10 Years Post-Sony Hack, Hollywood Isn’t Ready for Next Big Cyberattack

When it comes to cybersecurity, it remains doubtful whether Hollywood can truly, well, hack it.

A full decade on from the infamous Sony Pictures hack — the studio discovered the breach 10 years ago this week, on November 24, 2014 — the entertainment industry is more reliant on technology and IT infrastructure than ever. And yet cyberattacks remain a persistent and seemingly unshakable headache for Hollywood, with a number of high-profile hacks hitting companies like Roku and Disney this year.

This follows a record-breaking high for U.S. cyberattacks in 2023, which saw more than 3,200 data compromises in the U.S. alone, according to figures tracked by the nonprofit Identity Theft Resource Center.

And while 2024 is unlikely to match that tally, per the ITRC’s latest quarterly report, the number of cyberattack victims year-to-date through Q3 is already more than triple that of full-year 2023, thanks to a handful of massive breaches. Nearly all of AT&T’s cellular customers — 110 million individuals — were affected by an April hack, while May’s Ticketmaster breach may have impacted as many as 560 million customers.

And it’s not just consumer data that’s targeted in such hacks, as anyone who worked at Sony in 2014 could tell you. This year’s attack on Disney by “hacktivist” group Nullbulge, for instance, resulted in numerous internal communications and company data being leaked online.

These attacks come with the territory, in a sense; more reliance on digital business models and increased collection of user data means greater incentives for hackers to target a company. Despite the obvious threat, however, Hollywood studios’ attempts to transform themselves into something resembling tech companies over the past decade have not produced the infrastructure necessary to thrive in the digital age.

One arguably need only look at the traditional studios’ abysmal streaming user interfaces for proof of that, but more concrete data is also available.

An August study by Unit 42, the research arm of cybersecurity company Palo Alto Networks, found that the media & entertainment industry experiences by far the highest monthly growth in attack surface, the term for the total number of points within a software environment that are vulnerable to a cyberattack.

While reducing the size of one’s attack service is seen as a basic cybersecurity strategy, Unit 42’s research shows a typical company in the M&E sector adds nearly 7,500 new services (i.e., vulnerable points) to its attack surface each month — new services that “alone account for nearly 32% of new high or critical exposures for organizations,” the August report says.

And even as the proverbial “next Sony hack” never really arrived in the decade since — no subsequent cyberattack in the media sector came close to matching the scale and fallout of the 2014 breach — it seems likely, if not inevitable, that it’s only a matter of time until it does arrive.

Consider, for instance, the fact that generative AI can now be leveraged for devastating cyberattacks. In a Deloitte survey of the chief information security officers from all 50 U.S. state governments this year, AI-aided attacks were ranked as one of the top three potential threats, while 41% of CISOs surveyed said they were “not very” or “not at all” confident they could protect their states from such attacks.

If state governments — whose attack surfaces grow by only 150 new services per month, per the Unit 42 study — aren’t confident in their abilities to fend off AI, the entertainment industry must be ill equipped indeed to defend itself.

The irony that the same technology studios are so eager to harness for the creative process poses such a threat to their security almost goes without saying. Yet this is indicative of the approach Hollywood has taken to entering the tech business: a rush to seize upon the technology of the moment, without the consideration or expertise needed to help ensure success.

One would hope that, given the punishing journey they’ve taken with streaming, the studios might have learned a lesson or two that can be applied to their cybersecurity operations.