×
You will be redirected back to your article in seconds

Sony Hack, One Year Later: Is Hollywood Prepared for the Next Attack?

A botched movie premiere. The leak of more than 170,000 emails and 30,000 internal documents. The resignation of a senior executive. Pirated recordings of at least three major motion pictures. The disclosure of 47,000 social security numbers, resulting in a multimillion dollar settlement. The Sony Pictures hack a year ago this month was Hollywood’s worst cybersecurity breach on record.

But did it change how the industry is approaching security? Are the studios doing enough to prevent the next hack attack? Or is it just a question of time before we will see another incident of this magnitude?

One fact is indisputable: The Sony hack has gotten everyone in the industry thinking about security. “It was a wakeup call,” says Bryan Ellenburg, who works as a security consultant for the Content Delivery & Security Assn., a trade association that performs security audits for major studios and their vendors. Ellenburg still remembers his phone ringing nonstop for weeks after the hack. “A lot of people were really freaking out at every level,” he says.

The fact that other industries had major breaches of their own contributed to the sense of panic. Hackers were able to obtain 56 million credit card numbers from Home Depot just two months prior to the Sony breach, and close to 80 million people had their data accessed when health insurance giant Anthem was the target of a hack earlier this year.

Gary Neill for Variety

Major incidents like these have led to a shift in attitudes toward security in the entertainment industry, argues Mark Lobel, principal at PwC. “It has gotten senior executives’ attention,” he says, adding: “We have seen the landscape changing.”

Wynn Rees, VP of content security at 20th Century Fox, agrees that after Sony, it has become a lot easier to explain the importance of security issues to upper management. “The Sony hack has helped us to remain vigilant,” he adds. (A Sony spokesperson declined to comment when contacted for this story.)

Rees allows that Fox has had its own set of scares. In one incident, employees became victims of a phishing attack — an email meant to look like a legitimate request from a colleague or an industry connection, only to lead to a rogue website that siphons off personal data, gathers information about a company network, or aims to trick users into downloading malicious code.

The email in question is now part of the studio’s regular security training for employees, which is meant to prevent future attacks. “You have to make people paranoid,” Rees says. “Phishing is very dangerous.”

Schooling employees about security should still be Hollywood’s No. 1 priority, Lobel says. In today’s world, that has to include not just email, but also social media. People post photos of their favorite food on Instagram, tell their Twitter followers of their current location, and let the world on Facebook know about their friends and family, he adds. That’s especially true for Hollywood, where everyone networks and draws attention to themselves.

“You almost can’t trust anybody in this day and age. It’s a real problem.”
Wynn Rees

But living a life in the public eye can also provide ammunition for “social engineering,” which is what security experts call the act of tricking people into revealing information that can subsequently be used to access secure networks. “We have seen nation-states do this again and again,” Lobel says.

At the same time, studios have to find a balance between their security and the needs of their employees, Ellenburg notes. Giving every employee a new mobile device that’s securely managed isn’t cheap. “You have to have a degree of trust,” he says. Adds Rees: “We are in the 21st century. People have their own devices, and they are going to work on these devices.”

Cloud services, too, exist in a space that Hollywood long has been wary of. Using the cloud could theoretically improve security by forcing standardization, Lobel says. But it also comes with strings attached: “The reality is that you’ve got a lot more things to monitor,”  he adds.

Moreover, studios don’t like that they can’t test the security of cloud vendors in the same way they can their own servers, and they’re wary of a lack of transparency. But in the end, Hollywood is just like any other industry, and at least a partial move to the cloud is inevitable, if only for the fact that production is increasingly global. Says Rees: “It’s about finding a manageable compromise between security and business imperative.”

The global nature of the movie business comes with another set of challenges: Facilities and vendors are increasingly spread around the world. “You do a film in New Orleans, you have a visual effects company in Prague, you do audio in Vancouver,” Ellenburg explains. Not only does this mean that video files and other material are being sent around the globe all the time, it also adds many facilities and local networks to the mix — and these targets outside the studio lots are often the weakest links. “Vendors have been exploited,” Rees says. “You almost can’t trust anybody in this day and age. It’s a real problem.”

Ellenburg’s trade group routinely audits these kinds of facilities all over the world. During those audits, he’s seen some things that raise eyebrows, like editing workstations that were constantly connected to the open Internet, so that film editors could check emails during their break. But he has also seen vendors go the other direction, and make security part of their facilities from the ground up.

His biggest concern is that many production companies leave security up to junior employees with little training, when they should really have a dedicated security adviser on set. But that would come at a price. “The struggle is: who pays for it?” Ellenburg posits. Studios want production companies and other vendors to improve security, but don’t want to foot the bill for it, he notes.

Wendy Frank, who joined PwC last month as a partner specializing in cybersecurity and privacy, and previously served as the chief security officer of the MPAA, allows that businesses see security as an additional expense, but maintains its overriding importance. “It needs to happen regardless,” she says.

That’s because the other side isn’t waiting around to strike. In the past, hackers focused their most malicious attacks on the financial industry and government institutions. “Now, there are a lot of targeted attacks in this industry,” Frank says. Rees notes that Fox’s security team registers and thwarts a number of attempted intrusions daily.

Ellenburg contends it’s important to not just build up firewalls around a system, but also to invest in tracking what’s happening inside a company, to know who has accessed which files from where. “Every action should be logged to be reviewed,” he says. Because in the end, the question isn’t really whether another major hack will occur, but when.

That may be the main lesson from Sony: There’s no such thing as perfect security. “People make mistakes,” Ellenburg says. “It can happen to anyone.”

More Biz

  • Tan FranceUnforgettable Gala, Inside, Los Angeles,

    'Queer Eye' Star Tan France to Host Audiobook Audie Awards

    “Queer Eye” resident style expert Tan France is taking on a slightly different project next month as he hosts the Audie Awards, which honors the best releases and achievements in audiobooks over the past 12 months. The ceremony, which takes place on March 4 in New York, is an annual event organized by the Audio [...]

  • Obit Obituary Placeholder

    Shelly Saltman, Former Fox Sports President and Promoter, Dies at 87

    Sheldon “Shelly” Saltman, the sports promoter behind the Billie Jean King vs. Bobby Riggs tennis match and Evel Knievel’s Snake River Canyon jump, died Saturday in Los Angeles. He was 87. The original president of Fox Sports, Saltman started his career as a sports announcer before moving to promotions at media companies like the Gillette Cavalcade [...]

  • Arista Records, Mogul Vision Launch Joint

    Arista Records, Mogul Vision Launch Joint Venture

    Arista Records and Smokepurpp/ Lil Mosey manager Josh Marshall today announced the launch of Mogul Vision Music, a new joint venture label focused on “breaking extraordinary talent and building artist careers through innovative A&R, branding and marketing strategy,” according to the announcement. Based in New York with Marshall (pictured above left, with Massey) as its CEO, the [...]

  • Jussie Smollett

    Jussie Smollett Faces Prison, Career Ruin if He Lied About Attack

    Jussie Smollett is facing prison time and the implosion of his career if it turns out he lied about being the target of a hate crime, legal and public relations experts say. “The best thing that Jussie can do is pray and pray a lot,” said Ronn Torossian, founder of 5W Public Relations. “If he [...]

  • Gerrit Meier Variety Strictly Business Podcast

    Listen: Red Bull Practically Invented Branded Entertainment. What's Next?

    With memorable moves like sponsoring Felix Baumgartner’s jump from outer space in 2012 to achieve the world’s farthest ever-parachute drop, Red Bull has been a pioneering force in branded entertainment. While known best for its line of energy drinks, the beverage maker has eschewed traditional marketing for content that blurred the boundaries between advertising and [...]

  • Martin Bandier to Be Honored at

    Martin Bandier to Be Honored at Songwriters Hall of Fame Ceremony

    Martin Bandier, outgoing chairman and CEO of Sony/ATV Music Publishing, will be awarded the Visionary Leadership Award at the 50 th Annual Songwriters Hall of Fame Induction and Awards Dinner. The ceremony will take place on Thursday, June 13 at the Marriott Marquis Hotel in New York City. According to the announcement, the Visionary Leadership Award “acknowledges a member of the Songwriters Hall of Fame Board [...]

  • Hong Kong Disneyland Remains in the

    Hong Kong Disneyland Remains in the Red but Reduces Losses

    The Hong Kong Disneyland Resort theme park remained in the red for the fourth straight year, but there are signs of improvement. For the financial year to end-September 2018, HKDL reported $769 million (HK$6 billion) of revenue from 6.7 million visitors, an increase of 8%. Net losses fell from $32 million (HK$291 million) to $6.92 [...]

More From Our Brands

Access exclusive content