In December, hackers impersonating an executive at Interscope Records, the record label owned by Universal Music Group, managed to bypass all the latest in digital defenses with a simple email.
In a carefully tailored message, the hackers urged an executive at September Management, a music management business, and another at Cherrytree Music Co., a management and record company, to send them Lady Gaga's stem files, the files used by music engineers and producers for remixing and remastering.
With a click of a button, the files made their way into hackers' hands, according to three people who are familiar with the episode but are not allowed to discuss it publicly. Executives would not elaborate on the incident, and it is unclear what happened to the files.
The heist — which has not been reported previously — was a classic example of how hackers exploit the weakest link in the extensive chain of vendors, post production studios and collaborators that corporations must trust with their most valuable intellectual property.
In Hollywood, cybercriminals have found a lucrative niche: While they may not be able to break into a Universal Studios or a Netflix directly, they have learned that the highest-profile targets are supported by a system of soft targets — content collaborators, remixers, postproduction studios and others — that do not have the same resources, security technology or sense of paranoia. And the hackers have started capitalising.
Last month, a hacker or hackers using the pseudonym "TheDarkOverlord" leaked unreleased episodes of the Netflix hit series Orange Is the New Black after breaching Larson Studios, one in a long line of post production players that Netflix relies on to tailor its content for high-definition television.
TheDarkOverlord released Netflix episodes after Larson Studios, and then Netflix, did not pay a ransom of 30 bitcoins, roughly $US45,000. Now, that same hacker has threatened to leak content from Larson's other clients, including ABC, Fox, National Geographic and IFC, if the studios do not pay.
In a message posted to Twitter, the hacker said: "Who is next on the list? FOX, IFC, NAT GEO, and ABC. Oh, what fun we're all going to have. We're not playing any games anymore." A couple of days later, TheDarkOverlord hinted that the next leaks were imminent: "It's nearly time to play another round".
For now, Hollywood studios say they have no intention of paying hackers' ransom, though they could pay dearly in lost revenue and viewers.
"We see this over and over and over again," said Oren Falkowitz, chief executive of Area 1, a security company. "The problem is that security firms sell their software to the 1 per cent of companies that can afford it, but the real damage continues to come from below."
The security weaknesses of vendors are increasingly the weaknesses of their clients, no matter how fortified their own networks.
The vast majority of breaches — 80 per cent by some estimates — stem from a supplier or vendor, according to RiskVision, a risk intelligence company. At Target, hackers stole tens of millions of credit card details by penetrating a tiny Pittsburgh refrigeration company that had been given access to the retail chain's network.
Chinese state hackers breached the defence contractor Lockheed Martin through RSA, a company it had entrusted to secure employees' web connections. Hackers breached an oil company through a PDF of a Chinese takeaway menu.
Falkowitz, other security executives and insurance underwriters say the status quo is untenable. Security companies have promised to protect their clients from cyberattacks, while ignoring the less secure vendors, consultants and distributors in clients' supply chains.
Area 1 has started extending its services to its clients' principal vendors as part of its core offering, something most security companies have been reluctant to do.
"It's our job to protect your business," Falkowitz said. "We're not going to sell software to every five-person mom-and-pop shop, so why not extend our services to those vendors for free?"
Companies like BitSight Technologies and SecurityScorecard have developed a rating system that allows corporations and government agencies to evaluate how hacker-friendly vendors and other third parties are.
BitSight uses a scoring system of 250 to 900, similar to a credit score. SecurityScorecard gives grades from A to F.
"You could have the most technically secure organization in the world, but the common denominator is people, and they are always susceptible," said Jay Kaplan, chief executive of Synack, a security company.
The New York Times