Data Breaches in the Entertainment and Media Industry: What You Need to Know

From the damage caused by lockdowns to the erosion of consumer spending power amid spiraling inflation, the entertainment and media industry has faced considerable headwinds in recent years. Having weathered the storm, industry revenues rose 5% in 2023 to hit $2.8 trillion and could pass $3 trillion by 2028. However, when it comes to protecting the data that underpins it from breaches by hackers, resilience is often lacking, exposing organizations to disruption, reputational damage, and financial penalties.

These data breaches could be compared to life-imitating art due to their resemblance to blockbuster movies about the murky world of hacking. It’s up to organizations in this space to consign successful cyber-attacks to the big screen by recognizing the importance of data to the industry and taking proactive measures to safeguard it.

Data breaches in Entertainment and Media

Personal data: a core asset of the industry

From unlocking access to online services to providing deep insights into audience preferences, data is a core asset of the entertainment and media industry.

Powering the shift online

The entertainment and media industry has undergone a digital transformation amid a shift online that was proliferated by pandemic-induced lockdowns. This is underscored by the rapid rise of streaming services, which have transformed how content is produced, distributed, and consumed. 

These services allow consumers to view a vast array of content from the comfort of their homes or on the move via smart devices. To access this convenience, they must set up accounts and enter sensitive personal data on streaming sites, including credit card details and emails. 

It’s a similar story in the online gaming sphere, which has gained attention for the scale of its global revenue. In 2022, the global gaming industry generated an estimated $184.4 billion, compared to the global recorded music and movie industries, which generated around $26 billion each, respectively—an eyewatering amount that depends on consumers providing personal data online to sign up for and purchase gaming services. 

Leveraging user data to provide a better service

Content is the lifeblood of the entertainment and media industry. Creating engaging material requires access to consumer data that enables companies to understand and cater to audience preferences, optimize content strategies, and drive personalized experiences. Nowhere is this more prevalent than in the streaming world, where popular platforms like Netflix and Spotify harness user data to provide them with a better service and improve marketing.

This process involves different layers of data collection that include third parties:

• The platform collects first-party data directly from its users, including names, email addresses, account details, and subscription plans. 

• Second-party user data, such as demographic and geographic data, is collected and exchanged by partners. 

• Third-party data, including behavioral data, is gathered by specific data providers, for example, for marketing purposes.

Data breaches 

The entertainment and media industry’s ever-increasing dependence on the internet is expanding its attack surface exponentially, making it an attractive target for cybercriminals. In their sights is the ocean of personal data that’s exposed by weak cybersecurity controls – an all-too-common scenario that has led to several notable data breaches.

Disney

A massive data breach at entertainment behemoth Disney in July 2024 occurred when hackers gained access to public and private Slack channels within the company – exposing over 4 million Slack messages, 18,800 spreadsheets, and 13,000 PDFs – and leaked compromised data. In addition to financial company data that could be used to hold it to ransom, the leak contained personally identifiable information of Disney employees and customers – including passport numbers, visa details, and contact information.  

Nintendo

In April 2020, Nintendo was the target of a data breach in which 300,000 customer accounts were compromised. The data exposed in the breach included credit card information, email addresses, geographic locations, names, and Nintendo Network ID usernames.

Hackers targeted the Nintendo Network ID (NNID) system, which lacked two-factor authentication, using methods like phishing. Having gained unauthorized access to personal information and saved payment details, some users experienced fraudulent transactions on their accounts. 

CAM4

In March 2020, the Cam4 data breach was reported as the largest data leakage in history. Over 10 billion data records were exposed by the adult streaming site due to a misconfigured Elasticsearch database – an internal search engine used by employees to scan user and activity logs. This left data vulnerable to anyone with an IP address, including first and last names, payment logs, email addresses, and password hashes.

Intellectual property: holding the industry to ransom

The entertainment and media industry is powered by creativity. From scripts to the screen, this takes the form of intellectual property (IP) – the ownership of any creation of the mind or ideas or designs by a person, including screenplays, scripts, films, songs, compositions, sound recordings, TV shows, video games, and animations.

In the wrong hands, IP can be leveraged for financial gain by demanding a ransom from the owner to prevent it from being released or sold. Sometimes it’s all bravado due to the high profile of the hacked data. Before they can make their fraudulent demands or claim bragging rights in hacking circles, cybercriminals must compromise the data – something they’ve become adept at, as demonstrated by the Rockstar Games hack in 2022.

Rockstar Games

In September 2022, a hacker harnessed social engineering techniques to compromise an employee's login credentials at Rockstar Games. They used this information to breach the Rockstar Games network and access the source code for Grand Theft Auto 5 and the in-development version of Grand Theft Auto 6. The hacker then posted on GTAForums claiming they wanted to “negotiate a deal” with Rockstar Games for the return of the unreleased data.

Impact of data breaches on the industry

The entertainment and media industry’s reliance on digital platforms, IP, and consumer trust means data breaches can significantly impact organizations – operationally, financially, and reputationally.

• Operational disruption

Data breaches resulting in ransom demands for compromised IP can cripple production schedules, disrupt broadcasting, or delay releases. Moreover, third-party risk can indirectly disrupt operations if sensitive data held by a vendor or partner is compromised.

• Financial loss

Data breaches can cause significant financial losses resulting from ransom payments linked to leaked IP, legal and regulatory penalties under laws like the GDPR, the cost of remediation, and lost revenue due to the disruption of business operations.

• Reputational damage

Consumers may hesitate to engage with a streaming platform or purchase content from a company that has failed to safeguard their personal data. High-profile breaches can tarnish a company's reputation, eroding audience loyalty and damaging brand image.

Preventing data breaches

To shield themselves from data breaches, organizations in the entertainment and media industry must adopt a multi-faceted approach to cybersecurity that combines three key strategies: robust access controls, employee training, and adherence to best practices. 

Access controls

Robust access controls protect sensitive data by regulating who can access it – and in what circumstance. Common controls include: 

• MFA

Multi-factor authentication (MFA) offers an extra layer of security when accessing systems and applications. In addition to providing their password, users must enter additional information, such as a code sent to their phone or a biometric scan, to log into an account.

• Data encryption

Data encryption builds trust with users by demonstrating a commitment to maintaining the confidentiality and integrity of submitted data. It harnesses robust encryption algorithms, public and private keys, and a trusted certificate infrastructure. 

Employee training

Employees should be empowered to recognize and respond to potential cybersecurity threats resulting from data breaches. This requires training on identifying phishing emails, promptly reporting suspicious activity or potential vulnerabilities, and responding in the event of a cyber-attack.

Adherence to best practices

Data handling policies, procedures, and tools provide the structure needed to adhere to best practices. They must be transparent and implemented throughout the organization to ensure everyone understands the correct data management practices – from collection, use, and processing to transfer, disposal, and sharing.

Data Instilling resilience in the industry

From financial gain to malice and bravado, the motivation to compromise data created and held by the entertainment and media industry is multi-faceted amid its ever-widening attack surface and high profile. Whether targeting personal user data to commit fraudulent activities or highly valued IP to demonstrate their hacking prowess, the industry offers rich pickings for cybercriminals.

This perfect storm of motivation and opportunity for these bad actors to compromise industry data amplifies the need for robust access controls, focused employee training, and adherence to best practices. By adopting a comprehensive approach to cybersecurity, organizations within the industry can instill the resilience needed to safeguard the data that underpins it.