In mid-December 2015, just four days after filming begun on the upcoming biopic on the life of Tupac Shakur, titled “All Eyez On Me,” the Los Angeles-based studio of Morgan Creek Productions took a security hit. “[The studio] was contacted by the Department of Homeland Security, who notified us that an individual had hacked into someone’s computer, taken the script, and was offering it for sale,” Greg Mielzarz, executive vice president of marketing and publicity at Morgan Creek Productions, tells REVOLT.
As it turned out, the finished script for the film was obtained by Alonzo Knowles, an alleged hacker, who was arrested after trying to sell a total of 15 scripts to an undercover agent for $80,000. Knowles, 23, is also responsible for stealing scripts for the Starz hit show “Power.” The Bahama native has since been charged with one count of criminal copyright infringement and one count of identity theft. He has pled not guilty to the charges.
While Morgan Creek has since taken extra precautions on security and preventing similar style infiltrations, online security expert Adam K. Levin, Chairman and founder of IDT911 and and author of “SWIPED: How to Protect Yourself In A World Full of Scammers,” believes preventing these kind of online intrusions are imperative for every company. Here Levin talks to REVOLT about the Morgan Creek Productions hack, the craziest security breach he’s seen, and the best way to share content without taking a security hit.
For the “All Eyez On Me” breach and the related items that were leaked as a result, what would you grade that hack in terms of how damaging it was?
The hack that resulted in the hijacking of the script for the Tupac biopic "All Eyez on Me" was part of a series of unauthorized intrusions into various sports and entertainment celebrity email accounts. Sensitive personal information, including Social Security numbers, was compromised. While not on the grand scale of Sony, Anthem or the US Office of Personnel Management, the theft of intellectual property and Social Security numbers makes it very serious. Such a hack can have serious economic repercussions or worse.
What’s the craziest hack you’ve ever seen and how was the victim able to recover?
The Digital Don case. It was the first case of hacking as a business model. First Dow Jones was hacked and over eight million names and email addresses were compromised. Then other financial news organizations were also hacked. Then millions of Etrade and Scott Trade accounts were breached. Then 83 million JPMorgan accounts were improperly accessed. The goal - to do pump and dump stock schemes and front run major stock announcements for stock manipulation purposes. Then off shore casinos were established to launder funds. Then accounts of competitive offshore casinos were hacked. They even compromised a company that monitored payment processors in order to cover up phony transactions charges designed to hide the flow of their ill-begotten gains.
Over 100 people were indicted worldwide with major arrests in the US. It was a scheme that netted its operators over $100 million. When the breaches were discovered, the vulnerabilities were closed and more stringent security protocols put in place. These cybercriminals built an empire, much like that of Cookie and Lucious Lyon, but instead of hit songs their currency was the sensitive personal and financial data of countless businesses and consumers.
Files get moved around a lot in entertainment, for music and scripts; what is the best way to share content with a collaborator without the fear that it can be hacked? Is there even a way to do it digitally or is analog the safest best?
In today's hack-riddled environment, entertainment organizations are moving way beyond traditional firewalls and digital watermarks as silver-bullet solutions to protecting sensitive personal information and intellectual property. Companies are investing significant dollars in encryption, layered security and continuous system monitoring that looks for unusual patterns. (Are people logging on from unknown devices?)
While it is optimal for collaborators to have access to shared accounts, somewhat like the online deal rooms used by M&A teams, it is imperative that such access is privileged (i.e., strictly limited to those who need-to-know) and can be revoked immediately if it is determined that information is either being exposed to an unauthorized individual or being removed from the secure environment.