Insider Threats in Entertainment (Part 8 of 9: Insider Threats Across Industry Sectors)

Mark Dandrea
• Insider Threat Blog

This post was co-authored by Carrie Gardner.

The Entertainment Industry is the next spotlight blog in the Industry Sector series. Movie and television producers have long entertained the public with insider threat dramas such as Jurassic Park, Office Space, or the more recent Mr. Robot. These dramas showcase the magnitude of damage that can occur from incidents involving our assumed good, trusted employees. Yet as we discuss in this post, movie producers and the entertainment industry are not immune from experiencing such incidents.

According to a SelectUSA article, the Entertainment industry is expected to be valued at $830 billion by 2022. This sector poses a prized target for malicious actors. The industry spans multiple sub-sectors, such as music, film, video gaming, theater, and hospitality, and each requires unique and individual attention for identifying insider threats and preventing insider incidents.

Of the 26 Entertainment malicious insider threat incidents in our case corpus, we identified 26 related victim organizations. Within the 26 Entertainment organizations, we identified 18 organizations classified as "Hotels, Amusement, Gambling, and Restaurants," and the remaining 8 are classified as "Content Publishers," such as media producers for TV and web services. Perhaps surprisingly, two of the subsectors under Entertainment did not have any recorded insider incidents: "Performing Arts and Spectator Sports" and "Art, Museums, and Historical Sites."

Bar chart of Entertainment Organizations Impacted by Insider Threat Incidents, 1996 to present. Hotels, Gambling, etc. organizations had 18 incidents. Content Publisher organizations had 8 incidents.

In addition to the 26 incidents where the organizations directly employed the insider, we identified 11 organizations involving a trusted business partner relationship (e.g., contractor or temporary employee).

Pie chart of Entertainment Victim Organization Relationship to Insider. In 11 organizations, or 30%, the insider was a trusted business partner. In 26 organizations, or 70%, the insider was a permanent employee.

Sector Overview

Insider incidents in the Entertainment sector contain all three of the case types (fraud, IT sabotage, and theft of intellectual property [IP]) we used to analyze data in our Industry Sector blogs. The majority of the incidents affecting Entertainment organizations are fraud cases, which account for 61.5% of all incidents.

Bar chart of Entertainment Insider Incidents by Case Type. Fraud: 16. IP Theft: 5. IT Sabotage: 4. Fraud and Theft of IP: 1.

Sector Characteristics

Given how few reported incidents involved IT sabotage or theft of IP, the following table focuses on the 5W1H (Who? What? When? Where? Why? How?) of fraud incidents. These calculations exclude instances where the data was unknown.

Insider Fraud Incidents in the Entertainment Sector

Who? Over half (55.5%) of insiders were with the victim organization for five years or more. Over two-thirds (69.2%) of insiders had an authorized account and data. Insiders ranged from ages 21 to over 51 years old with insiders in their twenties accounting for 30.7%, thirties 23%, forties 30.7%, and fifties just 15.3%. An overwhelming majority (89.5%) of the insiders were full-time employees. A majority (90%) were current employees. Several insiders occupied management (33.3%), accounting (13.3%), or other non-technical positions (40%). Some insiders occupied multiple roles.

What? Entertainment fraud incidents generally targeted theft of money (66.6%) (e.g., cash in the cash register) followed by theft of customer data, such as customer credit cards (22.2%).

When? For the incidents where attack time was known (15 total), roughly one-third (33.3%) involved activity that occurred only during regular work hours, a small percentage (6%) involved activity only outside of regular hours, while the majority (60%) of incidents involved malicious activity that occurred both outside and during regular hours.

Where? In fraud incidents where attack location was known (15 total), nearly two-thirds (60%) involved activity on site and remotely. However, over a third (40%) of these incidents involved only on-site access.

How? Of the known cases, technical methods used in fraud incidents were fairly technical. More than two-thirds (66.6%) of insiders used a skimming device, and the remaining third (33.3%) of insiders used other technical methods that were not specified. Just over one-quarter (26.6%) received their fraudulent funds by wire transfer, with just over another quarter (26.6%) abusing their access to gain fraudulent funds.

Why? Unsurprisingly, as seen with most fraud cases, the motive for all 15 fraudsters was financial gain (100%).

Analysis

The majority of insider incidents in the Entertainment sector occurred due to fraud motivated by financial gain. These insiders were usually with the company for over five years, had access to accounts and data, and were full-time employees. With most of the insiders in trusted positions, they had the means and methods to commit their crimes with relative ease.

It's interesting that despite some of the insiders being employed in non-technical positions, two-thirds of them used skimming devices, a tool generally considered to be relatively technically sophisticated. In addition to using skimmers, the insiders tended to move their funds through wire transfers or they misused their access to move funds around.

Final Thoughts

We see many movies and TV shows that depict insider threat dramas; the industry is not immune to the consequences. We identified incidents of fraud, IP theft, and sabotage across the industry, including with content publishers.

Stay tuned for the next post, in which we feature Cross-Sector Analysis, or subscribe to a feed of the Insider Threat blog to be alerted when any new post is available. For more information about the CERT National Insider Threat Center, or to provide feedback, please contact insider-threat-feedback@cert.org.
