Call it "Orange is the new hack": Over the weekend, news broke that the upcoming fifth season of Netflix's blockbuster jailhouse series was leaked due to a security breach at the streaming giant’s post-production studio.
Variety reported that the hacker, who goes by the name of “TheDarkOverlord,” has attempted to leak all 10 episodes of the new season of Orange is the New Black, set to air June 9, after demands for an undisclosed amount of money went ignored. Further, the bad actor is also threatening to release new episodes of shows from FOX, ABC and other networks who use the same third-party vendor, like New Girl.
“We are aware of the situation. A production vendor used by several major TV studios had its security compromised and the appropriate law enforcement authorities are involved,” Netflix said in a statement to the outlet.
TheDarkOverlord apparently, according to a tweet, attempted to post the episodes or at least information about them to GitHub, which removed the content, then Pastebin, which did the same. However, a link at Pirate Bay for the first episode (which we won’t link to) appears to be working.
Third-party vendors have become a classic attack vector, perhaps most memorably illustrated in the Target breach, where a compromise at the retail behemoth’s HVAC vendor allowed hackers to penetrate the main network. According to Brad Keller, senior director of third-party strategy at Prevalent Inc., the issue highlights the fact that managing risk at third-party vendors isn’t limited to regulated industries like banking and healthcare.
“Outsourcing critical services has become a way of life for companies in all industries, making the need to manage third-party risk a universal requirement,” he told Infosecurity. “The debate over whether to pay ransom demands shouldn’t divert attention from the need to proactively manage all of the risks presented from outsourcing. In addition to customer data and access to sensitive systems, those risks include: protecting all forms of intellectual property, merger and acquisition information, litigation strategies, and any other information a company wants/needs to protect. While this was a hard lesson learned for Netflix, hopefully it will cause other companies to take a closer look at what they may have at risk at their vendors."
Jake Olcott, former legal advisor to the Senate Commerce Committee, counsel to the House of Representatives’ Homeland Security Committee and vice president at BitSight, noted that TheDarkOverlord could preside over millions of dollars in intellectual property losses should it make good on its threats.
"Hollywood creates some of the most sensitive intellectual property in the world in the forms of movies, music and television shows,” he noted by email. “The number of organizations and people with access to that content prior to official release presents a huge cybersecurity risk and challenge, and this is a major wake-up call. Just as we've seen from other targeted sectors like finance and retail, expect a huge effort from the media/entertainment leaders to require better cybersecurity across the ecosystem."