
It’s been a little more than a decade since the Sony hack exposed the email inboxes of top executives and led to multiple full movies being dropped into the public domain. The incident highlighted cybersecurity as one of Hollywood’s Achilles’ heels, but not much has been done to protect the industry since, a new report claims.
Just last week, a full version of “The Legend of Aang: The Last Airbender” was leaked online by a fan, allegedly frustrated by Paramount’s decision to only release the film on its streaming platform.
The animated film cost Paramount around $80 million to make, so the breach is a serious blow for the studio.
More importantly, major Hollywood players still seem incapable of learning their lesson and protecting their systems better, according to a new report by the British cybersecurity firm Red Sift.
The company’s analysis found that the US entertainment industry, particularly TV and movie studios, remains as vulnerable as ever to a state-sponsored cyber breach, and unsurprisingly, these leaks keep coming.
It’s hard to forget the infamous 2014 incident when a threat actor dubbed Guardians of Peace (now better known as the North Korean state-sponsored Lazarus Group) wreaked havoc on Sony Pictures.
The hackers were able to access previously unreleased films, scripts for certain films, plans for future films, information about executive salaries at the company, emails, and the personal information of around 4,000 employees. Large amounts of data were slowly leaked in the days following the cyberattack.
In late 2016, another hacker group, TheDarkOverlord, stole a full season of Netflix’s “Orange Is the New Black” and demanded a ransom, which was ignored. Months later, the threat actor leaked the stolen season.
In 2017, hacker “Mr. Smith” infiltrated HBO and stole a script summary of an unaired “Game of Thrones” episode as well as upcoming episodes of “Ballers,” “Insecure,” and “Room 104.” The hacker, later determined to have been working for Iran’s government, demanded $5-7 million.
Last year, a California man pleaded guilty to hacking Disney via a fake AI platform that promised to generate AI art, and to stealing 1.1TB of company data.
In short, there’s definitely a pattern. But not much is changing, Red Sift says.
True, across California’s largest organizations, brand security adoption appears strong on the surface, with 99% maintaining valid email authentication records and 73% actively enforcing protections that block or limit spoofed messages.
However, the entertainment sector emerges as a weak point, with 71% of TV and movie studios operating with no enforcement at all, leaving them highly vulnerable to impersonation, credential theft, and disruption-driven phishing attacks, the report claims.
In other words, even AI-powered impersonations wouldn’t be needed: more than two-thirds of major studios could be impersonated instantly via email, with no hacking required. Universal is the only studio that actively blocks spoofed or malicious emails.
In a coordinated cyber incident, these gaps could enable attackers to impersonate executives, fake production or payroll communications, leak content, or undermine consumer trust at scale.
“Hollywood still hasn’t internalized the lesson of the 2014 Sony hack. Today, more than 70% of major studios are leaving email wide open to impersonation, despite years of targeting by state‑linked actors and hacktivists,” says Brian Westnedge, director of partnerships at Red Sift.
“As streaming platforms expand, this brand exposure is only getting bigger. Email spoofing is how attackers move fast, from fake executive messages to real operational damage, data leaks, and lasting reputational harm, and any large, trusted brand with weak security controls is just as exposed.”