What's Scarier: Hackers, Human Error, or Cersei Lannister?

In the world of Westeros, the mythical land of HBO’s Game of Thrones* the Three-Eyed Raven can see all, past, present, and future: whether the Lannisters are put down once and for all, what happened to the First Men, and just who, if anyone, will survive the coming winter.

The rest of us though? We have to wait until Sunday nights. That is, unless we grab one of the many episodes that keep getting leaked prior to broadcast.

Game of Thrones’s leaking woes are a perfect illustration of the risks anyone with valuable information faces, whether businesses, law firms, or legal professionals. You’ve got your outside hackers (White Walkers, Targaryens, and the like), set on taking what’s not theirs, vendors and third-parties putting data at risk (the bumbling watchmen that seem to guard every beach, castle, and secret entryway in the Seven Kingdoms), your malicious insiders (basically everyone in Westeros), and simple human error. They’re all something to fear.

The Invaders Came, With Dragons

On July 30th, as the rest of us were getting ready for the latest GoT episode, hackers announced that they’d stolen a significant amount of data from HBO:

Hi to all mankind. The greatest leak of cyber space era is happening. What’s its name? Oh I forget to tell. Its HBO and Game of Thrones……!!!!!! You are lucky to be the first pioneers to witness and download the leak. Enjoy it & spread the words. Whoever spreads well, we will have an interview with him. HBO is falling.

The hackers claimed to have taken 1.5 terabytes of HBO data, a hack seven times the size of the 2014 Sony hack, by some estimates. Data purloined could include not just unreleased information on Game of Thrones, but potentially other significant documents such as employee data, corporate financial information, and embarrassing internal emails. Unreleased episodes of the HBO show Ballers were also stolen.

A group taking credit for the hack has demanded several million dollars in Bitcoin as ransom from the network, and released five scripts and some internal emails online in order to show that they’re serious. HBO has reportedly refused to pay up and is currently working with the FBI and Mandiant to investigate the breach.

HBO’s data breach came just as HBO was stepping up its campaign against the bootlegged episodes and illegal downloads that have made GoT the most-pirated T.V. show in recent history. When it came to protecting its property, HBO was looking a bit like the Night’s Watch—that is, not so good at keeping up its defenses.

Tell Cersei. I Want Her to Know It Was Me, In the India Office

So far this season, at least two full Game of Thrones episodes have been leaked online before airing, a third of all episodes. But the leaked videos don’t appear to have come from the hackers. Rather, a technology vendor for one of HBO’s distribution partners, Star India, seems to have been behind the first leak.

This isn’t too surprising, as third-party businesses and vendors have been involved in some of the biggest data breaches ever. These are the “bumbling guardsmen” of the modern data breach—partners who don’t know how to keep the outsiders out.

Take, for example, Target’s 2013 data breach which was traced back to a malware attack against the company’s HVAC vendor. Hackers were able to get control of the vendor's credentials, then used those to enter Target’s system, compromising the credit card information of 40 million customers.

And though the Target hack was much larger than most, the way it was accomplished was fairly typical. Indeed, 34 percent of respondents in a 2016 Ponemon Institute survey reported suffering a data breach due to a cyberattack on third-party vendors.

Unlike the Target data breach, however, the Star India leak doesn’t involve an unwitting vendor with weak cybersecurity protections. Rather, employees at the Star India's technology vendor may have intentionally stolen the video. Four individuals have been taken into custody in India as a result, the Indian Express reports, accused of “criminal breach of trust” and violations of Indian computer laws. These are more your Olena Tyrells than your inept watchmen, it seems.

Malicious insiders, too, are an all too common cause of data breaches. Insider data theft and privilege misuse is responsible for 15 percent of all data breaches, according to the 2017 Verizon data breach report. The majority of insider data theft, the report found, are done “in the hope of converting [stolen data] to cash somewhere down the line.”

Don't Forget Oberyn

Then there is episode six, the Game of Thrones episode that aired this Sunday but which was leaked online four days earlier. Actually, “leaked” might be generous, here. Rather, the episode was posted online to streaming subscribers of HBO Nordic and HBO Espana days in advance. The show was only available for one hour, but that was long enough for it to be copied and distributed widely.

Hackers and malicious insiders don’t appear to be responsible here. Rather, the premature broadcast seems to be the result of human error. “The error appears to have originated with a third party vendor and the episode was removed as soon as it was recognized,” HBO said in a statement to the AP.

While Game of Thrones depicts humans as occasionally vile, often bloodthirsty, and at times capable of great acts of bravery, most of us are just stupid—the kind of people who drink a barrel of wine before going on a boar hunt, or celebrate victory in a duel 30 seconds too soon, or promise their mom they'll stop climbing around the castle, then wind up peeping on some illicit Lannister affairs...

Humanity's innate disposition to just get things wrong every now and then makes human error largely inevitable (and why protecting against it, with simple, intuitive technology, is so important).

Perhaps this tendency to err is why, according to the Verizon report, data breaches due to simple mistakes were the fourth most common type of breach,  arising from causes such as "misdelivery of sensitive data and publishing errors, as opposed to malicious intent.”

Meanwhile, only one episode remains until this season of Game of Thrones concludes. Will HBO be able to hang on to it before Sunday’s season finale rolls around?

*Technically, Westeros is the mythical land of George R. R. Martin’s series “A Song of Fire and Ice,” we know.

This post was authored by Casey C. Sullivan, who leads education and awareness efforts at Logikcull. You can reach him at casey.sullivan@logikcull.com or on Twitter at @caseycsull.