How much has “Mr Smith” really stolen from HBO?
So far, only he (actually “they” – “Smith” has said he speaks “on behalf of my colleagues”) knows for sure.
But, a couple of weeks since the announcement of the hack landed in the inboxes of an unknown number of selected entertainment reporters, everybody now knows what they want: money. Somewhere in the $6m to $7.5m range, if you believe their claim that this is what they usually make for six months of “work”.
And while HBO’s initial response included some pleasantries and an offer of $250,000 (not even close to the ransom demand) as a “bug bounty”, that was before the leaks continued.
After the latest, on Sunday, which included several episodes of a new season of Curb Your Enthusiasm, not due to air until October, plus episodes of Ballers, Barry (not set for release until next year) and The Deuce (set for September), its rhetoric became much more openly hostile. A portion of a statement to the press after that leak declared:
We are not in communication with the hacker and we’re not going to comment every time a new piece of information is released … The hacker may continue to drop bits and pieces of stolen information in an attempt to generate media attention. That’s a game we’re not going to participate in.
Quite a change in tone from a July 27 email from HBO executive John Beyler, thanking the group and offering the “bug bounty for making us aware” of previously unknown security vulnerabilities.
Which likely means HBO is spending its money and time trying to find and shut down the hackers rather than negotiate – not that the two sides were even in the same ballpark. HBO’s “offer”, which reportedly was more of a stalling tactic, was about 4% of the hackers’ minimum demand, which they have said is non-negotiable.
So HBO’s next move, if there is one, will probably depend on how much damage the company thinks Smith and Co. can do. And that remains hazy.
The hackers have made extravagant claims. A July 23 video message to HBO CEO Richard Plepler that Mashable posted last week, of scrolling text accompanied by background music from the network’s super-hit Game of Thrones (GoT) soundtrack, is a grammarian’s nightmare of disjointed, rambling detail. They said they have:
… highly confidential Documents, IT related data, Scripts and etc. these data dump, as you will see, contains HBO’s Various Contracts, Mutual Agreements, Human resources, internal structure, International affiliates, Business strategies, international Marketing, IT infrastructures, producing films & Series (with very detail info!), budget detail for major operations, how you sell and how much!, various strategic insights in every aspects, confidential research, internal letters & Tax Evading Proofs! & Nielsen’s Dirty Job! & etc.
Also, we obtained full scripts and cast list of your (and our) very popular TV series; Game of thrones S7 … we obtained enormous amount of Full scripts and full length films and series which will be broadcast in upcoming months!
But, as various observers have noted, the material posted so far falls far short of the 1.5 terabytes of data they claim to possess – a single terabyte can hold an estimated 500 hours of video.
Not that it is trivial. Besides Sunday’s leak, it includes multiple scripts from upcoming GoT episodes, pending episodes of other shows like Ballers and Room 104, a month’s worth of email from the account of HBO’s vice president for film programming, and internal documents including marketing spreadsheets, media plans for GoT, a report of legal claims against HBO and job offer letters to top executives.
What it hasn’t included is the kind of information that inflicted such damage on Sony when it was hacked, allegedly by North Korea, in 2014 – personal information including salaries and Social Security numbers of nearly 50,000 current and former employees, contact information for Hollywood stars, plus a trove of thousands of embarrassing executive emails along with several unreleased movies. That led to a multi-million-dollar settlement with Sony employees.
The views of how much trouble this is for HBO are mixed. The Wall Street Journal called it a “prolonged crisis … Hanging over HBO now is the daily threat of leaks of sensitive information …”
But Deadline suggested the piddling $250,000 offer to the hackers means there is “more smoke than fire” to their claims.
Indeed, Plepler continued to insist last week that “we do not believe that our e-mail system as a whole has been compromised, but the forensic review is ongoing”.
Amid the speculation, however, for a while the correspondence, from both sides, sounded a bit like a script from an alternate reality show. In what was obviously a ransom note, “Mr Smith” overflowed with compliments to Plepler, saying HBO was “one of our difficult targets to deal with,” called the network, “pioneering in TV programming worldwide,” and declared, “we are your fans as are many other ordinary people”.
Smith said his is a group of “white-hat hackers … (who) don’t want to endanger HBO’s situation nor causing to lose its reputation. We want to be your partner in a tiny part of HBO’s huge income.”
He then demanded that “You pay our 6 month salary in bitcoin and we get away from your map,” which they should simply consider compensation for “a huge pentest” by a group of “IT professionals.” While he listed the demand as “XXXX dollars,” he claimed – without offering a shred of evidence, of course – that the group generally makes $12m to $15m a year. He also claimed HBO is the group’s 17th target, that only three of their previous victims have refused to pay, and said the group spends up to $500,000 a year on zero-day exploits.
Beyler’s response was eerily polite as well, taking the tone that these are indeed white-hat hackers and not common criminals. Along with the “good faith” offer of the “bug bounty” of $250,000, he wrote, “You have the advantage of having surprised us. In the spirit of professional cooperation, we are asking you to extend your deadline for one week.”
Variety and others reported that the offer wasn’t considered serious – that it was just a stalling tactic.
All of which means, by the time the dust (and the money) settles, this could be considered a candidate for a few episodes of yet another HBO show – Silicon Valley.
Bryan
There’s a little extra code in the Variety link, penultimate paragraph.
Interesting concept: assault someone’s digital defenses and then claim to be a business partner. Good move on HBO’s part to start friendly, but I hope they get busted hard like every other common criminal.
Kate Bevan
Dammit, thought I’d fixed that before I hit the publish button – thanks, *now* fixed!