Earlier this month, HBO disclosed that it is the latest victim of cyber breach extortion, which involves criminals hacking into a company’s computer system, extracting sensitive information (e.g., emails of executives) or valuable intellectual property (e.g., unreleased television scripts or episodes), and then threatening to make the information public if a ransom is not paid, usually in Bitcoin. In the HBO case, the hackers claim that this is their 17th target and that all but three of their victims have paid the ransom. As cyber breach extortions become more frequent, there are several things your company may consider doing to prepare for such an event.

  • Enhancing cyber defenses, which may include:
    • Penetration testing and vulnerability assessments by a third-party vendor
    • Ensuring that all software and patches are up to date
    • Training employees on cybersecurity and how to spot email phishing and spoofing threats
    • Providing extra controls over your company’s most sensitive materials, including strict access controls and monitoring unusual activity
  • Ensuring that your company’s incident response plan includes preparations for cyber breach extortion, including:
    • Identifying an individual contact in law enforcement
    • Having a plan for obtaining Bitcoins, if necessary
    • Using the Digital Millennium Copyright Act to have websites and search engines take down links to the stolen data
  • Assessing whether, and under what circumstances, your company’s cyber insurance would cover ransom payments
  • Conducting a tabletop exercise involving cyber extortion
  • Identifying outside consultants (e.g., a cybersecurity firm, a law firm, a public relations firm) that can quickly provide advice on cyber extortion issues such as:
    • Whether there are any disclosure obligations or legal risks associated with paying (or not paying) the ransom
    • How to determine who the hackers are, whether they have the only copies of the sensitive materials, and how likely they are to honor their promises not to release the data if the ransom is paid
    • Whether the hack, and the threat to make the stolen data public, constitute crimes that are likely to get attention from law enforcement

The HBO hack should serve as a warning that winter may be coming for some companies in the form of cyber extortion, and it is probably prudent to make some preparations.