Cybersecurity

Disney hacking shows why companies shouldn't succumb to digital blackmail, experts say

Key Points
  • Some companies are keeping bitcoin handy in case of a ransomware breach, one expert says.
  • Regardless, cybersecurity veterans agree: "No, don't pay the ransom."
  • Paying up is "like The Sopranos," as cyber-crooks will just keep coming back to collect.

Last week, Walt Disney CEO Bob Iger reportedly informed employees that hackers had infiltrated the company and stolen a copy of the latest installment of the "Pirates of the Caribbean" franchise, due out on May 26. According to The Hollywood Reporter, the suspected perpetrators demanded a ransom and threatened to release the movie in 20-minute increments if Disney failed to pay up.

The incident followed the recent theft of 10 episodes of Netflix's new season of "Orange is the New Black," which was released on the Web after the company refused to pay up. A Twitter user called "The Dark Overlord" claimed responsibility, warning ominously that the release was only the beginning.

"Who is next on the list? FOX, IFC, NAT GEO, and ABC. Oh, what fun we're all going to have. We're not playing any games anymore."

Thus far, Disney has refused to cooperate, raising the possibility that "Pirates" could hit the Internet before its planned release date. Yet in an era where data breaches are becoming increasingly commonplace, several experts said Disney—and companies that find themselves in a similar predicament—should take a hard line with cyber-terrorists.

"No, don't pay the ransom," Tom Kulik, an intellectual property lawyer at the Scheef & Stone law firm in Dallas, told CNBC.

"More and more frequently, hackers responsible for ransomware attacks take the money and provide no (or inadequate) means to decrypt the files after payment. Sometimes, they even attempt to extort more," Kulik explained.

By not paying a ransom immediately, "Disney is taking the right approach because there is nothing they can do to prevent the hackers from leaking the movie right now, so paying any ransom solves nothing," he added.


The widespread ransomware attack that took place over a week ago, as well as the breaches at Disney and Netflix and the 2014 attack on Sony, underscore the vulnerabilities media companies must address in the digital era.

Because most movies are distributed electronically—a far cry from the days when homemade DVDs recorded with hand-held cameras were sold on street corners—piracy and hacking are an ever-present threat for movie companies. Some are preparing accordingly.

"I'm personally aware of several financial institutions that have started keeping a stock of digital currency on hand, should they find themselves victims of ransomware," Terence Goggin, a director with the consulting firm Alvarez and Marsal, told CNBC.

"Although paying the ransom is hardly a new approach, it's clear some firms realize their approach to security may be lacking and paying might be the way out," he added.

Scheef & Stone's Kulik recommended that studios get in the habit of encrypting their files, "and limit access to a handful of individuals who can act as gatekeepers to them."

Like 'The Sopranos'


Netflix is an example of a company that refused to play ball with digital blackmailers, a strategy that experts said other companies should follow. In that case, the streaming giant's loyal users and limitless catalog helped contain the fallout.

"The number of people who would cancel their Netflix accounts, or not buy one because of the release of this one season of one show, must be tiny," Andrew McDonnell, president of the security consulting company AsTech, said.

Disney's risks, however, might be slightly higher, given that a premature release of "Pirates" could lead to bad word of mouth from fans and reviewers.

Rick Holland, vice president at the digital risk management firm Digital Shadows, likened paying hackers to mafia extortion tactics. "Just like in 'The Sopranos,' once you pay them out, they will continue to stop by to collect their funds," he said, invoking the hit HBO television show.

"Once [a company's] intellectual property is stolen, there is little chance of recovering it," Holland added, primarily because the material is so easy to replicate. "Instead, they need to investigate and determine how the attackers compromised their environment."

If studios aren't willing to put their efforts into prevention, there are other ways they can deal with their losses. Goggin said that hacked companies could turn their misfortunes into opportunities.

"Netflix could, for example, simply offer the stolen episodes for free as a 'trial' of their service," he suggested. "While this isn't an option for everyone who has had their data stolen, it can help to discourage future thefts by removing the financial incentive."

Reg Harnish, CEO of GreyCastle Security, said that the movie studios and streaming services should deal with their misfortunes by calling the authorities, keeping a stiff upper lip and doing what they do best.

"Call the FBI, then go make more movies," he said.