Like most large corporations, major Hollywood studios are fond of outsourcing.
From coming attraction trailers that are designed to draw audiences into cinemas to eye-popping 3-D visual effects that burst off the screen, studios routinely farm out large chunks of work to vendors around the globe who compete to provide lowest-cost solutions.
And therein lies a big cybersecurity problem, according to experts. Hackers increasingly are targeting these vendors to pilfer movies and TV series prior to their releases. The cyberthieves are betting — correctly in some cases — that lax network security at these vendors will allow easy access to content that they can hold hostage for a ransom.
That was the case with two recent cyberattacks aimed at Walt Disney Co. and Netflix. The streaming company said that the hack of the TV series “Orange Is the New Black” occurred at a production vendor that works with other TV studios. While details of the Disney attack are murky, Chief Executive Bob Iger told employees last week that hackers claimed to have stolen a movie and are threatening to release it in segments until their demands for ransom were met.
The hack involved the new “Pirates of the Caribbean” sequel set for release Friday and occurred at a post-production facility located outside the studio, according to people familiar with the matter who were not authorized to speak about it.
The separate incidents, which are being investigated by federal authorities, have raised fresh jitters in an industry that hasn’t forgotten the 2014 Sony Pictures Entertainment hack that nearly brought the studio to its knees. That attack, which U.S. officials blamed on North Korea, came as Sony was about to release the comedy “The Interview,” about an attempt to assassinate North Korean leader Kim Jong Un.
Hollywood has long been a victim of illegal hacking and piracy. Digital copies of major blockbusters are frequently uploaded via BitTorrent after they’re released in cinemas, and again after they’re released on home video. Last week, the most downloaded movie through BitTorrent was 20th Century Fox’s superhero movie “Logan,” according to a weekly list published by the website TorrentFreak.
But it’s unusual for high-quality versions of full movies to leak before the theatrical release date. Hollywood is that latest industry to be hit by ransomware — a piece of software that blocks access to data until a ransom is paid, usually in a digital currency like BitCoin.
Hackers are “seizing the content and instead of just uploading it, they’re contacting the studios and asking for a ransom. That is a pretty recent phenomenon,” said Dean Marks, who heads the Motion Picture Assn. of America’s content protection division.
The attempts to extort Disney and Netflix come at a time of heightened global awareness of ransomware after the WannaCry attack, which took down systems worldwide. Some researchers have linked the code used in WannaCry with the Sony hack, suggesting a North Korean connection.
Holding information for ransom was the fifth-most common tactic used by hackers to inflict damage on computer systems last year, rising from No. 22 in 2013, according to the Verizon Data Breach Investigations Report, which offers many industry benchmarks. More common attacks include trying to crash a website by overloading it with requests and hacks of online applications with so-called unpatched flaws, which are security holes that haven’t been fixed.
Most attackers targeting technology, media and entertainment companies are financially motivated, the report said.
The Netflix attack was claimed by a hacker known as as the Dark Overlord, which offered its signature "business proposal," as it calls it, to several healthcare and financial firms after claiming access to their confidential files. Episodes from the new season of “Orange Is the New Black” were uploaded after the company refused to pay the ransom. It remains unclear whether Disney has paid the ransom to the hackers who claimed to seize its upcoming summer blockbuster “Pirates of the Caribbean: Dead Men Tell No Tales.” So far, it does not appear that the film has been distributed online.
Experts in cybersecurity say that studios need to better manage the network security of third-party companies, many of which are small firms that don’t have the resources to defend against sophisticated attacks. Those companies often have temporary employees working on individual projects.
The studios “need to have visibility into the info ecosystems of their partners. They need to look at what their partners' networks are like,” said Alexander Heid, chief research officer at Security Scorecard, a New York-based network security firm that rates and monitors third-party vendors.
He said hackers often use phishing techniques to infiltrate systems but are increasingly taking advantage of password re-use — when people use the same password across multiple accounts.
Disney and Netflix declined to comment. Executives at rival studios expressed dismay and anger at the recent hacks.
“It’s scary,” said one studio executive who spoke on condition of anonymity. “It could happen to any one of us.”
Pirates can exact a heavy financial toll. Copyright theft costs the industry hundreds of millions annually in lost revenue. For major blockbusters, an early release can cut more than $15 million from the opening weekend box office, according to industry estimates.
Executives recoiled at the suggestion by some that studios should pay off hackers who hold movies for ransom, saying that will just encourage more criminals to copy the tactic and use bluffing strategies.
There’s little the major studios can do to change that situation in the near term by bringing more of the business in-house, since they are under pressure to keep costs down. Some executives think studios need to find ways to make sure fewer hands touch the material before it gets released in theaters.
More tricky can be preventing the theft of private emails. The Sony hack revealed embarrassing communications between top Sony brass and A-list Hollywood talent. Agencies including United Talent Agency have also been targeted by hackers.
“When that privacy gets violated, it can transform careers and reputations,” said Jordan Arnold, head of private client services at K2 Intelligence, a New York-based cyber defense services firm that caters to wealthy individuals, including Hollywood stars. “It's a dual threat -- to the bottom line and reputation.”
There is little consensus as to what the Hollywood studios can do to prevent hacks targeting third-party vendors.
The MPAA said it conducts security audits of facilities and vendors around the world and reports the results to its studio members. The trade group also publishes industry best practices for cybersecurity. “And that I think is really the best that we can do as a trade association -- is try and get people to up their game,” said Marks, the MPAA’s head of content protection.
But there’s also a “human fallibility element to this. You can put in all the best practices … but if someone gets you to give up your username and password, they're in,” he said.
Experts say studios can partner with cybersecurity firms that specialize in third-party network monitoring.
“There are demands organizations can make on third parties in a contract,” said Dimitri Sirota, CEO of BigID, a U.S.-Israeli cybersecurity firm. These include requirements that all systems receive the latest software patches. Studios can also purchase insurance against damages sustained in a cyberattack.
But, he added, “the best solution for any of this is to try and avoid high-value data moving between too many PCs.”
Times staff writer Richard Winton contributed to this report.