CBS, Paramount Owner National Amusements Says It Was Hacked (techcrunch.com)
National Amusements, the cinema chain and corporate parent giant of media giants Paramount and CBS, has confirmed it experienced a data breach in which hackers stole the personal information of tens of thousands of people. TechCrunch: The private media conglomerate said in a legally required filing with Maine's attorney general that hackers stole personal information on 82,128 people during a December 2022 data breach. Details of the December 2022 breach only came to light a year later, after the company began notifying those affected last week.
According to Maine's notice, the company discovered the breach months later in August 2023, but did not say what specific personal information was taken. The data breach notice filed with Maine said that hackers also stole financial information, such as banking account numbers or credit card numbers in combination with associated security codes, passwords or secrets.
how many times do we have to say this (Score:5, Insightful)
How many times do we have to say this ? If a breach occurs and PI is stolen, the parent company needs to pay big until it hurts. Seems the only way this will ever be fixed is everyone in the US Congress, their relatives and the President have their info stolen and posted on every site with their bank accounts breached.
Re:how many times do we have to say this (Score:5, Interesting)
How many times do we have to say this ?
You can say it as many times as you want. It won't be implemented because it is an idiotic solution to the wrong problem.
Most breaches are never reported. Harsh punishment for those doing the right thing just means more will do the wrong thing.
The actual solution is to fix the broken American financial system so that companies never receive private data in the first place.
When I buy something in America, the merchant receives the following:
1. My name.
2. My CC number.
3. The expiration date.
4. The "secret" code.
5. Maybe my zipcode.
When I buy something in China, the merchant receives the following:
1. Confirmation that funds have been transferred to their bank account.
2. A one-time transaction ID.
That's it.
They can't lose what they don't have.
Re: (Score:3)
Yeah, I never went to a National Amusement park owned by Paramount, but when I went to Universal Studios, they required us to provide a thumbprint along with my ID.
Re: (Score:2)
Yeah, I never went to a National Amusement park owned by Paramount, but when I went to Universal Studios, they required us to provide a thumbprint along with my ID.
Of course they do - how else are they going to identify your charred, mangled corpse when a ride malfunctions? Just wait until they start demanding dental records...
Re: (Score:2)
Half the web sites out there require you to give them your email address, name, and other info just to read their content. Never mind credit card numbers!
Re: (Score:3)
Half the web sites out there require you to give them your email address, name, and other info just to read their content.
Perhaps, but that's not what happened in this case. From TFS: hackers also stole financial information, such as banking account numbers or credit card numbers in combination with associated security codes, passwords or secrets.
Re: (Score:3)
Half the web sites out there require you to give them your email address, name, and other info just to read their content.
Perhaps, but that's not what happened in this case. From TFS: hackers also stole financial information, such as banking account numbers or credit card numbers in combination with associated security codes, passwords or secrets.
Are you using the internet? Have you been to any medical offices or hospital? It's just about universal at this point.
All your info are belong to us. I'll go so far as to say that the universal pwnership of virtually everyone's banking information has inadvertently caused a weird form of security through obscurity. With billions of accounts to go through, the likelihood of the bad guys using yours to tap into is pretty low.
Re:how many times do we have to say this (Score:4, Interesting)
How many times do we have to say this ?
You can say it as many times as you want. It won't be implemented because it is an idiotic solution to the wrong problem.
Most breaches are never reported. Harsh punishment for those doing the right thing just means more will do the wrong thing.
The actual solution is to fix the broken American financial system so that companies never receive private data in the first place.
When I buy something in America, the merchant receives the following:
1. My name.
2. My CC number.
3. The expiration date.
4. The "secret" code.
5. Maybe my zipcode.
When I buy something in China, the merchant receives the following:
1. Confirmation that funds have been transferred to their bank account.
2. A one-time transaction ID.
That's it.
They can't lose what they don't have.
That's why, in America, I only use an Intermediary like PayPal or Apple Pay with any Random Site from which I make an Online Purchase. If $RANDOM_VENDOR wants my CC info, I will shop somewhere else if at all possible, even if I end up paying a little more.
Re: (Score:2)
The actual solution is to fix the broken American financial system so that companies never receive private data in the first place.
We Americans sooo stupid, we only country in the world where people's information is exposed, The rest of the world is 100 percent secure, never a breach, and never will be one.
Seems like you should tell us how the rest of the world has ensured perfect internet safety. Your method isn't the paradigm.
Re: (Score:2)
Most breaches are never reported. Harsh punishment for those doing the right thing just means more will do the wrong thing.
So make it illegal to not report the breach, and make it double the punishment when it comes out, and oh yeah, not only protect but reward whistleblowers.
Re: (Score:3)
If you punish the victims, you will not solve the crime problem.
Most Americans already HAVE had their info stolen and posted, and their bank accounts breached, more than once. Most of us realize that it's the criminals we should target, not the good guys.
Re: (Score:3)
What actually needs to happen is the people collecting this information to be held liable when it's stolen. When the cost of taking responsibility for holding it becomes prohibitive, companies will stop collecting it. As you pointed out yourself, most of the information collected is unnecessary for completing the transaction. Information that isn't collected isn't available to be stolen.
Re: (Score:2)
Almost.
Companies that collect personal information should be held responsible to take reasonable efforts to protect it. This is like a landlord being required to keep door locks in good working order. Doing so will not prevent 100% of thefts, but demonstrates good faith.
Personal information, like it or not, is a commodity in this internet age. People don't *really* want privacy, they want free and cheap stuff, and free isn't really free. Companies pay for these free and cheap things by collecting data on yo
Re: (Score:2)
The first problem with your analogy is that a residence requires a door to function, the companies collecting the information do not need it to function, they simply wish to monetize it. And I'm fine with that, with the provision that if they're going to collect it, they had better secure it, preferably under pain of legal penalties.
This isn't exactly a novel or radical proposal. Pre-internet, the assumption was that the individual owned his own information. If a media company caught you on camera, they cou
Re: (Score:2)
I'm not suggesting that companies should get a free lunch. They should make reasonable efforts to secure their data. My beef is that every time there is a breach, the automatic reaction is that the company must have been negligent, and must be punished. That is not the case, 90% of the time. Most large corporations take security very seriously, but hackers will get around even the best security precautions.
Re: (Score:2)
I'm going to quibble with the "reasonable" standard here. If we're talking about data that is necessary for the transaction to be performed, then I'm fine with "reasonable", as there's no way to avoid collecting the data.
But optional data that the company is collecting for its own convenience or profit? Nope. If you're collecting it, you're responsible for it, and if you can't guarantee its security, then you have no business collecting it. If you're going to go above and beyond, then you have voluntaril
Re: (Score:2)
No company can *guarantee* the security of the data it holds. No law will ever hold them to this standard. If that is YOUR standard, you'd better stop using the web. By using web sites that collect your data (which is all of them), YOU voluntarily assume some of the risk that the data could be lost in a breach.
Re: (Score:2)
No company can *guarantee* the security of the data it holds.
And I can't think of a better reason as to why they should be discouraged from collecting unnecessary data in the first place. If they're going to subject their customers to unnecessary risks, I see no reason they shouldn't share in them as well.
Re: (Score:2)
Put your money where your mouth is, and stop using Slashdot and any other site that collects your data.
Re: (Score:2)
Most large corporations take security very seriously, but hackers will get around even the best security precautions.
This is why we used to follow best practices of: "Only collect what you need. Don't keep it longer than you need it."
Then someone discovered we could analyze and data-mine random information for valuable insights... and now standard practice is: "Gather everything you can. Keep it forever."
Re: (Score:2)
This isn't exactly a novel or radical proposal. Pre-internet, the assumption was that the individual owned his own information. If a media company caught you on camera, they couldn't broadcast or publish it without you signing a release. When was the last time you saw that happen?
False. (In the USA at least)
Your information is information you possess, not information about you. Information has always belonged to the one that collects it. I own the information that I have about you. Subject to slander/libel laws I can share it with others. I can write a biography if I choose. I hold copyright on photographs I take. I can publish them as I chose (subject to advertising-use limitations).
That said, I agree with your idea that companies should be responsible for protecting the data
Re: (Score:2)
I hope you are right, but I think we both know what will really happen:
1. Breach Happens.
2. If against large company, bribes, oh I mean campaign contributions, go up.
3. Large Companies get a "buy".
4. Small family businesses, get to be sued and the owners become homeless.
To me, most (or all) of these cyber security bills are just fund raisers for politicians and their lawyer friends.
And? Consequences for the cretins responsible? (Score:3)
No? So nothing will change and this crap will continue.
Those responsible will be "management", not any security engineers that were underpaid, underqualified, overworked and ignored.
Re: (Score:2)
"Consequences?" Do you jest? This is America, consequences are for other people.
Re: (Score:3)
Uh, this story is about a Canadian company.
Re: (Score:2)
National Amusements is an American company. https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Oh, they used to be illegal in the USA because Paramount can't be linked to movie screens.... now I see they spun off.
Re: (Score:2)
Wrong. Those responsible are the hackers that broke in and stole what they wanted. There is no such thing as "enough" security. By your logic, we should prosecute the owners of San Francisco Nordstrom after the flash mob walked in and stole all the merchandise, endangering the lives of shoppers and employees in the process. They should have had better locks on their doors, don't you know!
Re: (Score:2)
Ever heard of due diligence or gross negligence? Apparently not. Of course, with the threat landscape being known, those that do not adequately prepare to defend against attacks share responsibility for the damage that happens.
As you seem to be completely disconnected from reality, here is an example from another field: https://www.justia.com/real-es... [justia.com]
Re: (Score:2)
No one has proven or even accused National Amusements of negligence. You are just ASSUMING they were negligent because they were hacked.
Your document covering landlords is a good analogy. If a landlord generally maintains their property and keeps locks repaired and in working order, they are complying with what is expected of a landlord. If a thief discovers that one of the door locks isn't quite latching all the way, and uses that vulnerability to break in and steal stuff, two things are true: 1) the landl
Re: (Score:2)
No one has proven or even accused National Amusements of negligence. You are just ASSUMING they were negligent because they were hacked.
Nope. I _know_ they were negligent because they were hacked. They are not a high enough value target for the really good hackers, so some mediocre ones got in. That only happens if they were negligent. Well, it could happen if some of their staff did intentional sabotage.
Re: (Score:2)
Nope. I _know_ they were negligent because they were hacked.
Ah, I see. So EVERY security breach results only from negligence. Any security precautions short of perfection aren't good enough for you. Apparently you live in a different world than I do, because there are *always* security imperfections, whether it's digital or physical security. And apparently you've never actually had to implement a cybersecurity regimen. It's easy to criticize the football players' mistakes when you're sitting in the stands.
Re: (Score:2)
You seem to not be very smart, because that is not what I said.
Re: (Score:2)
I quoted your exact words, I think it is exactly what you said.
If you _know_ they were negligent because they were hacked, then apparently you are saying that every breach results from negligence.
What did I miss, exactly? Please help a dummy like me understand.
WTF (Score:3)
How does a company named "National Amusements" come to own Paramount and CBS?
Re: (Score:2)
It was the original business of theater chains started by the Redstone family and through a sordid tale of mergers, acquisitions and spinoffs it's the media entity it is today. It's kinda always owned some portion of those entities.
Re: (Score:2)
It's Canada speaking there... they don't have "Hollywood" in Canada, so National Amusements is somehow the only way they can see CBS/Paramount projects.
Stole? (Score:2)
Actually, they (mis)configured their servers to give all that data to hackers upon request.
If the messaging were changed to the more accurate "National Amusements gave hackers the personal information of tens of thousands of people," the public blowback might be enough to convince large companies to stop outsourcing their IT to the lowest bidder.
Re:Stole? (Score:4, Informative)
If a low-paid store employee accidentally leaves the back door open, and thieves come in and steal all the merchandise, it's still stealing. The store didn't "give away" their merchandise because they "misconfigured" the door lock. On the internet, there is no such thing as "adequate" security. Without enforcement against the hackers, nothing will change. No amount of fines against the merchants will change this.
Re:Roads Should be Private (Score:2)
That's not how servers work. You have to request information, and the server either gives it to you ("200 OK") or refuses and says you aren't authorized ("401 Unauthorized" or "403 Forbidden"). In this case, the server voluntarily gave the hackers the information they requested. Is it stealing when somebody who is authorized to give you something gives it to you on acc
Re: (Score:3)
The law relies heavily on *intent.* Was it the intent of the designers, to give you the information? Was it the intent of the store owner to give away free stuff? Would a *reasonable* customer / client understand that the server / clerk didn't intend to give away free stuff?
There certainly could be some gray areas here, but under the law, if the server wasn't intended to give away the information, and the client knew or should have known that it wasn't authorized to receive the information, then yes it is s
Re: (Score:2)
Negligence does not require intent.
Re: (Score:2)
Negligence does have to be proven, it is not assumed, just because there was a breach.
Re: (Score:2)
Are you trolling or do you have a real-world example of a data breach that was unpreventable?
Re: (Score:2)
I would suggest that ALL data breaches you hear about in the news, were unpreventable. Here's why.
I run a small genetic genealogy web site, with about 400 users. I regularly see attempted data breaches, dozens per year. I see things like attempts to access wp_admin, even though my site is not a WordPress site. So far, all of these dozens of attempts have failed. One day, one attempt may succeed. That's the one people will hear about.
If my tiny web site regularly faces attempted breaches, I have no doubt tha
Re: (Score:2)
Your inability to come up with a real-world example of an unpreventable data breach to support your claim that "Negligence does have to be proven, it is not assumed, just because there was a breach." proves that you are a troll.
Re: (Score:2)
I said, ALL of them. But here are some examples:
Stuxnet https://en.wikipedia.org/wiki/... [wikipedia.org]
Heartbleed https://en.wikipedia.org/wiki/... [wikipedia.org]
Solar Winds https://en.wikipedia.org/wiki/... [wikipedia.org]
All of these hacks involved previously unknown vulnerabilities, and were therefore unpreventable. In the case of Heartbleed, the hack involved open source code that contained the vulnerability for about two years before anyone found it, proving that using open source code is no defense against hacks.
Re: (Score:2)
Stuxnet: Having proper encryption and key management possibly could have prevented a disaster like this from happening. [townsendsecurity.com]
Heartbleed: Heartbleed is fundamentally a coding mistake and one that could have been prevented. [cmu.edu]
Solar Winds: In June 2018, Network Engineer D found a "security gap" related to SolarWinds' virtual private network, which allowed access from laptops or phones not managed by the company. When he flagged the problem to SolarWinds' security managers and proposed a solution, they pushed back. [bloomberg.com]
If
Re: (Score:2)
Now you are substituting people's opinions (these vulnerabilities "could have been" prevented) for the reality of life (people are imperfect, there will always be new vulnerabilities that slip by people with the very best of intentions).
If these vulnerabilities "could have been" prevented, why weren't they?
And what has changed, or could change, to prevent such events in the future? Oh yeah, you want harsh penalties, because the penalties for the above three hacks weren't harsh enough to provide proper motiv
I know you're not supposed to support hackers (Score:2)
But with how shady the media industry is I would kinda like to see a big dump like we got with Sony years back. A new batch of info on how the streaming economics and decisions really work.
Re: (Score:2)
Uh, you must be new here.
Illegally making a copy is enough to claim piracy, which is a form of stealing.
And this happens while there are talks of a merger (Score:2)
So, are Warner Discovery or NetFlix sure they want to buy this DumpsterFire?
And is Formula1 Sure they want to continue partnering with this dumpster fire?
Security breaches have consequences, and, sadly at least until further legislation and meaningful fines are imposed, the reputational ones are the ones that actually have teeth
Canadian perfection fail. (Score:1)
National Amusements theaters only exist in Canada. Maine's involvement is for people who cross the border there.
This is the first Canadian hacking we've seen in a while...
Is it not odd (Score:2)
When Paramount, Fox and MGM owned theaters, it was called a trust and they were forced to divest.
Now, companies like National Amusements own those theaters... And the company that supplies the concessions (look up National Amusements)... And the studios.
So, when you go to the theater and they tell you popcorn is $10 because the studio charges them so much for the movies that "this the only way to stay afloat"; Understand, the studio pays National Amusements a chunk of what they collect from the theater; The