This past Saturday, January 21st, the 2017 Sundance Film Festival was underway with its first weekend of screenings when it was interrupted by a cyberattack that disabled its online box office as well as internet access throughout Park City, Utah. The attack is reportedly being investigated by the FBI as a denial of service (DDoS) attack, and Sundance representatives assured that no artist or customer information was compromised. In addition to the online box office, many local businesses were hampered as they were forced to accept cash only, and most ATMs were also out from the attack.
While it remains unclear who carried out the cyberattack and what their motivations were, the hack on the film festival evidences the breadth of organizations that are susceptible to and targeted by hacks. Typically when we read these headlines, the attack has been carried out against a large corporation that houses massive amounts of user data or credentials that can be sold on the dark web, or offer some another bounty - monetary or otherwise. Examples of attack headlines in the past few years put Yahoo, Adobe, and Target in the middle of attacks targeting sensitive user and employee information. These reports would lead people to believe that hackers are only interested in similarly sized organizations whose data offers more value -- luring business owners and consumers into a false sense of security when it comes to cybersecurity.
Small to midsize businesses can easily fall victim to this mindset, assuming that no hacker would pay attention to their site when carrying out an account takeover attack or exploiting a code vulnerability, as there are many larger, seemingly more lucrative targets. However, the attack on the Sundance Film Festival, a nonprofit outlet for independent films unaffiliated with any major studios, would contradict this idea. Based on reports, the attackers gained little from this exploit, but it demonstrates clear security defects that could be disastrous for a similarly sized organization.
Moreover, it is not only direct attacks to a site and applications that need to be accounted for. If user credentials are stolen from the data breach of a different site, hackers can use bots to see if that same username and password can gain access to other sites; tangentially giving them access to your site if an employee or customer used the same information.
The attack on the Sundance Film Festival serves as a reminder that all organizations, no matter the size, can be the subjects of a hack and should implement cybersecurity measures to minimize the impact of such attacks as much as possible.