A hacker group known as "The Dark Overlord" leaked 10 upcoming episodes of Netflix's original series Orange Is the New Black after allegedly breaching a third-party partner. The hacker group claimed that Netflix refused to pay a ransom before leaking the episodes online on April 29, warning that other media outlets will be next.
In a statement sent to multiple media outlets on April 29, Netflix stated that it was aware of the situation.
"A production vendor used by several major TV studios had its security compromised and the appropriate law enforcement authorities are involved," Netflix stated.
The New York Times reported that Larson Studios was the source of the breach. Larson Studios promotes itself as a full-service audio post-production company and works on many well-known Hollywood shows, including ABC's Designated Survivor and CBS' NCIS: Los Angeles.
Although the hacker group has claimed that Netflix did not pay the ransom, it's not clear at this point if Netflix or its third-party audio production studio was the victim of a ransomware attack or just a simple attempt at extortion. In a ransomware attack, a hacker, after gaining access to a victim's content, encrypts the data and demands a ransom in order to decrypt the content. Ransomware attacks have been a growing threat in recent years according to multiple vendor reports, including the recent 2017 Verizon Data Breach Investigations Report (DBIR), which identified a 50 percent year-over-year increase in attacks.
Netflix isn't the first media company to be attacked with some form of ransom demand. Sony was the victim of a ransomware attack in 2014 that led to the leak of the movie The Interview. In February 2015, Sony estimated the losses due to the ransomware cyber-attack at $35 million. The Sony attack, however, is substantively different from the one against Netflix, as it was a direct attack and not one made indirectly against a third-party partner.
Netflix is somewhat different from Sony in other respects as well. Most notably, Netflix is a cloud-first organization, with nearly all of its technology and content delivered from the public cloud, as opposed to using its own data center assets.
Netflix, however, isn't just a user of the public cloud; it is also a cloud innovator, developing and releasing all manner of open-source software projects to help improve cloud deployments. Among Netflix's open-source project's is Security Monkey, which monitors Amazon Web Services (AWS) and Google Cloud Platform (GCP) accounts for policy changes and insecure configurations.
Yet despite Netflix's diligence in its own cloud security, it is now apparent that it wasn't enough to stop hackers from stealing content. What must now be painfully obvious to Netflix (if it wasn't before) is the simple truth that its security is only as strong as the weakest link—in this case, a third-party post-production audio mixing company.
Although content development doesn't follow the exact same model as software development, there are similar security concerns, as well as similar approaches that can be used to reduce risk. The idea that it is necessary to understand the risk of a distributed software supply chain is not a new one, with multiple vendors, including SecurityScorecard, in the market today with services to help rate the security of third-party vendors. There is also a broad open-source effort called in-toto that aims to enable a more secure software supply chain model that builds on security of The Update Framework (TUF) for secure software updates.
While the Orange Is the New Black leak is the latest high-profile example of risk in the distributed online development model, it likely won't be the last.
No one vendor or studio is an isolated island, and hackers will always find and target the weakest link to exploit victims. Security is a shared responsibility, with vendors, partners, end users and law enforcement all having a role to play. Hopefully in the weeks ahead, Hollywood studios big and small will be talking with their partners to take the necessary steps to limit risk.