This weekend’s leak of the upcoming fifth season of Netflix’s “Orange Is the New Black” may turn out to be Hollywood’s biggest breach since the Sony hack in 2014. But security experts aren’t surprised by the incident, even as details about it still emerge. That’s because many have been warning of weak security at third-party vendors for years.
“Third-party vendors have been a problem for a long time and will continue to be in the future,” said PwC principal Mark Lobel during an interview with Variety Saturday. Lobel declined to specifically comment on this weekend’s Netflix leak, which appears to be based on a security breach at Larson Studios, an audio post-production company that has also been working on shows like “Fargo,” “Designated Survivor” and “NCIS Los Angeles.” But he argued that security for third-party vendors continues to be a weak link for Hollywood.
The big Hollywood studios in particular have put a lot of effort into improving their security after the Sony hack, which saw hackers likely associated with North Korea breach the company’s networks and release over 170,000 emails as well as 30,000 internal documents, many of which were later published on WikiLeaks.
“The studios have raised the bar significantly in the last two, three years,” agreed Lobel. But those same multi-billion-dollar media companies continue to work with a huge network of third-party vendors, which are increasingly spread all across the globe.
Visual effects, subtitles, color grading, audio post-production and many other specialized tasks are routinely outsourced to other companies. Some of them are sizable players of their own, but others just have a dozen or fewer employees. Studios may audit the security of these vendors, but even the best audit only provides a snapshot of a single point in time, and doesn’t guarantee that an employee at one of those vendors won’t fall for a phishing scam the following week.
What’s more, security threats continuously evolve, forcing Hollywood to catch up. “This is a game of chess with no kings,” said Lobel. Studios and their security teams can try to adapt to new threats, but small shops with a handful of employees may eventually slip up. “The third-party vendor has to be good all the time, the hacker only needs to be lucky once,” said Lobel. “It does not surprise me to see someone target a…