Anatomy of a Breach: HBO — Game of Thrones Scripts Leaked and a $6 Million Ransom Demand

> series: anatomy_of_a_breach —— part: 104 —— target: hbo —— stolen: 1.5TB —— ransom_demand: $6,000,000

Hedgehog Security, 31 August 2017

1.5 terabytes stolen. Game of Thrones scripts leaked. $6 million demanded.

In late July 2017, HBO confirmed that hackers had breached its systems and stolen approximately 1.5 terabytes of data — including unaired episodes of Ballers and Room 104, a script for the upcoming Game of Thrones episode 'Spoils of War', internal corporate documents, and employee personal information. The hackers, who contacted HBO directly, demanded $6 million in Bitcoin to prevent the release of the stolen material.

HBO refused to pay the ransom. The attackers subsequently published multiple tranches of stolen data, including further scripts, internal emails, financial documents, and personal information of HBO employees. An Iranian national, Behzad Mesri, was later indicted by US prosecutors for the attack. The HBO breach — while smaller in scale than the Sony Pictures attack of 2014 — demonstrated that the entertainment industry's most valuable asset (unreleased content) creates unique extortion leverage, and that the 'hack and leak' model established by the DNC hack had expanded into commercial extortion.


Unreleased content creates unique extortion pressure.

Content Theft = Revenue Loss

Game of Thrones was HBO's most valuable property — leaking episodes or scripts before air reduced viewership, advertising value, and cultural impact. For media and entertainment companies, unreleased content is both an asset and a vulnerability. <a href="https://www.socinabox.co.uk/blog/data-loss-prevention-small-business">Data loss prevention</a> through <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects bulk data exfiltration before content reaches the attackers.

Ransom Refusal

HBO's refusal to pay the $6 million ransom was the recommended approach — paying encourages further attacks and provides no guarantee of data deletion. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides incident response and negotiation guidance during extortion events.

Internal Emails Published — Again

As with <a href="/blog/anatomy-of-a-breach-sony-pictures">Sony Pictures</a> and the <a href="/blog/anatomy-of-a-breach-dnc-hack">DNC</a>, stolen internal emails were published for maximum embarrassment. The pattern is now well-established: any organisation that is breached should assume its internal communications will be weaponised. <a href="/penetration-testing/infrastructure">Network segmentation</a> and <a href="https://www.socinabox.co.uk">monitoring</a> limit what attackers can access.

Protection of High-Value Assets

Organisations with high-value digital assets — entertainment content, R&D data, legal documents, financial models — must apply proportionate security controls. Our <a href="/penetration-testing">penetration testing</a> includes assessment of access controls around high-value data stores. <a href="/cyber-essentials">Cyber Essentials</a> establishes baseline protection.

High-value content demands high-value protection.

The HBO breach proved that entertainment content, intellectual property, and any data whose premature disclosure causes measurable harm creates extortion leverage for attackers. For UK media companies, law firms, financial institutions, and any organisation holding pre-release or confidential content, the defence is layered: segmentation to limit what attackers can reach, DLP to detect exfiltration, Cyber Essentials for baseline controls, and incident response capability for when extortion demands arrive.


HBO lost 1.5 terabytes of content to extortionists. What would your stolen data be worth?

<a href="/penetration-testing">Penetration testing</a> assesses access to high-value data. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects exfiltration. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> manages extortion incidents.
