‘Orange Is the New Black’ Leak Shows: Hollywood Cybersecurity Lives and Dies With Third-Party Vendors


This weekend’s leak of the upcoming fifth season of Netflix’s “Orange Is the New Black” may turn out to be Hollywood’s biggest breach since the Sony hack in 2014. But security experts aren’t surprised by the incident, even as details about it still emerge. That’s because many have been warning of weak security at third-party vendors for years.

“Third-party vendors have been a problem for a long time and will continue to be in the future,” said PwC principal Mark Lobel during an interview with Variety Saturday. Lobel declined to specifically comment on this weekend’s Netflix leak, which appears to be based on a security breach at Larson Studios, an audio post-production company that has also been working on shows like “Fargo,” “Designated Survivor” and “NCIS Los Angeles.” But he argued that security for third-party vendors continues to be a weak link for Hollywood.

The big Hollywood studios in particular have put a lot of effort into improving their security after the Sony hack, in which hackers likely associated with North Korea breached the company’s networks and released over 170,000 emails as well as 30,000 internal documents, many of which were later published on WikiLeaks.

“The studios have raised the bar significantly in the last two, three years,” agreed Lobel. But those same multi-billion-dollar media companies continue to work with a huge network of third-party vendors, which are increasingly spread all across the globe.

Visual effects, subtitles, color grading, audio post-production and many other specialized tasks are routinely outsourced to other companies. Some of them are sizable players in their own right, but others have a dozen or fewer employees. Studios may audit the security of these vendors, but even the best audit only provides a snapshot of a single point in time, and doesn’t guarantee that an employee at one of those vendors won’t fall for a phishing scam the following week.

What’s more, security threats continuously evolve, forcing Hollywood to catch up. “This is a game of chess with no kings,” said Lobel. Studios and their security teams can try to adapt to new threats, but small shops with a handful of employees may eventually slip up. “The third-party vendor has to be good all the time; the hacker only needs to be lucky once,” said Lobel. “It does not surprise me to see someone target a third-party vendor.”

In many ways, breaches like the one that has now hit Netflix and Larson Studios seem almost inevitable. That raises the question: What should a company do when the worst has happened? The hackers who released “Orange Is the New Black” claimed they did so only after Netflix didn’t pay their ransom demands, and may be threatening ABC, Fox, IFC and NatGeo with similar demands.

“There is no right answer to the question whether it’s right for the companies to pay ransom,” said Lobel. On the one hand, giving in to such demands could obviously encourage further threats and finance criminals. But Lobel also acknowledged that companies targeted by ransom demands often do pay, because they decide that not paying could be catastrophic to their bottom line.

In the end, Hollywood may be best advised to take this latest scare as a warning to not only improve security in-house, but also at third-party vendors — even if that means paying a bit more. Said Lobel: “Security controls are necessary overhead, but still overhead.”