You will be redirected back to your article in seconds

Sony Hack, One Year Later: Is Hollywood Prepared for the Next Attack?

A botched movie premiere. The leak of more than 170,000 emails and 30,000 internal documents. The resignation of a senior executive. Pirated recordings of at least three major motion pictures. The disclosure of 47,000 social security numbers, resulting in a multimillion dollar settlement. The Sony Pictures hack a year ago this month was Hollywood’s worst cybersecurity breach on record.

But did it change how the industry is approaching security? Are the studios doing enough to prevent the next hack attack? Or is it just a question of time before we will see another incident of this magnitude?

One fact is indisputable: The Sony hack has gotten everyone in the industry thinking about security. “It was a wakeup call,” says Bryan Ellenburg, who works as a security consultant for the Content Delivery & Security Assn., a trade association that performs security audits for major studios and their vendors. Ellenburg still remembers his phone ringing nonstop for weeks after the hack. “A lot of people were really freaking out at every level,” he says.

The fact that other industries had major breaches of their own contributed to the sense of panic. Hackers were able to obtain 56 million credit card numbers from Home Depot just two months prior to the Sony breach, and close to 80 million people had their data accessed when health insurance giant Anthem was the target of a hack earlier this year.

Gary Neill for Variety

Major incidents like these have led to a shift in attitudes toward security in the entertainment industry, argues Mark Lobel, principal at PwC. “It has gotten senior executives’ attention,” he says, adding: “We have seen the landscape changing.”

Wynn Rees, VP of content security at 20th Century Fox, agrees that after Sony, it has become a lot easier to explain the importance of security issues to upper management. “The Sony hack has helped us to remain vigilant,” he adds. (A Sony spokesperson declined to comment when contacted for this story.)

Rees allows that Fox has had its own set of scares. In one incident, employees became victims of a phishing attack — an email meant to look like a legitimate request from a colleague or an industry connection, only to lead to a rogue website that siphons off personal data, gathers information about a company network, or aims to trick users into downloading malicious code.

The email in question is now part of the studio’s regular security training for employees, which is meant to prevent future attacks. “You have to make people paranoid,” Rees says. “Phishing is very dangerous.”

Schooling employees about security should still be Hollywood’s No. 1 priority, Lobel says. In today’s world, that has to include not just email, but also social media. People post photos of their favorite food on Instagram, tell their Twitter followers of their current location, and let the world on Facebook know about their friends and family, he adds. That’s especially true for Hollywood, where everyone networks and draws attention to themselves.

“You almost can’t trust anybody in this day and age. It’s a real problem.”
Wynn Rees

But living a life in the public eye can also provide ammunition for “social engineering,” which is what security experts call the act of tricking people into revealing information that can subsequently be used to access secure networks. “We have seen nation-states do this again and again,” Lobel says.

At the same time, studios have to find a balance between their security and the needs of their employees, Ellenburg notes. Giving every employee a new mobile device that’s securely managed isn’t cheap. “You have to have a degree of trust,” he says. Adds Rees: “We are in the 21st century. People have their own devices, and they are going to work on these devices.”

Cloud services, too, exist in a space that Hollywood long has been wary of. Using the cloud could theoretically improve security by forcing standardization, Lobel says. But it also comes with strings attached: “The reality is that you’ve got a lot more things to monitor,”  he adds.

Moreover, studios don’t like that they can’t test the security of cloud vendors in the same way they can their own servers, and they’re wary of a lack of transparency. But in the end, Hollywood is just like any other industry, and at least a partial move to the cloud is inevitable, if only for the fact that production is increasingly global. Says Rees: “It’s about finding a manageable compromise between security and business imperative.”

The global nature of the movie business comes with another set of challenges: Facilities and vendors are increasingly spread around the world. “You do a film in New Orleans, you have a visual effects company in Prague, you do audio in Vancouver,” Ellenburg explains. Not only does this mean that video files and other material are being sent around the globe all the time, it also adds many facilities and local networks to the mix — and these targets outside the studio lots are often the weakest links. “Vendors have been exploited,” Rees says. “You almost can’t trust anybody in this day and age. It’s a real problem.”

Ellenburg’s trade group routinely audits these kinds of facilities all over the world. During those audits, he’s seen some things that raise eyebrows, like editing workstations that were constantly connected to the open Internet, so that film editors could check emails during their break. But he has also seen vendors go the other direction, and make security part of their facilities from the ground up.

His biggest concern is that many production companies leave security up to junior employees with little training, when they should really have a dedicated security adviser on set. But that would come at a price. “The struggle is: who pays for it?” Ellenburg posits. Studios want production companies and other vendors to improve security, but don’t want to foot the bill for it, he notes.

Wendy Frank, who joined PwC last month as a partner specializing in cybersecurity and privacy, and previously served as the chief security officer of the MPAA, allows that businesses see security as an additional expense, but maintains its overriding importance. “It needs to happen regardless,” she says.

That’s because the other side isn’t waiting around to strike. In the past, hackers focused their most malicious attacks on the financial industry and government institutions. “Now, there are a lot of targeted attacks in this industry,” Frank says. Rees notes that Fox’s security team registers and thwarts a number of attempted intrusions daily.

Ellenburg contends it’s important to not just build up firewalls around a system, but also to invest in tracking what’s happening inside a company, to know who has accessed which files from where. “Every action should be logged to be reviewed,” he says. Because in the end, the question isn’t really whether another major hack will occur, but when.

That may be the main lesson from Sony: There’s no such thing as perfect security. “People make mistakes,” Ellenburg says. “It can happen to anyone.”

More Biz

  • Despacito Luis Fonsi Daddy Yankee

    'Despacito' Tops Vevo's Most-Watched Videos of the Past Decade Chart

    In celebration of its 10-year anniversary, Vevo today announced its Top 10 lists of the decade’s most-watched music videos. Not surprisingly, the Most-Watched Music Video accolade goes to Luis Fonsi’s “Despacito” (featuring Daddy Yankee), with 6.4 billion views since its release in early 2017. The second most-viewed video is Mark Ronson’s “Uptown Funk” (featuring Bruno [...]

  • MoviePass card

    MoviePass Accused of Contract Breach by Oasis Ventures

    Oasis Ventures Entertainment, a Dubai-based investment fund, sued MoviePass on Monday, alleging that the loyalty-card company stole film titles to create its film unit. Oasis has had a joint venture with action movie producers Randall Emmett and George Furla since 2013. In 2018, Emmett Furla Oasis went into business with Helios and Matheson Analytics, the [...]

  • The Laundromat Netflix

    'Panama Papers' Attorneys Sue Netflix to Block Release of 'The Laundromat'

    The lawyers at the heart of the “Panama Papers” scandal have filed a federal suit seeking to block Netflix from releasing “The Laundromat,” the Steven Soderbergh film that stars Meryl Streep. Jurgen Mossack and Ramon Fonseca, the principals of Mossack Fonseca, allege that the film defames them and uses their firm’s logo without authorization. In [...]

  • Reese Witherspoon Kerry Washington Ryan Reynolds

    Market for Package Deals and Original Ideas Heats Up Ahead of Platform Launches

    Practically every studio in town wanted it, but in the end it was Apple that swept in to nab the reinterpretation of “A Christmas Carol” with Will Ferrell and Ryan Reynolds. To buy the highly coveted package, the tech giant was willing to shell out more than $60 million to the stars and the film’s [...]

  • Matt Lauer Times Up

    Time's Up Calls for NBC News to Make 'Structural Change' in Wake of Matt Lauer Rape Allegation

    Time’s Up — the anti-sexual harassment advocacy group launched by Hollywood celebrities — has responded to the ongoing sexual harassment allegations at NBC that continue to unfold this week following the release of Ronan Farrow’s new book. “Catch and Kill” details the investigative journalist’s experience reporting against systems of power, with much of the book [...]

  • Wilder Logo

    Paradigm’s Tom Windish Teams With Future Classic to Launch Wilder Label

    Future Classic and Paradigm agent Tom Windish today announce the formation of a new record label: Wilder, a singles oriented joint-venture set on creating a release pipeline for emerging young artists and bands. Wilder — named after Windish’s newborn son — launches today with the re-release of ”Applesauce” the first single from 19-year old Indiana-based [...]

  • Atlantic UK’s Ben Cook Steps Down

    Atlantic UK President Ben Cook Steps Down Over ‘Offensive’ Run-DMC Costume

    Atlantic UK president Ben Cook announced today that he is stepping down from his post due to an “offensive” appearance as a member of Run-DMC at a birthday party seven years ago. Parlophone co-president Mark Mitchell will take on the leadership of the label on an interim basis. “It is with great sadness that today [...]

More From Our Brands

Access exclusive content