Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

CBS, Paramount Owner National Amusements Says It Was Hacked (techcrunch.com) 62

National Amusements, the cinema chain and corporate parent giant of media giants Paramount and CBS, has confirmed it experienced a data breach in which hackers stole the personal information of tens of thousands of people. TechCrunch: The private media conglomerate said in a legally required filing with Maine's attorney general that hackers stole personal information on 82,128 people during a December 2022 data breach. Details of the December 2022 breach only came to light a year later, after the company began notifying those affected last week.

According to Maine's notice, the company discovered the breach months later in August 2023, but did not say what specific personal information was taken. The data breach notice filed with Maine said that hackers also stole financial information, such as banking account numbers or credit card numbers in combination with associated security codes, passwords or secrets.

This discussion has been archived. No new comments can be posted.

CBS, Paramount Owner National Amusements Says It Was Hacked

Comments Filter:
  • by jmccue ( 834797 ) on Tuesday December 26, 2023 @09:23PM (#64107985) Homepage

    How many times do we have to say this ? If a breach occurs and PI is stolen, the parent company needs to pay big until it hurts. Seems the only way this will ever be fixed is everyone in the US Congress, their relatives and the President have their info stolen and posted on every site with their bank accounts breached.

    • by ShanghaiBill ( 739463 ) on Tuesday December 26, 2023 @09:35PM (#64108007)

      How many times do we have to say this ?

      You can say it as many times as you want. It won't be implemented because it is an idiotic solution to the wrong problem.

      Most breaches are never reported. Harsh punishment for those doing the right thing just means more will do the wrong thing.

      The actual solution is to fix the broken American financial system so that companies never receive private data in the first place.

      When I buy something in America, the merchant receives the following:

      1. My name.
      2. My CC number.
      3. The expiration date.
      4. The "secret" code.
      5. Maybe my zipcode.

      When I buy something in China, the merchant receives the following:

      1. Confirmation that funds have been transferred to their bank account.
      2. A one-time transaction ID.

      That's it.

      They can't lose what they don't have.

      • Yeah, I never went to a National Amusement park owned by Paramount, but when I went to Universal Studios, they required us to provide a thumbprint along with my ID.

        • by Briareos ( 21163 )

          Yeah, I never went to a National Amusement park owned by Paramount, but when I went to Universal Studios, they required us to provide a thumbprint along with my ID.

          Of course they do - how else are they going to identify your charred, mangled corpse when a ride malfunctions? Just wait until they start demanding dental records...

      • Half the web sites out there require you to give them your email address, name, and other info just to read their content. Never mind credit card numbers!

        • Half the web sites out there require you to give them your email address, name, and other info just to read their content.

          Perhaps, but that's not what happened in this case. From TFS: hackers also stole financial information, such as banking account numbers or credit card numbers in combination with associated security codes, passwords or secrets.

          • Half the web sites out there require you to give them your email address, name, and other info just to read their content.

            Perhaps, but that's not what happened in this case. From TFS: hackers also stole financial information, such as banking account numbers or credit card numbers in combination with associated security codes, passwords or secrets.

            Are you using the internet? Have you been to any medical offices or hospital? It's just about universal at this point.

            All your info are belong to us. I'll go so far as to say that the universal pwnership of virtually everyones banking information has inadvertently caused a weird form of security through obscurity. With billions of accounts to go through, the likelihood of the bad guys using yours to tap into are pretty low.

      • by NoMoreACs ( 6161580 ) on Wednesday December 27, 2023 @07:25AM (#64108683)

        How many times do we have to say this ?

        You can say it as many times as you want. It won't be implemented because it is an idiotic solution to the wrong problem.

        Most breaches are never reported. Harsh punishment for those doing the right thing just means more will do the wrong thing.

        The actual solution is to fix the broken American financial system so that companies never receive private data in the first place.

        When I buy something in America, the merchant receives the following:

        1. My name.
        2. My CC number.
        3. The expiration date.
        4. The "secret" code.
        5. Maybe my zipcode.

        When I buy something in China, the merchant receives the following:

        1. Confirmation that funds have been transferred to their bank account.
        2. A one-time transaction ID.

        That's it.

        They can't lose what they don't have.

        That's why, in America, I only use an Intermediary like PayPal or Apple Pay with any Random Site from which I make an Online Purchase. If $RANDOM_VENDOR wants my CC info, I will shop somewhere else if at all possible, even if I end up paying a little more.

        • The actual solution is to fix the broken American financial system so that companies never receive private data in the first place.

          We Americans sooo stupid, we only country in the world where people's information is exposed, The rest of the world is 100 percent secure, never a breach, and never will be one.

          Seems like you should tell us how the rest of the world has insured perfect internet safety. Your method isn't the paradigm.

      • Most breaches are never reported. Harsh punishment for those doing the right thing just means more will do the wrong thing.

        So make it illegal to not report the breach, and make it double the punishment when it comes out, and oh yeah, not only protect but reward whistleblowers.

    • If you punish the victims, you will not solve the crime problem.

      Most Americans already HAVE had their info stolen and posted, and their bank accounts breached, more than once. Most of us realize that it's the criminals we should target, not the good guys.

      • What actually needs to happen is the people collecting this information to be held liable when it's stolen. When the cost of taking responsibility for holding it becomes prohibitive, companies will stop collecting it. As you pointed out yourself, most of the information collected is unnecessary for completing the transaction. Information that isn't collected isn't available to be stolen.

        • Almost.

          Companies that collect personal information should be held responsible to take reasonable efforts to protect it. This is like a landlord being required to keep door locks in good working order. Doing so will not prevent 100% of thefts, but demonstrates good faith.

          Personal information, like it or not, is a commodity in this internet age. People don't *really* want privacy, they want free and cheap stuff, and free isn't really free. Companies pay for these free and cheap things by collecting data on yo

          • The first problem with your analogy is that a residence requires a door to function, the companies collecting the information do not need it to function, they simply wish to monetize it. And I'm fine with that, with the provision that if they're going to collect it, they had better secure it, preferably under pain of legal penalties.

            This isn't exactly a novel or radical proposal. Pre-internet, the assumption was that the individual owned his own information. If a media company caught you on camera, they cou

            • I'm not suggesting that companies should get a free lunch. They should make reasonable efforts to secure their data. My beef is that every time there is a breach, the automatic reaction is that the company must have been negligent, and must be punished. That is not the case, 90% of the time. Most large corporations take security very seriously, but hackers will get around even the best security precautions.

              • I'm going to quibble with the "reasonable" standard here. If we're talking about data that is necessary for the transaction to be performed, then I'm fine with "reasonable", as there's no way to avoid collecting the data.

                But optional data that the company is collecting for it's own convenience or profit? Nope. If you're collecting it, you're responsible for it, and if you can't guarantee it's security, then you have no business collecting it. If you're going to go above and beyond, then you have voluntaril

                • No company can *guarantee* the security of the data it holds. No law will ever hold them to this standard. If that is YOUR standard, you'd better stop using the web. By using web sites that collect your data (which is all of them), YOU voluntarily assume some of the risk that the data could be lost in a breach.

                  • No company can *guarantee* the security of the data it holds.

                    And I can't think of a better reason as to why they should be discouraged from collecting unnecessary date in the first place. If they're going to subject their customers to unnecessary risks, I see no reason they shouldn't share in them as well.

              • Most large corporations take security very seriously, but hackers will get around even the best security precautions.

                This is why we used to follow best practices of: "Only collect what you need. Don't keep it longer than you need it."

                Then someone discovered we could analyze and data-mine random information for valuable insights... and now standard practice is: "Gather everything you can. Keep it forever."

            • This isn't exactly a novel or radical proposal. Pre-internet, the assumption was that the individual owned his own information. If a media company caught you on camera, they couldn't broadcast or publish it without you signing a release. When was the last time you saw that happen?

              False. (In the USA at least)

              Your information is information you possess, not information about you. Information has always belonged to the one that collects it. I own the information that I have about you. Subject to slander/libel laws I can share it with others. I can write a biography if I choose. I hold copyright on photographs I take. I can publish them as I chose (subject to advertising-use limitations).

              That said, I agree with your idea that companies should be responsible for protecting the data

    • by bn-7bc ( 909819 )
      well in the future the company being breached wiill have to report itr to the sec (at lest te publicly listed ones) see https://www.sec.gov/news/press... [sec.gov] so this might help a bit
      • by jmccue ( 834797 )

        I hope you are right, but I think we both know what will really happen:

        1. Breach Happens.

        2. If against large company, bribes, oh I mean campaign contributions, go up.

        3. Large Companies get a "buy".

        4. Small family businesses, get to be sued and the owners become homeless.

        To me, most (or all) of these cyber security bills are jsut fund raisers for politicians and their lawyer friends.

  • by gweihir ( 88907 ) on Tuesday December 26, 2023 @09:24PM (#64107987)

    No? So nothing will change and this crap will continue.

    Those responsible will be "management", not any security engineers that were underpaid, underqualified, overworked and ignored.

    • "Consequences?" Do you jest? This is America, consequences are for other people.

    • Wrong. Those responsible are the hackers that broken in and stole what they wanted. There is no such thing as "enough" security. By your logic, we should prosecute the owners of San Francisco Nordstrom after the flash mob walked in and stole all the merchandise, endangering the lives of shoppers and employees in the process. They should have had better locks on their doors, don't you know!

      • by gweihir ( 88907 )

        Ever heard of due diligence or gross negligence? Apparently not. Of course, with the threat landscape being known, those that do not adequately prepare to defend against attacks share responsibility for the damage that happens.

        As you seem to be completely disconnected from reality, here is an example form another field: https://www.justia.com/real-es... [justia.com]

        • No one has proven or even accused National Amusements of negligence. You are just ASSUMING they were negligent because they were hacked.

          Your document covering landlords is a good analogy. If a landlord generally maintains their property and keeps locks repaired and in working order, they are complying with what is expected of a landlord. If a thief discovers that one of the door locks isn't quite latching all the way, and uses that vulnerability to break in and steal stuff, two things are true: 1) the landl

          • by gweihir ( 88907 )

            No one has proven or even accused National Amusements of negligence. You are just ASSUMING they were negligent because they were hacked.

            Nope. I _know_ they were negligent because they were hacked. They are not a high enough value target for the really good hackers, so some mediocre ones got in. That only happens if they were negligent. Well, it could happen if some of their staff did intentional sabotage.

            • Nope. I _know_ they were negligent because they were hacked.

              Ah, I see. So EVERY security breach results only from negligence. Any security precautions short of perfection, isn't good enough for you. Apparently you live in a different world than I do, because there are *always* security imperfections, whether it's digital or physical security. And apparently you've never actually had to implement a cybersecurity regimen. It's easy to criticize the football players' mistakes when you're sitting in the stands.

              • by gweihir ( 88907 )

                You seem to not be very smart, because that is not what I said.

                • I quoted your exact words, I think it is exactly what you said.

                  If you _know_ they were negligent because they were hacked, then apparently you are saying that every breach results from negligence.

                  What did I miss, exactly? Please help a dummy like me understand.

  • by backslashdot ( 95548 ) on Tuesday December 26, 2023 @09:24PM (#64107989)

    How does a company named "National Amusements" come to own Paramount and CBS?

    • It was the original business of theater chains started by the Redstone family and through a sordid tale of mergers, acquisitions and spinoffs it's the media entity it is today. It's kinda always owned some portion of those entities.

    • It's Canada speaking there... they don't have "Hollywood" in Canada, so National Amusements is somehow the only way they can see CBS/Paramount projects.

  • Actually, they (mis)configured their servers to give all that data to hackers upon request.

    If the messaging were changed to the more accurate "National Amusements gave hackers the personal information of tens of thousands of people," the public blowback might be enough to convince large companies to stop outsourcing their IT to the lowest bidder.

    • Re:Stole? (Score:4, Informative)

      by Tony Isaac ( 1301187 ) on Tuesday December 26, 2023 @11:11PM (#64108195) Homepage

      If a low-paid store employee accidentally leaves the back door open, and thieves come in and steal all the merchandize, it's still stealing. The store didn't "give away" their merchandise because they "misconfigured" the door lock. On the internet, there is no such thing as "adequate" security. Without enforcement against the hackers, nothing will change. No amount of fines against the merchants will change this.

  • But with how shady the media industry is I would kinda like to see a big dump like we got with Sony years back. A new batch of info on how the streaming economics and decisions really work.

  • So, are Warner Discovery or NetFlix sure they want to buy this DumpsterFire?

    And is Formula1 Sure they want to continue partnering with this dumpster fire?

    Security breaches have consequences, and, sadly at least until furter legislation and meaningful fines are imposed, the reputational ones are the ones that actually have theeth

  • National Amusements theaters only exist in Canada. Maine's involvement is for people who cross the border there.

    This is the first Canadian hacking we've seen in a while...

    • They own 1500 theaters in the USA, they were founded in Maine and are still headquartered in Maine. Maine's involvement has absolutely nothing to do with proximity to the Canadian border.
  • When Paramount, Fox and MGM owned theaters, it was called a trust and they were forced to divest.
    Now, companies like National Amusements own those theaters... And the company the supplies the concessions (look up National Amusements)... And the studios.
    So, when you go to the theater and they tell you popcorn is $10 because the studio charges them so much for the movies that "this the only way to stay afloat"; Understand, the studio pays National Amusements a chunk of what they collect from the theater; The

Life is a whim of several billion cells to be you for a while.

Working...