A group taking credit for the hack has demanded several million dollars in Bitcoin as ransom from the network, and released five scripts and some internal emails online in order to show that they’re serious. HBO has reportedly refused to pay up and is currently working with the FBI and Mandiant to investigate the breach.
HBO’s data breach came just as HBO was stepping up its campaign against the bootlegged episodes and illegal downloads that have made GoT the most-pirated T.V. show in recent history. When it came to protecting its property, HBO was looking a bit like the Night’s Watch—that is, not so good at keeping up its defenses.
Tell Cersei. I Want Her to Know It Was Me, In the India Office
So far this season, at least two full Game of Thrones episodes have been leaked online before airing, a third of all episodes. But the leaked videos don’t appear to have come from the hackers. Rather, a technology vendor for one of HBO’s distribution partners, Star India, seems to have been behind the first leak.
This isn’t too surprising, as third-party businesses and vendors have been involved in some of the biggest data breaches ever. These are the “bumbling guardsmen” of the modern data breach—partners who don’t know how to keep the outsiders out.
Take, for example, Target’s 2013 data breach, which was traced back to a malware attack against the company’s HVAC vendor. Hackers were able to get control of the vendor's credentials, then used those to enter Target’s system, compromising the credit card information of 40 million customers.
And though the Target hack was much larger than most, the way it was accomplished was fairly typical. Indeed, 34 percent of respondents in a 2016 Ponemon Institute survey reported suffering a data breach due to a cyberattack on third-party vendors.
Unlike the Target data breach, however, the Star India leak doesn’t involve an unwitting vendor with weak cybersecurity protections. Rather, employees at Star India's technology vendor may have intentionally stolen the video. Four individuals have been taken into custody in India as a result, the Indian Express reports, accused of “criminal breach of trust” and violations of Indian computer laws. These are more your Olenna Tyrells than your inept watchmen, it seems.
Malicious insiders, too, are an all too common cause of data breaches. Insider data theft and privilege misuse are responsible for 15 percent of all data breaches, according to the 2017 Verizon data breach report. The majority of insider data theft, the report found, is done “in the hope of converting [stolen data] to cash somewhere down the line.”
Don't Forget Oberyn
Then there is episode six, the Game of Thrones episode that aired this Sunday but which was leaked online four days earlier. Actually, “leaked” might be generous, here. Rather, the episode was posted online to streaming subscribers of HBO Nordic and HBO Espana days in advance. The show was only available for one hour, but that was long enough for it to be copied and distributed widely.
Hackers and malicious insiders don’t appear to be responsible here. Rather, the premature broadcast seems to be the result of human error. “The error appears to have originated with a third party vendor and the episode was removed as soon as it was recognized,” HBO said in a statement to the AP.
While Game of Thrones depicts humans as occasionally vile, often bloodthirsty, and at times capable of great acts of bravery, most of us are just stupid—the kind of people who drink a barrel of wine before going on a boar hunt, or celebrate victory in a duel 30 seconds too soon, or promise their mom they'll stop climbing around the castle, then wind up peeping on some illicit Lannister affairs...
Humanity's innate disposition to just get things wrong every now and then makes human error largely inevitable (and is why protecting against it, with simple, intuitive technology, is so important).
Perhaps this tendency to err is why, according to the Verizon report, data breaches due to simple mistakes were the fourth most common type of breach, arising from causes such as "misdelivery of sensitive data and publishing errors, as opposed to malicious intent.”
Meanwhile, only one episode remains until this season of Game of Thrones concludes. Will HBO be able to hang on to it before Sunday’s season finale rolls around?
*Technically, Westeros is the mythical land of George R. R. Martin’s series “A Song of Fire and Ice,” we know.
This post was authored by Casey C. Sullivan, who leads education and awareness efforts at Logikcull. You can reach him at firstname.lastname@example.org or on Twitter at @caseycsull.