Arts, Entertainment and Recreation
NAICS 71

  • Resumen

    The Use of stolen credentials, Phishing and Ransomware continue to play big roles in this industry. Compromised Medical information was seen at an unexpectedly high level as well.


    Frequency

    7,065 incidents, 109 with confirmed data disclosure


    Top Patterns

    System Intrusion, Basic Web Application Attacks, and Miscellaneous Errors represent 83% of breaches


    Threat Actors

    External (70%), Internal (31%), Multiple (1%) (breaches)


    Actor Motives

    Financial (100%) (breaches)


    Data compromised

    Personal (83%), Credentials (32%), Medical (26%), Other (18%) (breaches)


    Top IG1 Protective Controls

    Security Awareness and Skills Training (14), Secure Configuration of Enterprise Assets and Software (4), Access Control Management (6)


  • While the way in which we consumed entertainment changed this year, hopefully temporarily, attackers continued to follow the same winning combination that they’ve been using for the last few years in this industry. Namely, targeting web applications and utilizing malware to its fullest extent. And of course, there was the occasional human blunder that serves to keep life interesting.

    System Intrusion, Web Applications and Errors are more or less tied for the top ranking. Their combined weight accounts for 83% of the breaches in this sector. This is in line with the trend set in previous years, and what we saw in last year’s report (Figure 99). With that in mind, it is perhaps only to be expected that action types such as the Use of stolen credentials, Ransomware, Phishing and Misconfiguration were responsible for most breaches (Figure 100).

  • Figure
  • Figure
  • What was a bit surprising was the high level of Medical information breached in this sector. One would typically associate medical record loss with the Healthcare industry. However, upon digging into the data a bit more, the Personal Health Information (PHI) was related to athletic programs, which fall under this vertical. It is possible the medical nature of the data was unclear, and so the worst case, (medical rather than just personal) data was reported. Still, this reveals an important lesson: Don’t assume that because your organization is not in the medical field that you don’t possess medical data (or that you don’t have a duty to ensure that it is protected appropriately). 

    From an incident point of view, DDoS attacks were once again quite high this year. This is potentially due to the gambling websites that also reside in this sector. Therefore, if you are operating an online gambling platform the safe bet is to plan for DDoS, because the house always needs to win.

Let's get started.