
Not another Sony?
Sony experienced similar euphoria with their breach in 2014 and theft of a few movies; but their breach had deep security ramifications, from emails to financials. The negative press and effect on senior executives rippled through the company and industry with unparalleled waves. We would hope media companies would have learned some hard lessons from that breach; but apparently not. To that end, it is important to note that Netflix themselves did not leak the series in a breach like what happened with Sony. The digital copies were stolen from Larson Studios, an audio production company authorized to have copies for automatic dialogue replacement. The hackers (TheDarkOverlord), claims Larson agreed to pay the ransom but in fact did not and now they are trying extort money from Netflix. To make this situation worse, the studio produces work for several major US TV studios. This breach, and subsequent torrent episode releases (the first 10 from the latest unreleased season) may just be the tip of the iceberg for stolen media. And, for those in the business, this fact emphasizes the weaknesses in any supply chain and the ramifications of security flaws along the entire workflow when multiple companies share information with a single vendor that is not properly segregated. As for the breach itself, in a public comment from the hacker, they indicated "You're going to lose a lot more money in all of this than what our modest offer was. We're quite ashamed to breathe the same air as you. We figured a pragmatic business such as yourselves would see and understand the benefits of cooperating with a reasonable and merciful entity like ourselves. And to the others: there's still time to save yourselves. Our offer(s) are still on the table - for now." Clearly, reasonable is out of the question and extortion and ransom are their only goals.

Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.