One of Hollywood’s top contract management firms was sent scrambling this week after being informed of a breach involving a wealth of confidential and proprietary data. Contained in the leak was invaluable information about the earnings of some of the world’s biggest musical talent during the era of Now That’s What I Call Music! 45 through 74.
Discovered on an Amazon server without a password, a backup of corporate documents included various intellectual-property agreements from the likes of Selena, Duran Duran, Spice Girls, and Coldplay. The majority of the deals went down in the early 2000s.
The leak, secured by the Kromtech Security Research Team, exposed roughly 2GB of email correspondence—much of it marked “privileged and confidential”—with clients such as EMI, Disney, HBO, and Netflix. Within that data is some truly interesting pop culture trivia. For instance, Fox paid $18,000 so the reality TV trailblazer COPS could use Blondie’s “One Way or Another.”
Documents show Coldplay made a killing selling their music to dozens of TV shows—Buffy the Vampire Slayer, E.R., Friends, Queer Eye for the Straight Guy, and The O.C.—and movie trailers for Gigli ($50,000), Spider-Man ($125,000), and Peter Pan ($250,000). Heineken paid half a million to use “The Scientist” in a 2004 commercial. Gatorade planned to use “Yellow” in a 2001 ad, but seems to have dropped the spot.
Of course, Coldplay tracks were also used in several notable films during this period, including Mean Girls, Wicker Park, Mr. Deeds, and Shallow Hal. And Touchstone Pictures paid $50,000 to use Coldplay’s “High Speed” in the Jake Gyllenhaal coming-of-age adventure-comedy Bubble Boy.
The firm exposed was identified as Rightsline, a California-based company that offers software solutions to top entertainment-industry companies to track the lifecycle of licensing and distribution deals around the world. On their site, Rightsline claims to use “the most secure data protection mechanisms available in the market to ensure that your data always remains your data.”
On Monday, Kromtech managed to reach Rightsline’s vice president of product development on LinkedIn. “Within a couple of hours bucket was secured, but there was no feedback or reply,” Kromtech researcher Bob Diachenko told Gizmodo. The leaked data contains “some of the biggest names in music and some of the most beloved songs ever written.”
For instance, Diachenko says, “the Spice Girls song ‘Wannabe’ was used in the movie Sleepover and Virgin [Records] was paid $60,000.”
To reiterate: The documents were discovered on a publicly accessible Amazon server with no password, meaning they could be viewed or downloaded by anyone.
“The danger of any data breach or leak is often the human factor,” Diachenko continues. “In this case, a company does everything right and takes the necessary precautions only to have a senior executive leave a backup drive exposed.”
Last month, Kromtech unearthed a database containing 560 million login credentials—first reported by Gizmodo—which were later added to security researcher Troy Hunt’s “Have I Been Pwned?” website. (Roughly 243.6 million email addresses contained in the breach were unique.)
Incidents of data theft and ransomware are on the rise, so it’s important to remember the common thread: human error.
Whether it’s medical records describing the horrors of opium addiction or a confidential spreadsheet disclosing the stupid amount Coldplay was paid for the song “Yellow” in a 20-second TV commercial, if the slackers in charge of managing other people’s data would take a few moments to secure it with a password—or, gods forbid, encrypt it—the world would be a safer place.