The Great Cinema Heist (and other security issues)

It’s easy to read headlines on cyber-security breaches and feel smug. It could never happen in your organisation… but as Patrick von Sychowski explains, our sector is susceptible. Take care, take action.

 

Over-sophisticated cons netting millions are the stuff of blockbusters, but last year Pathé Netherlands Cinemas itself became the victim of a €19m scam that additionally cost several senior executives their jobs. It also highlighted the number of risks and security threats that cinemas now face as they become more connected, more data-driven and increasingly reliant on online transactions. Understandably, few major companies want to discuss openly their security breaches or threats, which can range from a terrorist strike to a cyber attack, e-ransom or so-called pwning, i.e. virtual pranks or vandalism. Cinemas are no different in this regard and, given that they carry out high volumes of electronic payment transactions while having to maintain large databases of customers and members, they are a particularly attractive target. A DCP may be hack-proof (if such a thing is ever truly possible), but the cinemas in which it plays and the people operating them are not.

In early 2018, Pathé Netherlands was robbed of more than €19m on the back of nothing more than a few emails and a bit of inside knowledge. The scam itself was far from out of the ordinary; the only really unusual thing about it was that it became public knowledge and that two senior Dutch executives lost their jobs.

Known as business email compromise (BEC) fraud, CEO impersonation fraud or spear phishing (as opposed to random so-called “Nigerian prince” email scams), this type of crime has seen French businesses (Pathé NL is itself owned by Pathé France) suffer an estimated loss of €465m since 2010, according to official figures.

The details of the case illustrate the scammers’ credibility: Pathé NL’s head Dertje Meijer received an email in March last year purporting to be from the head of Pathé France. The email sender claimed to be in very secret negotiations to buy a cinema chain in the Gulf. Over several emails, Pathé NL was asked to transfer larger and larger sums of money, but to keep the deal secret — supposedly through a KPMG employee in Canada. While both Meijer and the CTO Slutter found this unusual, they complied, and no red flags were raised at Pathé’s head office in Paris either.

Both Meijer and Slutter were suspended from their jobs after the con was discovered, with Pathé France saying it had “lost faith” in them, despite the fact that they had neither profited from nor initiated the con. Both took Pathé to court over their dismissal and at the time of writing Slutter had been partially vindicated, while Meijer’s case was still being reviewed. It is only because of these court cases that details of the scam became public knowledge. But it should serve as a warning to the industry that even smart senior industry veterans can fall victim to this type of scam. The message is clear — be on your guard.

How to hack a company: hack the staff

Contrary to popular culture, the typical cyber-attack doesn’t see a nefarious geek sat at a PC with flashing graphics touch-typing frantically against the clock in an attempt to penetrate a company’s firewall. It is easier to use what’s called ‘social engineering’, i.e. hack the people. At a basic level this involves sending an email with an attachment or a link that will allow unauthorised access to the recipient’s computer or network. Sensible companies have scanners that block suspicious attachments and ban the use of personal accounts. Even Google now flags suspicious email.

To get around this, attackers turn to the phone or to physical access. Many people reading this in the UK will have received a phone call from someone claiming to work for their bank or ‘BT Openreach’, saying there is a problem with their account/broadband and asking them to log in, confirm their details and carry out a transaction. Security experts recommend hanging up and calling your bank/broadband provider yourself on their verified number. Scammers try to stop this by injecting urgency into their communication: “money is about to be stolen from your account”, or “your broadband is about to be cut off.”

An even cleverer way is to scatter a bunch of USB memory sticks in the employee car park. These will typically only have one file on them, called something tantalising like “Employee Salary Spreadsheet”. Curiosity gets the better of whoever finds it: they plug it in and try to open the file, not realising that it might be an .exe file. The malware is now inside the company network. Not as glamorous as George Clooney in a tuxedo, but more efficient.
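A defensive check for the USB trick described above, as an added example that is not part of the original article: it flags a file whose name looks like a document but whose extension or leading bytes say it is a program. The function name, the extension lists and the sample files are assumptions constructed for illustration.

```python
from pathlib import PurePath

# A common subset of extensions Windows runs when double-clicked (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".lnk"}
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc container signature
ZIP = b"PK\x03\x04"                          # .xlsx/.docx are ZIP archives
DOC_MAGIC = {".xls": OLE2, ".doc": OLE2, ".xlsx": ZIP, ".docx": ZIP, ".pdf": b"%PDF"}
RTL_OVERRIDE = "\u202e"  # reverses displayed text, so the true extension is hidden


def inspect_file(name: str, head: bytes) -> list[str]:
    """Return the reasons a file from found media should not be opened.

    name is the file name as stored; head is the first bytes of its content.
    """
    reasons = []
    # Strip padding so "report.xlsx      .exe" yields [".xlsx", ".exe"].
    exts = [s.strip().lower() for s in PurePath(name.strip()).suffixes]
    final = exts[-1] if exts else ""
    if head.startswith(b"MZ"):
        reasons.append("content is a Windows executable (MZ header)")
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {final}")
        if any(e in DOC_MAGIC for e in exts[:-1]):
            reasons.append("document extension used as a decoy before the real one")
    elif final in DOC_MAGIC and not head.startswith(DOC_MAGIC[final]):
        reasons.append(f"content does not match {final} format")
    if RTL_OVERRIDE in name:
        reasons.append("right-to-left override character in file name")
    return reasons


# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("Employee Salary Spreadsheet.xlsx", ZIP + b"\x14\x00"),          # genuine
    ("Employee Salary Spreadsheet.exe", b"MZ\x90\x00"),               # extension hidden by default
    ("Employee Salary Spreadsheet.xlsx        .exe", b"MZ\x90\x00"),  # padded double extension
    ("Employee Salary Spreadsheet.xlsx", b"MZ\x90\x00"),              # renamed executable
]


def scan(samples):
    """Map each sample index to the list of reasons it was flagged."""
    return {i: inspect_file(n, h) for i, (n, h) in enumerate(samples)}


if __name__ == "__main__":
    for idx, why in scan(SAMPLES).items():
        print(SAMPLES[idx][0], "->", why or "no findings")
```

Checking the leading bytes matters because Windows hides known file extensions by default, so the name alone is not a reliable signal.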

Future Risks

While there is no 100% fool-proof method to prevent cyber attacks, most companies can take additional steps to improve security. Bea Alonso, business development director for media logistics in the APAC region at the OTT media platform Ooyala, recommends the following steps:

 Ensuring all network connections are secure;

 Initiating two-factor authentication;

 Performing regular network penetration testing;

 Considering digital rights management;

 Fostering discussions internally to ensure best practices.

Implement those measures and you may go some way towards protecting yourself — but it’s not foolproof. At the foot of the page are listed a handful of known industry-related attacks that took place before 2018, but we are likely to hear about even more such attacks in the future, due to a much discussed but little understood four-letter acronym… GDPR. 

GDPR? What’s that then…?

While major companies have in the past tried to cover up attacks where possible, that changed on 25 May 2018 when the General Data Protection Regulation (GDPR) came into force. While initiated by the European Union, it is not only applicable to EU countries, companies and databases, but to anyone whose database collects information about users and citizens in and from the EU. This is why post-Brexit Britain isn’t exempt and why some US online newspapers still geo-block access to their sites for readers from the EU.

While GDPR was a large enough topic for its own article (Cinema Technology, March 2018), it means that all companies and institutions have to ensure data protection for the information they store about individuals and face large fines and compulsory disclosure if they have failed to prevent data theft. In theory this even extends to losing or leaving paper files with sensitive personal information lying around, but in most cases this will be in relation to a loss relating to a data or network breach. 

Cinemas and others also have to comply with how they gather, store and use customer data, by ensuring greater transparency about what information is used for targeted marketing. Writing about GDPR for Movio’s blog in 2018, Sarah Lewthwaite noted that, “For those of us for whom customer data is a key element of our marketing strategy, this transparency should not be seen as a threat, but as an opportunity. It is an opportunity for us to build trust with customers and to strengthen our relationships with them.”

Call IT by all means, but call HR too

The increasing sophistication of machine learning (‘artificial intelligence’ in common parlance) means that cyber criminals have access to more and more advanced tools with which to target and penetrate even the most stringent defences that cinemas can mount. Often the weakest link in that chain of defence is a member of staff, meaning that while the IT department can do a lot to keep you safe, they will increasingly have to work with the HR team to ensure the only place crime ever pays is in heist movies on screen.

 

Couldn’t happen to us…

In November last year an email went out to the industry from a well-known equipment manufacturer. It read: “We regret to inform you that over the weekend, a Malware infected several key [COMPANY] servers. [COMPANY’s] global IT infrastructure was shut down as soon as we became aware of the issue, and will remain shut down until further notice. We have engaged external consultants with expertise in Malware on a 24/7 basis to assist us, however we anticipate this will take several days to resolve.”

 

In the end the malware attack took down the company’s servers for over a week. Staff had to reconstruct mailing lists and use personal emails to conduct day-to-day work. What matters is not which company it was, but that almost any company in the cinema industry, large or small, is vulnerable to this type of attack.

 

A malware attack may not necessarily be a breach so much as someone attaching a corrupted flash drive to the network or visiting a corrupted website (see “How to hack a company”, opposite).

 

One observer familiar with the situation (who declined to be named) commented that, “Doing a full scan to make certain the malware isn’t picked up across the network could take a while depending on the size of the infrastructure. Given how interconnected that network might be to outside facilities, I could see why they would want to remove the threat of it spreading externally.”

 

So the company in question was not just trying to save its own network and database, but rightly seeking to save others from being inadvertent victims. Famously hard-to-detect viruses, malware and trojans, such as Stuxnet, are designed to infiltrate, self-propagate and cause damage, all the while remaining undetected. Cyber attackers typically go for the weakest link in any defence, so the bigger and more complex a system is, the greater the chance of a breach.