attack until then, and the studio was in largely uncharted waters at the time.)
Still, the scope of the breach has many in Hollywood once again holding their collective breath. Says Rasmussen, "The question now is what do they have, who did this, and what was the motive?"
A version of this story first appeared in the Aug. 2 issue of The Hollywood Reporter magazine.