Media & Entertainment · Cybersecurity Training

Your Help Desk Is Your Perimeter

Media & Entertainment companies lose an average of $4.2M per breach. The entry point wasn't a zero-day — it was a phone call.

Defining breaches in the media & entertainment sector

MGM Resorts
September 2023 · $100M+ direct losses
Vishing → help desk → ALPHV/Scattered Spider. 10-minute phone call to domain admin. 10-day operational outage. SEC 8-K filed September 13, 2023.

Caesars Entertainment
September 2023 · ~$15M ransom paid
Third-party IT vendor social engineering → Okta credential compromise. 65M loyalty members' PII exfiltrated (names, driver's license numbers, SSNs).

Sony Pictures
November 2014 · 100TB+ IP exfiltrated
Spear-phishing → Lazarus Group (DPRK) → Destover malware. Unreleased films leaked, executive emails published, "The Interview" pulled from theatrical release.

Activision
December 2022 · 19,444 employees' records leaked
SMS phishing → HR employee → Slack account compromise. Call of Duty Modern Warfare II roadmap exposed. Delayed CA notification: potential law violation.

High-value targets. Distributed attack surface.

Media & entertainment companies face a uniquely dangerous combination: crown-jewel intellectual property, a distributed workforce across production/post-production/vendor sites, heavy payment processing, extensive third-party vendor dependencies, and a media profile that makes breaches catastrophic for brand reputation. Nation-state actors (particularly DPRK's Lazarus Group) actively target entertainment IP — unreleased films, scripts, and production assets have real black-market value.

The common thread across every major M&E breach is human exploitation. Vishing calls to help desks. SMS phishing to HR. Spear-phishing emails to production coordinators. Vendor access social engineering. No zero-day required — just a phone call and a team that hasn't been trained to recognize the pattern.

The Common Thread

Every M&E breach traces back to human exploitation — vishing, smishing, spear-phishing, and vendor compromise. The controls that stop them are not technical: they're behavioral, trained, and practiced.

🎧 Help Desk Vishing

High personnel turnover, distributed workforce, and executives under deadline pressure make IT help desks the #1 attack surface. A single phone call can yield domain admin.

🎬 Production Pipeline Access

VFX, post-production, and localization vendors have remote access to unreleased content. TPN Gold compliance gaps and weak credential hygiene create exfiltration risk.

🔑 Vendor Access Compromise

Third-party IT vendors, PMS integrators, and loyalty program providers all have privileged access to M&E networks. Vendor-compromised = company-compromised.

What happened. How it started. What it cost.

September 2023 · Las Vegas

MGM Resorts — 10 Minutes to Domain Admin

ALPHV (BlackCat) called MGM's IT help desk, impersonated an employee locked out before a flight, and convinced the technician to reset credentials over the phone. Within 10 minutes, the attacker had domain admin access. The attack progressed through casino floor systems, hotel PMS, slot machines, and digital room keys. MGM refused to pay the ransom. Estimated total cost: $100M+ in direct losses, operational disruption, and regulatory response. The SEC 8-K filed September 13, 2023 confirmed a material cybersecurity incident affecting the company's operational and financial position.

10 min · Time from phone call to domain admin
Source: MGM Resorts SEC 8-K, September 13, 2023; ALPHV/BlackCat claims

September 2023 · Las Vegas

Caesars Entertainment — Vendor Access, 65M Records

ALPHV social-engineered a Caesars third-party IT vendor support technician over the phone, convincing them to reset credentials on an Okta admin account. The attacker used the Okta access to exfiltrate loyalty program data for 65 million members: names, driver's license numbers, and in some cases Social Security numbers. Caesars paid approximately $15 million to prevent data release. Same threat cluster, same week, different entry point — but the same human failure at the core.

65M · Loyalty members' PII exfiltrated
Source: Caesars SEC 8-K, September 7, 2023; Bloomberg, September 13, 2023

November 2014 · Los Angeles

Sony Pictures — DPRK's Lazarus Group, 100TB+ IP

A spear-phishing email to Sony Pictures employees installed Destover malware — a wiper capable of rendering systems inoperable. The attack was attributed to North Korea's Lazarus Group (FBI, November 2014; DOJ indictment of Park Jin-hyok, September 2018), apparently in retaliation for "The Interview" film. Over 100 terabytes of data was exfiltrated: unreleased films ("Fury," "Annie"), executive emails, salary information, and corporate documents. The FBI estimated the attackers had access for up to a year before discovery — months of dwell time. "The Interview" was pulled from theatrical release, the first time a major studio altered a film release due to cyber threats. Estimated total loss: $100M+ in remediation, lost revenue, and reputational damage.

100TB+ · IP exfiltrated, months of dwell time
Source: FBI Attribution, November 2014; Novetta Operation Blockbuster; DOJ Indictment 2018

December 2022 · Santa Monica

Activision — SMS Phishing to Slack Cascade

An employee at Activision's Call of Duty franchise was targeted with an SMS phishing message directing them to a fake login page. The compromised account gave attackers access to the company's Slack, where they posted an inappropriate message saying "I touch children" — visible to the entire company. Despite this obvious anomalous behavior, no employee reported it to InfoSec. The attackers also accessed internal systems and later leaked 19,444 employee records (names, emails, phone numbers, physical addresses, salary information, and work locations) via a Tor-based leak site. Activision delayed notification to affected California employees, potentially violating California's CCPA/CPRA breach notification law.

19,444 · Employees' records leaked; nobody reported the Slack anomaly
Source: vx-underground (February 20, 2023); TechCrunch (February 21, 2023); Insider Gaming

The regulatory landscape M&E companies can't ignore

PCI DSS 4.0, state breach notification, SOX, and MPA TPN compliance aren't checkbox exercises — they're the exact controls that would have prevented MGM and Caesars.

PCI DSS 4.0 (PCI Security Standards Council; mandatory March 31, 2025)
  • Key requirement: Req 8.3: MFA on all access to cardholder data. Req 11.6.1: Payment page script integrity monitoring. Req 12.10: Formal incident response plan with tabletop testing.
  • Enforcement: Card brand fines ($5K–$100K/month), forensic investigation costs, potential suspension of payment processing capability; existential for M&E hospitality/casino ops.
  • How it prevents these breaches: Req 8.3 directly stops the MGM help desk credential capture. Req 11.6.1 prevents JavaScript skimming on entertainment venue payment pages. Req 12.10 means Caesars has a documented notification runbook before the breach.

CA Breach Notification (California Civil Code §1798.29; 3 business days)
  • Key requirement: Any person or business that owns or maintains computerized data containing personal information must notify California residents of a breach "in the most expedient time possible" and no later than 3 business days after discovery.
  • Enforcement: AG enforcement, civil penalties up to $3,000 per violation (per consumer per incident), class action exposure.
  • How it prevents these breaches: Activision delayed notification to California employees: potential §1798.29 violation. Sony's months of dwell time before discovery maximized notification scope and cost.

NY Breach Notification (NY General Business Law §899-aa; 72 hours)
  • Key requirement: Any business operating in New York that experiences a data breach of private information must notify the NY AG within 72 hours of discovery.
  • Enforcement: AG enforcement, potential business registration suspension for repeat offenders.
  • How it prevents these breaches: The 72-hour clock starts at discovery. MGM waited days to file its SEC 8-K; companies without pre-built notification templates will miss the deadline during the chaos of active incident response.

SOX Material Weakness Disclosure (SEC Regulation S-K Item 308 / SOX §302 & §404)
  • Key requirement: Public companies must certify financial controls and disclose material cybersecurity incidents that materially affect (or are reasonably likely to materially affect) financial reporting or internal controls.
  • Enforcement: SEC enforcement, shareholder litigation, potential delisting for material misstatements.
  • How it prevents these breaches: Both MGM and Caesars filed SEC 8-K within days of their breaches. Public studios (Disney, Warner Bros Discovery, Sony Corp) must certify cybersecurity incidents affecting revenue recording systems; unauthorized streaming revenue manipulation or content theft can trigger disclosure obligations.

MPA TPN v5.3.1 (Motion Picture Association; Shield Tiers: Blue → Silver → Gold → Gold Star)
  • Key requirement: TPN assessments cover 263+ controls across Organizational, Operational, Physical, and Technical domains. TPN Gold is the standard required by all major studios for VFX, post-production, and localization vendors as a contractual condition.
  • Enforcement: Contractual exclusion from studio work. Studio audit disqualification. Loss of major production contracts.
  • How it prevents these breaches: Vendors with production network access who haven't completed TPN Gold assessments are the weakest link in M&E supply chain security. Sony Pictures' breach demonstrated the damage that production network access can cause when compromised by spear-phishing.

Three scenarios. Three failure modes. Three fixes.

Drill 1 · 📞 Help Desk Vishing Tabletop (MGM Replay)

Executive impersonation call to the IT help desk: "I'm locked out before a flight to Cannes, need access now — I have a meeting at 9am." The technician is under pressure, the caller knows enough internal terminology, and the deadline is immediate.

2 hours · IT Help Desk + IT Managers + CISO
  • Callback verification is not optional for tier-1 resets
  • Manager attestation threshold for executive account resets
  • Public records cannot be used as identity proofing
  • Incident logging and SecOps notification thresholds
  • PCI-DSS 4.0 Req 8.3 MFA enforcement on admin accounts

Drill 2 · 🎥 Production Data Exfiltration Simulation (Sony Replay)

Spear-phishing email to a production coordinator: lookalike domain, link to a fake review platform for dailies, urgent message to approve rushes before the director's call. The goal is to capture credentials and probe the production network's segmentation.

3 hours · VFX / Post-Production + Studio Security + Production Managers
  • Dwell time is the enemy: production workflows have unique access patterns that malware uses to move laterally
  • TPN assessment gaps: where is your vendor's security posture?
  • Content watermarking enables forensic reconstruction after exfiltration
  • MFA on all production systems, not just corporate
  • Network segmentation (production vs. corporate): stop the blast radius

Drill 3 · 🔑 Vendor MFA Reset Workflow Audit (Caesars Replay)

A caller impersonating a company employee rings the MSP support line: "Our lead tech is on vacation and I need the Okta admin credentials reset for a production emergency." The MSP tech either doesn't have the internal escalation procedure documented, or knows it but abandons it under social engineering pressure.

1.5 hours · IT Managers + Vendor Relationship Owners + CISO + Legal/Compliance
  • Vendor access = your perimeter; Caesars learned this the hard way
  • Credential rotation policy is non-negotiable for vendor admin accounts
  • State breach notification applies to vendor-vector breaches (yes, you notify)
  • Periodic MSP security reviews: what's in their access log?
  • Vendor-compromise notification runbook: what does your team do when a vendor is breached?
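The verification rules listed for Drill 1 (help desk resets) and Drill 3 (vendor admin resets), expressed as a policy check a ticketing integration could call before any technician performs a reset. This is an added example written for this page, not SecurEveryone's tooling or any vendor product; the evidence categories, tier names, SecOps denial threshold, and sample requests are assumptions chosen to illustrate the rules, and the decision is logged whether or not the reset proceeds.

```python
"""Credential-reset gate for help desk and vendor (MSP) reset calls."""
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Claims a caller can harvest from public records; reciting them proves nothing.
PUBLIC_RECORD_EVIDENCE = {"name", "date_of_birth", "home_address", "employee_id", "job_title"}
# Evidence tied to something the real user holds or to an out-of-band confirmation.
STRONG_EVIDENCE = {"hardware_token_otp", "in_person_badge", "manager_video_confirmation"}
PRIVILEGED_TIERS = {"executive", "admin", "vendor_admin"}
SECOPS_DENIAL_THRESHOLD = 2          # denials per account before SecOps is notified
SECOPS_WINDOW = timedelta(hours=24)  # categories and thresholds above are assumptions

Decision = namedtuple("Decision", "approved reasons notify_secops")


@dataclass
class ResetRequest:
    target_account: str
    tier: str                          # "standard" or one of PRIVILEGED_TIERS
    evidence: set                      # identity-proofing claims the caller offered
    callback_number_source: str        # "directory" | "caller_supplied" | "none"
    callback_answered: bool            # person of record answered the callback
    manager_attestation: bool = False  # manager confirmed out of band
    vendor_ticket_id: Optional[str] = None  # MSP's own change ticket
    rotation_scheduled: bool = False   # credential rotation booked after the reset
    received_at: datetime = field(default_factory=datetime.now)


class ResetGate:
    def __init__(self):
        self.log = []        # every decision is recorded, approved or denied
        self._denials = {}   # target_account -> timestamps of recent denials

    def evaluate(self, req: ResetRequest) -> Decision:
        reasons = []
        # Public records cannot be used as identity proofing.
        if not (req.evidence - PUBLIC_RECORD_EVIDENCE):
            reasons.append("no identity evidence beyond public-record facts")
        # Callback is mandatory and goes to the directory number of record, never a caller-supplied one.
        if req.callback_number_source != "directory" or not req.callback_answered:
            reasons.append("callback to directory number of record not completed")
        # Executive/admin resets need manager attestation and a strong factor.
        if req.tier in PRIVILEGED_TIERS:
            if not req.manager_attestation:
                reasons.append("manager attestation required for privileged tier")
            if not (req.evidence & STRONG_EVIDENCE):
                reasons.append("privileged reset requires a strong factor")
        # Vendor admin resets follow the documented escalation: MSP change ticket plus rotation.
        if req.tier == "vendor_admin":
            if not req.vendor_ticket_id:
                reasons.append("vendor change ticket missing")
            if not req.rotation_scheduled:
                reasons.append("post-reset credential rotation not scheduled")
        notify = False
        if reasons:
            recent = [t for t in self._denials.get(req.target_account, [])
                      if req.received_at - t <= SECOPS_WINDOW] + [req.received_at]
            self._denials[req.target_account] = recent
            # Any privileged-account denial, or repeated denials, reaches SecOps.
            notify = req.tier in PRIVILEGED_TIERS or len(recent) >= SECOPS_DENIAL_THRESHOLD
        decision = Decision(not reasons, reasons, notify)
        self.log.append((req.received_at.isoformat(), req.target_account, req.tier, decision))
        return decision


def run_samples():
    """Constructed requests mirroring the Drill 1 and Drill 3 pretexts."""
    gate = ResetGate()
    t0 = datetime(2023, 9, 10, 8, 30)
    public = {"name", "date_of_birth", "employee_id"}
    samples = [
        # Drill 1: "locked out before a flight", recites DOB/employee ID, supplies the callback number.
        ("vishing", ResetRequest("exec.vp", "executive", public, "caller_supplied", True,
                                 received_at=t0)),
        # Legitimate standard user: callback to the directory number answered.
        ("routine", ResetRequest("editor.jane", "standard", {"name", "hardware_token_otp"},
                                 "directory", True, received_at=t0)),
        # Drill 3: MSP asked to reset an Okta admin with no ticket and no rotation.
        ("vendor", ResetRequest("okta-admin-msp", "vendor_admin", {"name", "job_title"},
                                "directory", True, manager_attestation=True, received_at=t0)),
        # The same vendor request done by the book.
        ("vendor_ok", ResetRequest("okta-admin-msp", "vendor_admin",
                                   {"name", "manager_video_confirmation"}, "directory", True,
                                   manager_attestation=True, vendor_ticket_id="MSP-CHG-0042",
                                   rotation_scheduled=True, received_at=t0)),
        # Two weak standard-account attempts inside the window trip the threshold.
        ("weak", ResetRequest("temp.crew", "standard", {"name"}, "none", False, received_at=t0)),
        ("weak_retry", ResetRequest("temp.crew", "standard", {"name"}, "none", False,
                                    received_at=t0 + timedelta(hours=2))),
    ]
    return gate, {name: gate.evaluate(r) for name, r in samples}


if __name__ == "__main__":
    for name, d in run_samples()[1].items():
        print(f"{name:11} approved={d.approved} secops={d.notify_secops} {d.reasons}")
```

Running the block prints one line per sample. The Drill 1 pretext fails every rule at once (public-record evidence, caller-supplied callback number, no manager attestation, no strong factor), the Drill 3 pretext is denied on the missing vendor ticket and rotation even though a manager attested, and the second weak attempt against the same account within 24 hours is what crosses the SecOps threshold.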

$100M+ MGM direct losses
65M Caesars loyalty members' PII exposed
100TB+ Sony IP exfiltrated (Lazarus Group)
19,444 Activision employees' records leaked

Three tiers. One mission: stop the phone call.

All sessions include breach scenario walkthroughs, compliance documentation, and post-session summary for auditor review.

Personal
$150

Per person · 90-minute live session · Individual focus

  • Help desk vishing resistance training
  • Personal threat landscape briefing
  • Credential hygiene fundamentals
  • Post-session summary for compliance records
Business
$900

Flat rate · Unlimited users · Organization-wide

  • All three training drills with your full team
  • Production data exfiltration tabletop for post/VFX
  • Vendor MFA reset audit with legal/compliance
  • Full M&E security program assessment
  • Compliance documentation for audit trail

Common questions from M&E security leaders

Why is the help desk the biggest risk in media & entertainment?
M&E companies have high personnel turnover, distributed workforces across production/post-production/vendor sites, and executives and talent who are high-profile targets. A help desk that hasn't been trained to handle social engineering calls is a direct path to domain admin access. MGM's breach began with a phone call to the IT help desk: the attacker impersonated an employee, got a password reset, and had domain admin within 10 minutes. Caesars' breach started the same way: a third-party IT vendor technician was social-engineered by a caller claiming to be an authorized employee. For production-heavy companies, the help desk is also the interface with freelance crew, temp staff, and vendor personnel who need access to production systems on tight deadlines. The time pressure makes it easy to skip verification steps. PCI-DSS 4.0 Requirement 8.3 (MFA on all access to cardholder data) and Req. 12.10 (incident response planning) are exactly the controls that would have stopped both MGM and Caesars.

What is TPN Gold and does my VFX/post-production company need it?
TPN (Trusted Partner Network) is an industry standard managed by the Motion Picture Association (MPA) that assesses the security readiness of vendors in the film and television supply chain. TPN assessments cover 263+ controls across Organizational, Operational, Physical, and Technical security domains. As of September 2025, the shield tiers are: Blue (entry level), Silver (standard baseline), Gold (major studio requirement), and Gold Star (highest trust tier for crown-jewel content). Major studios (Disney, Warner Bros. Discovery, Universal, Sony Pictures, Paramount) require TPN Gold as a contractual condition for VFX, post-production, localization, and digital supply chain work. If you're a vendor working on any major studio production, TPN Gold is effectively mandatory. TPN assesses your security posture, but remediation is your responsibility, and many vendors discover critical gaps only when a studio audit arrives. SecurEveryone's Production Data Exfiltration drill specifically prepares VFX and post-production staff for TPN audit scenarios.

How does PCI DSS 4.0 affect our casino or hospitality operation?
All 51 future-dated requirements in PCI-DSS v4.0 became mandatory on March 31, 2025; there is no grace period. For M&E companies operating casino, hospitality, or entertainment venue properties, the scope is broad: POS terminals, property management systems (PMS), slot machine payment integrations, loyalty program databases, and any network segment that touches cardholder data all fall under full PCI-DSS scope. Key requirements: Requirement 8.3 mandates MFA for all access to cardholder data, exactly the control that MGM lacked when the attacker obtained a help desk credential. Requirement 11.6.1 requires integrity monitoring of payment page scripts, directly addressing JavaScript supply-chain attacks. Requirement 12.10 requires a formal incident response plan with tabletop testing, something Caesars executed (paid the ransom, filed SEC 8-K, notified 65M loyalty members), but most smaller M&E companies have no documented IR plan at all.

We had a breach through a vendor — are we still responsible for notification?
Yes. When a vendor's access to your environment results in a data breach, the notification obligation flows to you, not your vendor. California Civil Code §1798.29 and New York General Business Law §899-aa both require notification by the 'person or business' that owns the breached data, regardless of whether the breach originated through a third party. Caesars' September 2023 breach involved a third-party IT vendor being social-engineered, yet Caesars bore the notification obligation to 65M loyalty members. For M&E companies, vendor notification obligations are especially acute because production companies typically work with dozens of vendors who have remote access to production networks, asset management systems, and content review platforms. The Caesars playbook (vendor compromise → credential exfiltration → notification → regulatory scrutiny) is the same pattern M&E companies face if they don't audit their vendor access controls and incident notification runbooks.

What's the difference between MGM's "no ransom" and Caesars' "paid ransom" response?
MGM refused to pay ALPHV/BlackCat's ransom demand and absorbed the operational costs of a 10-day system outage that crippled hotel check-in, room keys, POS systems, and slot machines across their Las Vegas properties. Estimated total cost: $100M+ in direct losses, revenue impact, remediation, and regulatory response, before any credit monitoring or litigation costs. Caesars paid approximately $15M to prevent the release of loyalty member data (65M records: names, driver's license numbers, SSNs). Both companies were hit by the same threat cluster within the same week. The difference was operational posture: MGM's systems were down and affecting guests; Caesars was facing a data release threat. Both responses carry enormous costs. The lesson isn't 'pay or don't pay'; it's that both outcomes cost tens or hundreds of millions of dollars, and both were preventable with the same set of controls: MFA on admin accounts, vendor access governance, and an incident response plan that had been tabletop-tested before the crisis.

Stop the phone call. Start with a free security assessment.

No commitment. 90 minutes. You'll know exactly where your help desk, vendor access, and production pipeline stand against the real threat landscape.

SecurEveryone · PCI DSS 4.0 / TPN Gold / SOX / CA/NY Breach Notification · $150–$900 · Live expert coaching