HBO Offers Hackers $250,000 'Bug Bounty'

HBO reportedly offered $250,000 (£193,000), under the guise of a “bug bounty”, to the group that hacked its servers, according to a screenshot of the conversation released by the attackers.

A senior vice president of the company made the offer on 27 July, phrasing the payment as a reward for discovering weaknesses in HBO’s network rather than acceding to ransom demands.

There is no way to verify the authenticity of the email, or whether it has been altered, but it was shared with some outlets through the same email address that the attackers had previously used to leak stolen data.

In the message, the executive says HBO has “been working hard since Sunday evening [23 July] to review all of the material that you have made available to us. We simply have not yet been able to do so”.

The executive continues: “You have the advantage of having surprised us. In the spirit of professional cooperation, we are asking you to extend your deadline for one week.

“As a show of good faith on our side, we are willing to commit to making a bug bounty payment of $250,000 to you as soon as we can establish the necessary account and acquire bitcoin.”

The offer may have been an attempt to stall for time, rather than a genuine proposal of payment. HBO disclosed the hack four days after the bug bounty payment was offered, telling the public that it had experienced a “cyber-incident, which resulted in the compromise of proprietary information”.

A script for Game of Thrones, and two unreleased episodes of dramas Ballers and Room 104, were put online the same day. A week after the payment offer, on 3 August, the attackers sent out more evidence of hacked materials, and claimed to have access to the company’s entire webmail system, a claim denied by HBO.

The hackers later released the personal details of some Game of Thrones actors, including email addresses and phone numbers, plus some HBO emails and confidential files, along with a renewed demand for a multimillion-dollar ransom.

Bug bounty payments are a common occurrence in cybersecurity, designed to encourage third parties to discover and report weaknesses found in security systems so they can be fixed, rather than selling the information to would-be attackers.

But it is uncommon for them to be paid following the active exploitation of a bug to steal substantial quantities of data, and extremely uncommon for them to be paid to attackers who deliver payment demands in the form of a video of scrolling text set to dramatic music, asking for a payment of “six months’ salary”, or $6m, as the HBO attackers did.

At least one Hollywood hack victim has paid the ransom demanded by attackers, according to the Hollywood Reporter. But most victims refuse to talk about the ransom requests, fearing that admitting they paid will make them a target for future attacks.

Source: Guardian
