Slashdot Mirror


HBO Hacker Leaks Message From HBO Offering $250,000 'Bounty Payment' (variety.com)

The HBO hacker has struck yet again. From a report: Variety has obtained a copy of another message released Thursday by the anonymous hacker to select journalists in which HBO is apparently responding to the initial video letter that was sent informing the Time Warner-owned company of the massive data breach. The message from HBO, dated July 27, features the network's offer to make a "bounty payment" of $250,000 as part of a program in which "white hat IT professionals" are rewarded for "bringing these types of things to our attention." While the message takes a curiously non-confrontational tone in response to a hacker out to damage HBO, a source close to the investigation who confirmed the veracity of the email explained it was worded that way to stall for time while the company attempted to assess the serious situation.

  1. Lesson for HBO: Pay for good IT people by ErichTheRed · Score: 4, Interesting

    I've been working in IT for over 20 years, and the thing I've seen over and over again is that organizations that cheap out on IT get stung by things like these more frequently. I've been through multi-hour company-wide outages because someone said there was no reason to keep a core application in more than one data center. We constantly see companies where "IT is not our core competency" getting breached when their lowest-bidder contractors leave an open hole exposed, or when the entire company is run on a massive tower of outsourcers that don't communicate with each other. If I remember correctly, that's how the Target breach happened...a contractor running the HVAC for the stores had a security hole in the systems connected to the store networks, which attackers were able to use to get to the registers and credit card terminals.

    You will never convince companies to do this, but in my opinion the only way to prevent breaches from happening or to minimize their damage is to pay in-house IT staff who *actually* understand what's being deployed. Staff who are paid well and not worked to death are going to be a lot more interested in keeping your business alive than some disinterested offshore firm or body shop who cares only about fulfilling the minimum terms in the contract. (The other thing that has to happen is that everything has to be secure by default, but almost nowhere I've worked has been able to wrap their heads around this. Too many places assume that there's an "outside" and an "inside" and spend all their effort defending the perimeter.)

    What's interesting is that $250K is pretty low for a first offer. I haven't looked through the archive of data these hackers claim to have, but summaries say they were able to get access to sensitive corporate data as well as unreleased content. Some group of people at HBO must be going through all the access logs and figuring out what kind of damaging information they may have exposed. Given that they're an entertainment company, just a dump of the company's email should reveal some very interesting exchanges with various high-profile individuals. Worth way more than a quarter million in my opinion....