Netflix Hack: Key Lessons In The Economics Of Ransomware And Managing Third-Party Risk

Renee Murphy

Netflix recently experienced a third-party breach. The data lost is Season 5 of Orange is the New Black, which is original Netflix content. Many are calling it the largest entertainment industry hack since Sony. I guess that is right, but how bad is it really?

First, here is what happened. Netflix transferred season five to its post-production third party in Los Angeles, Larson Studios, for sound mixing and editing. Larson does the post work for at least 25 episodics that run on Fox, ABC, IFC and Netflix. It was Larson Studios that was hacked and, according to thedarkoverlord (TDO), they made off with not just Netflix content but network content as well, putting at risk the release of Documentary Now, Portlandia, Fargo and many others. TDO contacted Netflix and asked for a bitcoin ransom or it would dump their content for download. Netflix refused to be extorted and TDO made good on its threat.

That got me thinking… was Netflix right to not pay the ransom? What was the real impact of that decision? Can networks and studios do the same thing? Are they inoculated from third-party damage because of their industry or their product? Let’s find out.

1. Was Netflix right to not pay the ransom? Yes. If I have learned anything from the State Department, it’s that we don’t negotiate with terrorists. For Netflix, there is no reason to overreact or go to great lengths to explain the impacts. If you do an impact analysis, you see that it has a medium reputational risk, a low financial risk and no regulatory risk. With that kind of risk analysis, you don’t pay a ransom.
