Tag Archives: Third party vendor risk management

Orange is the New Hack … er, Black

Netflix might be the new Sony. As a result of the Sony breach, 5 full length movies were released on pirate movie web sites.  Among the movies released were Annie and Fury, along with three others.

Now Netflix is in the hackers’ radar.  In addition to the entire new season of Orange is the New Black, the hacking group The Dark Overlord claims to have stolen more than 30 titles, either movies or TV series.  Examples include The Arrangement, The Catch, Bill Nye Saves The World and Rebel in the Rye.

How The Dark Overlord got this is by hacking into a third party vendor that the studio uses for audio post production named Larson Studios.

After Larson was hacked, The Dark Overlord attempted to extort money from Larson and the Studios.  Databreaches.net obtained a copy of a contract with The Dark Overlord for 50 Bitcoin (approximately $75,000 at today’s prices).  Netflix refused to pay. The Dark Overlord released some of the titles.  According to Databreaches, there didn’t seem to be much of a demand for the titles – or perhaps the studios were playing it cool trying to avoid paying the ransom, but now at least some of the titles are out there – maybe more will come out soon.

The main message here is that, like Target, The Home Depot, The Office of Personnel Management and now Netflix, third party business partners are often the source of the biggest breaches around.

We have not heard the details of how Larson Studios was hacked and possibly never will, but what we do know is that 37 titles that the studios trusted to Larson are now out of their control.  Out of Larson’s control and out of the studio’s control.

Depending on what the hackers decide to do, some significant chunk of revenue – whether it is TV advertising revenue or DVD sales or other revenue channels – are at risk.

This means is that unless businesses take third party vendor risk management seriously, these problems will continue to happen.  While Netflix is not likely to go out of business over this, it is both embarrassing to the company and embarrassing to the vendor.  And likely pretty expensive for both of them.

A formal vendor risk management program is not a get out of jail free card, but often it WILL BE the difference between a vendor being hacked and not being hacked.  We do not know and may never know if Larson Studios was  specifically targeted or was a target of opportunity.  Assuming it was the first, then a vendor risk management program would likely have stopped the attack before it started.  If it was the second, then it is a much more difficult answer, but it may well have stopped them.

At least would have made the attackers work to succeed.

Information for this post came from Variety and Databreaches.