Hackers are threatening to release a treasure trove of private data stolen from one of Hollywood’s top talent law firms if it doesn’t pay a $42 million ransom — and experts say companies are increasingly vulnerable to attacks like this because their employees are working remotely during the novel coronavirus pandemic.
Grubman Shire Meiselas & Sacks earlier this month was hit by a ransomware attack — with a group called REvil taking responsibility for the hack and posting online part of a Live Nation employment contract for Madonna’s recent world tour as proof that they stole 756 gigabytes of data. On Thursday, the group released documents pertaining to Lady Gaga in retaliation for the firm’s refusal to pay the initial $21 million ransom. It says from now on it will auction off one person’s file each week, beginning with Madonna’s on May 25. (The group is also threatening to release harmful information related to President Donald Trump, but he’s never been a client of Grubman Shire.)
The firm, which also reps the likes of Bruce Springsteen, Usher and Priyanka Chopra Jonas, said in a Monday statement to The Hollywood Reporter that it’s working closely with law enforcement and its clients have been overwhelmingly supportive.
“The leaking of our clients’ documents is a despicable and illegal attack by these foreign cyberterrorists who make their living attempting to extort high-profile U.S. companies, government entities, entertainers, politicians and others,” a spokesman for the firm said. “We have been informed by the experts and the FBI that negotiating with or paying ransom to terrorists is a violation of federal criminal law. Even when enormous ransoms have been paid, the criminals often leak the documents anyway.”
Since the novel coronavirus pandemic began shutting down physical offices across the country in mid-March, countless employees have been working from home. The mix of societal distraction, stress and blurred lines between personal and company equipment is a recipe for cybersecurity disaster.
“Ransomware is often spread through phishing emails, macros embedded in attachments or by visiting ‘infected’ websites,” says one data privacy and security expert for a multinational law firm. “Employees may be on heightened alert for suspicious emails or be blocked from certain websites when they are in their office, but they may have their guard down or may not be limited by the in-office security controls when they are working from home or on their own devices.”
Robert Kang, an adjunct professor of cyber-risk management at Loyola Law School, expects that demand for cyber professionals will skyrocket with many companies turning to in-house cyber lawyers, something he says is long overdue. “Malicious actors are exploiting the confusion caused by the pandemic to engage in cybercrime,” says Kang. “The increased volume of remote workers is stress-testing many companies’ cyber defenses like never before.”
He likened an in-office operation with solid cybersecurity to a castle surrounded by impenetrable walls. “Each remote worker is like building an outpost away from the castle — but with a tunnel to it,” says Kang. “In other words, increasing the number of remote workers increases the number of targets that a malicious actor can attack. That’s why guarding each outpost is so crucial.”
A simple, common error could cause big cracks in a company’s armor: delaying the installation of operating system updates. “They could have critical security updates they’ve never done that allow a hacker to come in,” says Hemanshu Nigam, a former chief security officer of News Corp. who advises Hollywood talent, professional athletes and companies on cybersecurity. “Once a hacker is in your laptop they follow you right into the company even if you’re using a secure VPN.”
Nigam says hackers are aware there’s a high demand for information on the spread of coronavirus and they’re customizing their phishing emails to focus on that content. “There’s an obsession with getting constantly updated on the pandemic,” he says. “It’s always in the back of all of our minds even if we’re focused on our work.”
He recommends hiring white-hat hackers to do penetration testing and find areas of vulnerability within the company. “We’re actually doing this for a major white-label company right now, asking their employees to click on links related to COVID-19,” he says. “Then we’re going to train employees on all the clues we buried into the phishing email that people should have noticed and known it was fake.”
Hackers are looking for “efficiency, speed and easy access,” says Nigam, who also worked as a federal prosecutor specializing in computer crimes. “It’s no different from guys who break into cars. They’ll walk from car to car, lifting door handles.”
While Kang says the “best line of defense is hiring a dedicated security team,” he and the other experts agree there are a few key steps companies can take to avoid becoming an easy target: require employees to install updates or remove their administrative access and do it for them; use a virtual private network (VPN); train employees on phishing emails; make sure everyone is using a secure Wi-Fi connection with a strong password; use a content management system that allows extra layers of security for sensitive documents; make sure essential documents are backed up so they can be more easily restored if the company is hacked; and require two-factor authentication to access company systems whenever possible.
The last one, two-factor authentication, requires having not only a password but also physical access to a device that receives a one-time-use code. “A hacker isn’t going to be holding your phone,” says Nigam. “It may take an extra 10 to 15 seconds, but that 10 to 15 seconds can save the company millions of dollars in costs of recovery and reputational damage.”
For individuals who may be affected by a hack during the crisis, the experts advise taking steps to monitor and freeze credit and signing up for a service like LifeLock that proactively scans the dark web for your information. Especially in Hollywood, it’s important to remember the rich and famous are extremely valuable marks.
“If you are in that category, you should be ultra-aware you’re a target,” says Nigam. “When hackers see news that one major talent law firm got hacked, you get a lot of copycat hackers waking up and saying, ‘Let’s try that.’ It proves to the hacking community that there’s gold at the end of that attack.”
Here’s the full statement from Grubman Shire’s spokesperson:
“Our elections, our government and our personal information are under escalating attacks by foreign cybercriminals. Law firms are not immune from this malicious activity. Despite our substantial investment in state-of-the-art technology security, foreign cyberterrorists have hacked into our network and are demanding $42 million as ransom. We are working directly with federal law enforcement and continue to work around the clock with the world’s leading experts to address this situation.
The leaking of our clients’ documents is a despicable and illegal attack by these foreign cyberterrorists who make their living attempting to extort high-profile U.S. companies, government entities, entertainers, politicians, and others. Previously, the United States Department of Defense, HBO, Goldman Sachs, as well as numerous state and local governments have been victims of similar cybercriminal attacks.
We have been informed by the experts and the FBI that negotiating with or paying ransom to terrorists is a violation of federal criminal law. Even when enormous ransoms have been paid, the criminals often leak the documents anyway.
We are grateful to our clients for their overwhelming support and for recognizing that nobody is safe from cyberterrorism today. We continue to represent our clients with the utmost professionalism worthy of their elite stature, exercising the quality, integrity and excellence that have made us the number-one entertainment and media law firm in the world.”
This article was originally published by The Hollywood Reporter.