HBO Hack: How Did They Let It Happen?

At HBO, many people are probably ondering if they’ll have jobs at the end of the month, because it is doubtful the HBO board or executive staff is in much of a forgiving mood given the coverage.

When I read that hackers had taken over a terabyte of movies and other files from HBO,putting one of its most valuable properties, Game of Thrones, at risk, I wondered: How do you not notice that suddenly over a terabyte of data connected to highly confidential properties is being siphoned out of a company? Given the commentary from the hackers, I’d bet money that this will eventually be traced to some summer intern (at least that’s where I’d start). After the Sony hack, firms like HBO were all supposed to put in file access controls and monitors like Varonis, put in aggressive network monitoring capability, and make sure that physical storage media isn’t making it in and out of sites (granted, with SSD cards starting to get to terabyte capacity, this last is getting more difficult).

At HBO, many people are probably wondering if they’ll have jobs at the end of the month, because it is doubtful the HBO board or executive staff is in much of a forgiving mood given the coverage.

Recalling the Sony Hack

Recall that the fallout of the Sony hack was the inability to release a movie, a CEO who had to step down, and a lot of relationship-damaging email getting out. This last created huge ongoing problems not only for the studio but for anyone who wrote one of those highly personal and embarrassing emails. In effect, the hack, allegedly done by North Korea, created the opportunity to blackmail many Sony executives and successfully blackmail the company in general. As a result, the true cost to the firm was likely billions more than anything that was reported because those emails probably uncovered internal affairs, illicit use of company property, improper expenses, and pictures folks don’t want to see on the news. Not everything that was taken was probably ever released, but sits out there, either generating cash for those who took it, or keeping the folks who created it from sleeping soundly at night.

Email Lessons

One lesson we should learn is that if you don’t want it in the news, don’t put it in email. I used to do email audits and it still amazes me what people put in email. An impressive amount of it would get people fired, damage important relationships (including leading to divorce), and potentially end careers. We’ve seen some incredible foolishness on Twitter and other social networks that end careers but these things likely don’t hold a candle to what many who laugh at the social media mistakes put in email.

Email is not a secure mode of communications. It does create a document trail, your employer (and auditors) can look at it without telling you, and if you read the fine print from email providers and carriers, they pretty much have unfettered rights to anything you put in it.

So, if you don’t want your kids to see it, if you don’t want your pastor to see it, if you don’t want your spouse to see it, and if you don’t want it in your personnel file, don’t put it in email. Then if someone hacks into your email repository, you don’t have to suddenly start working on your resume or think about changing your Facebook status to suddenly single.

Crisis Management

Every firm should have a crisis management team that is ready to step in if there is a crisis. We have state-level hackers now, suggesting that if you are a major brand or have anything a foreign state wants, you are going to get hacked. Regulated industries like health care are going to get hacked, ransomware will make it into the firm and do damage, and someone will do something stupid and files will be stolen. This is on top of the typical list of idiotic things top executives get caught doing in public and large-scale product or service failures.

The faster an experienced team can step in and take control of the news cycle, the less likely it will spin out of control and do even more damage than the original crisis did.

Wrapping Up: Learn from HBO

This stuff generally happens because someone who owns the security budget thinks a major theft won’t happen. This should be a reminder that it will and given the amount of black hat activity now, you can almost be certain it will happen to your shop. On top of the obvious security protections, particularly including an access control product (I still think the HBO breach was likely an intern), you need tight email policies and reminders, and a crisis management team.

Sony should have taken far more precautions. But for HBO, this breach is even more embarrassing because it was clearly warned. For us, like Game of Thrones, winter isn’t coming, it is already here.

Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm.  With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM.