Netflix Hack: Key Lessons In The Economics Of Ransomware And Managing Third-Party Risk
Netflix recently experienced a third-party breach. The data lost is Season 5 of Orange is the New Black, which is original Netflix content. Many are calling it the largest entertainment industry hack since Sony. I guess that is right, but how bad is it really?
First, here is what happened. Netflix transferred season five to their post-production third party in Los Angeles, Larson Studios, for sound mixing and editing. Larson does the post work for at least 25 episodics that run on Fox, ABC, IFC and Netflix. It was Larson Studios that was hacked and, according to thedarkoverlord (TDO), they made off with not just Netflix content but network content as well, putting at risk the release of Documentary Now, Portlandia, Fargo and many others. TDO contacted Netflix and asked for a bitcoin ransom or it would dump their content for download. Netflix refused to be extorted and TDO made good on its threat.
That got me thinking…was Netflix right to not pay the ransom? What was the real impact of that decision? Can networks and studios do the same thing? Are they inoculated from third party damage because of their industry or their product? Let’s find out.
1. Was Netflix right to not pay the ransom? Yes. If I have learned anything from the state department it’s that we don't negotiate with terrorists. For Netflix, there is no reason to overreact or go to great lengths to explain the impacts. If you do an impact analysis, you see that it has a medium reputational risk, a low financial risk and no regulatory risk. With that kind of risk analysis, you don’t pay a ransom.
2. What was the real impact of that decision? Netflix and Amazon Video both create new content and drop the entire series at once on a release date. From a risk perspective, it’s a smart move. It takes the gun out of the hands of the hacker. What makes the streaming content a very different revenue and risk model is the subscription based revenue. No one is going to cancel their Netflix account because they can download season five of OITNB somewhere else. The business model is resilient in that way. They have nothing to lose except a premier. That is the best you can hope for when you are the victim of a massive third party breach.
3. Are traditional network and studio companies equally resilient? This is where the breach gets bad for some companies. Episodic television must recoup production money through advertising and studios rely on box office sales. Who wouldn't want to watch a new season of Documentary Now on IFC without the commercials? It's like free Netflix! Who in their right mind would advertise in that spot? No one. The film Fury was part of the Sony breach and it bombed at the box office because people could see it for free. There is a financial impact on networks and studios because of their revenue model. This is a risk that requires serious management and mitigation and TDO still has data to dump. Who will be next and will they pay the ransom?
4. Are they inoculated from third party damage because of their industry or their product?The whole entertainment industry sort of gets a pass because it’s entertainment. These are product marketing companies that market entertainment content. When they are breached we hardly hear about it because credit card or health records were not lost, so as a consumer, I don't really care. It didn’t impact me at all. Frankly, it didn’t impact Netflix either.
5. Is this an industry worth extorting?No. Why would you pay a ransom for a content release when the financial impact is so low? The only financial impact for Netflix is paying the hackers. That would literally be the ONLY financial impact. So, don’t pay it and you don’t lose money. Hospitals and banks may pay ransom because the loss of the data results in regulatory fines of $250,000.00 in some cases. Paying a ransom of $66,000.00 might be worth it to not have patient records exposed but not entertainment content. Again, no one cares. TDO should find a new industry to extort because this one will not be a money maker for this kind of hacking.
Managing third party risk is extremely important. It’s not just post facilities, but external payroll companies, law firms, accountants, temp agencies and many others that have a company’s confidential data and it is extremely important to manage the security of those third parties. This might be a good time to remind the studios that the Motion Picture Association of America has a third party self-assessment checklist with more than 300 assessment criteria to assess the security of third parties including content transfer and management. Get to know it. It might just help the industry get more secure.
By the way, Netflix stock is up 25% for the year and up 5% for the month. Let me know what you think! I welcome the debate.