Adobe Stock/Getty Images
Ten years ago, a group of hackers calling themselves The Guardians of Peace released a trove of internal communications and data from Sony Pictures. Their demand? That Sony cancel upcoming movies. interviewThe film stars Seth Rogen and James Franco as journalists attempting to interview Kim Jong Un.
What happened next International stories The embarrassing communications ultimately led to the resignation of several Sony executives.
Earlier this month, the hacktivist group NullBulge, which said it was choosing its targets to “protect the rights of artists and ensure fair compensation for their work,” leaked a terabyte of data from Walt Disney Co., including internal Slack channel communications, images, logins, and other data.
“Have fun sifting,” the group told website visitors.
To be sure, the Disney hack of 2024 is different from the Sony hack of 2014. The Sony hackers seem to have had a very specific goal (shelving a controversial film), while the Disney hackers seem to have had more fanciful motivations (antipathy toward AI-generated art, for example).
But in many ways, this new hack is symbolic of a worrying, growing trend that has hit many companies in the media and entertainment industry.
In the past few months alone, Roku suffered a data breach affecting hundreds of thousands of user accounts, Ticketmaster owner Live Nation revealed that a group of hackers had obtained data from more than 500 million customers, and in early July, AT&T revealed a massive data breach that included call and text data for “nearly all” wireless users.
The rationale behind all these hacks was much clearer: cash.
“Most of these things are about money, not about making a statement, essentially,” said Collin Walk, an attorney at Hall Estill, a law firm that specializes in cybersecurity issues. “Obviously, in some cases that may be the case, and in some cases it’s for national security reasons, but the vast majority of these cases are about money.”
In the case of Roku, hackers sold account data for 50 cents each, while Ticketmaster hackers demanded a ransom from the company to delete customer data. AT&T paid the hackers $370,000 in Bitcoin to delete the data they had stolen. according to Wiredspoke to the middleman who brokered the deal.
“Generally speaking, it’s safe to say that hackers are after some kind of data,” says security consultant Tyler Hudak. “Most of the time, the attackers will try to monetize the stolen data by demanding some kind of ransom or auctioning it to the highest bidder on the dark net.”
But experts say large media, entertainment and telecommunications companies could be particularly attractive targets for hackers.
For one, well-known companies make for high-profile targets, and as entertainment companies push further into direct-to-consumer distribution, “there’s an increased likelihood that someone has data that’s of concern,” Hudak said.
This may include personal information, credit card numbers, and other information about streaming customers.
“Any large company like Disney, AT&T, or Ticketmaster would definitely be a bigger target,” Hudak adds. “First, attackers would know they have more resources than a small manufacturing company in the Midwest. Saying ‘we hacked Disney’ gives them more credibility than a mom-and-pop store.”
And that data is only going to become more valuable thanks to other new technologies that make it easier for attackers to use it for malicious purposes.
“Everyone needs to be aware that storing this data carries great risks for everyone, because AI allows hackers to access it more quickly and to link it to individuals and embarrassing moments more quickly,” Walk said.
The surge in corporate hacks comes as the cost and skill required to carry out a major hack has plummeted since Sony a decade ago. What was once the preserve of nation-states or large groups can now be carried out with ready-to-use software that can be purchased on the dark web.
For many large companies, that data may be, to some extent, outside of their own control: The Ticketmaster and AT&T breaches were linked to a third-party cloud provider called Snowflake, while the Disney breach appears to have been centered on accounts at Slack, the Salesforce-owned messaging platform. Google-owned security firm Mandiant said it had identified and notified 165 affected Snowflake customers.
While companies have some ability to restrict access, third parties with vulnerabilities could put their customers at risk.
“A lot of companies like AT&T use third-party cloud service providers,” Walke says. “These third parties say, ‘We’re going to keep your data safe.’ Sure, it’s nice to have the paperwork, but what are you doing to verify it?”
Ironically, the risks of relying on third parties were made even more evident on July 19th, when businesses relying on software from cybersecurity firm CrowdStrike experienced outages after a botched “content update.” Airlines, banks, public organizations and even broadcasters such as NBC and Sky News were affected.
The number of reported hacks is likely to increase over time not only as hacking becomes simpler and more lucrative, but also as new Securities and Exchange Commission rules require public companies to disclose “significant” cybersecurity incidents.
“The result is that many businesses who may not have reported before are now doing so because they believe it could be elevated to the level of a major incident,” said Chris Pearson, CEO of consultancy Blackcloak.
But the key lesson is that while the Sony hack 10 years ago was shocking and novel, in 2024, in a world where every company has mountains of data, cyber insurance, and security consultants, the threat of hacking may be the new normal.
“I think these massive breaches show that it doesn’t matter the size of your organization or how much money you can put into your security budget,” Hudak says. “Everyone will eventually be breached, so having a plan for that becomes really important.”
