HBO's Hacked Emails Pose Unique Problem
With the leak of pilfered messages by hackers, the network has fewer tools to fight the spread of data.
On Aug. 7, the HBO data breach took a troubling turn as hackers released the emails of a network executive in what they dubbed a second wave of dumps.
To that point, HBO had kept the leaks contained by deploying an army of bots, automated programs that search the internet to identify and pull down leaked content as fast as it's uploaded. But with the introduction of pilfered emails, the network has fewer options to fight the spread.
“There are a lot of tools now to rapidly respond when something that violates copyright law pops up on the internet thanks to the Digital Millennium Copyright Act,” says Nathaniel Gleicher, former director of cybersecurity policy for the Obama White House and ex-senior counsel for the U.S. Department of Justice’s computer crimes division. “With emails, it’s not exactly clear.”
With the first wave of dumps, HBO was able to play a game of whack-a-mole as unaired episodes of Ballers and Room 104 spread on the internet. But emails do not qualify as copyrighted material. HBO could still file a DMCA takedown with sites hosting stolen emails, but the whack-a-mole effort becomes exponentially more difficult because unlike video, which takes a long time to upload, emails are small and upload quickly, making them easy to spread.
An HBO spokesperson, in a statement to The Hollywood Reporter, wrote: "HBO believed that further leaks might emerge from this cyber incident when we confirmed it last week. As we said, the forensic review is ongoing. While it has been reported that a number of emails have been made public, the review to date has not given us a reason to believe that our email system as a whole has been compromised."
The spokesperson added: "We continue to work around the clock with outside cybersecurity firms and law enforcement to resolve the incident. Meanwhile, our dedicated employees continue to focus on delivering the high quality of entertainment and service for which we are known."
Though the hackers have released emails from only one employee to date covering a 30-day period, they claim to have far more. Whether or not they do is unclear. And that leaves HBO CEO Richard Plepler in a pay-or-pray situation.
"HBO will never know the totality of the breach," says Ross Rustici, senior director of intelligence services at Cybereason. "Without knowing the totality of the breach, HBO executives will have to make a decision about how valuable the claimed information is to them — both from an actual investment perspective and a brand-damage perspective — without having any real confidence in the data that is missing."
A version of this story first appeared in the Aug. 9 issue of The Hollywood Reporter magazine. To receive the magazine, click here to subscribe.