HBO data breach bug bounty

Next story
Olivia Storey

The end of July saw a huge data breach with 1.5 terabytes of data stolen from HBO, but are they right to respond with a ‘bug bounty’ payment?

The hackers demanded a ransom that is worth six months of their salary, claiming they make $12 million to $15 million from stealing intellectual property and blackmailing companies.

HBO responded to the demand with a ‘good faith’ email asking for an extension on the deadline in return for a ‘bug bounty’ payment of $250,000 in bitcoin, as soon as they can acquire it. They were careful to use the term bug bounty, rather than ransom payment, as the phrase refers to a reward to good hackers for finding flaws in a company’s system.

Many companies use bug bounty programs to find security holes, however Mark James, ESET IT Security Specialist, discusses whether HBO’s decision to offer the hackers a bug bounty is in good judgement.

“It’s a difficult call for HBO, they are fully aware that paying the ransom is not a good idea, but in the initial stages a bug bounty could have been perceived as a compromise.

“When it comes to digital ransoms you have no guarantee’s you are going to get your goods back.

“You don’t really even know if they are the only ones that have a copy of the material, they may simply be the only people coming forward asking for money.

Bugbounty programs usually have a clear set of rules.

“These days the bug bounty programs incorporate the intelligence and expertise from others to help find the flaws or vulnerabilities, which, if done correctly, could and often does strengthen your overall security.

“HBO, and indeed any other major network, would not let anyone deep enough in their systems to have the opportunity to remove material that could affect ratings.

“We know that hackers can, and have, infiltrated networks that seem to be very secure. If evidence exists that some information has been stolen and demands are being issued, it makes sense to be cautious.

“We need to be optimistic that it can be resolved. It’s all about the public perception, covering up hacks and breaches is never good for PR or for public trust.

“Let’s be honest, no network or system is 100% secure. There are plenty of procedures and options for securing data and keeping it safe when you have full control.

“However, in their industry there are so many third parties involved it’s going to be difficult to achieve.”

What do you think of HBO’s decision to offer a bug bounty? Let us know on Twitter @ESETUK.

Join the ESET UK LinkedIn Group and stay up to date with the blog. If you are interested in seeing where ESET has been featured in the news then check out our ‘In the news’ section.