
HBO offered its hackers $250,000 after attack, leaked email claims


August 14, 2017


The fallout from the HBO hack, which has already seen “Game of Thrones” scripts and episodes leaked online, the distribution of stars’ email addresses and personal phone numbers, and million-dollar demands for an alleged haul of 1.5 terabytes of TV shows and corporate information, continues to get worse.

This weekend saw the hackers leaking unaired episodes of other HBO series, including “Insecure”, “Ballers” and “Curb Your Enthusiasm”.

None of those shows are likely to make as much of a kerfuffle online as “Game of Thrones”, but what is making headlines is what purports to be a leaked email from an HBO employee to the hackers, proposing a $250,000 “bug bounty” reward for uncovering security vulnerabilities on its network.

Part of the email reads as follows:

“As you may know, we have a bug bounty program to reward “white hat” IT professionals who bring these types of things to our attention. We also have been working very hard since Sunday evening to review all of the material that you have made available to us. We simply have not been able to do so. We also have not been able to put into place the necessary infrastructure to be able to make a large payment in bitcoin, although we are taking steps to do so as you suggested.

“You have the advantage of having surprised us. In the spirit of professional cooperation, we are asking you to extend your deadline for one week. As a show of good faith on our side, we are willing to commit to making a bug bounty payment of $250,000 to you as soon as we can establish the necessary account and acquire Bitcoin, or we can wire the funds as soon as you give us the account information.”

If the email is genuine, it appears that HBO was prepared to negotiate with its blackmailers as it played for more time. However, even when dressed up as a “bug bounty” payment, it’s clear that the sums involved are much lower than the over six million dollars’ worth of Bitcoin being demanded by the extortionists.

The leaked email is at odds with HBO’s official position, which is that it is “not in communication with the hacker”, and that it is unwilling to continue to comment every time more information leaks onto the internet.

“The hacker may continue to drop bits and pieces of stolen information in an attempt to generate media attention. That’s a game we’re not going to participate in,” an HBO spokesperson is reported as saying. “Obviously, no company wants their proprietary information stolen and released on the internet. Transparency with our employees, partners and the creative talent that works with us has been our focus throughout this incident and will remain our focus as we move forward. This incident has not deterred us from ensuring HBO continues to do what we do best.”

For now it seems that the hackers have plenty more data to leak online, and there’s no sign that they will stop their regular weekend dumps anytime soon. Of course, the more the hackers leak, the less likely it becomes that HBO will accede to their demands, for the simple reason that the company will have less and less to lose.

My view is that giving in to corporate extortionists is fraught with problems, not least that there is no guarantee that you will not be blackmailed for even more money in future, or that you will not encourage others to attempt similar crimes against a company which has already proven itself willing to play the criminals’ game.

Of course, realising that your company is being blackmailed is a ghastly situation to find yourself in. Let’s hope that other organisations spend a little time imagining how they would react if they were in HBO’s shoes, and take the right steps now to harden their security and reduce the chances that their network will be the next one to be targeted by criminal extortionists.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
