The most recent Netflix data breach happened in May 2019, when UpGuard discovered exposed data on servers belonging to Attunity, a data management firm. It is unclear how many Netflix users were affected by the breach. Since May 2019, there have been no known data breaches involving Netflix.
More recently, in September 2021 Netflix was fined for privacy violations by the government of South Korea. Below, we’ll go into the full history of Netflix data breaches, starting with the most recent.
October 2021: Employee Releases Confidential Information
In October 2021, the final show on Dave Chappelle’s current Netflix contract – The Closer – was released. There were some controversial moments in the stand-up special, some of which stirred a major backlash.
Along with members of the public, some Netflix employees condemned some of the material in the special. As the incident unfolded, a report by Bloomberg was published that contained commercially sensitive information. Details about how much Dave Chappelle was paid for specific specials were disclosed, along with similar financial data relating to other Netflix shows.
The employee behind the leak was discovered – though not publicly identified – by Netflix. That employee was ultimately terminated for violating company policies due to the incident.
September 2021: Privacy Violation Costs Netflix $188,000
In September 2021, Netflix was fined $188,000 by the South Korean government – through the Personal Information Protection Commission (PIPC) – for privacy violations. The company had collected personal information on approximately 5 million individuals without obtaining proper consent.
There was also a $2,700 fine associated with failing to disclose the international transfer of the data related to the privacy issue. As the agency that levied the penalties continues to investigate possible privacy issues, other fines could be on the horizon.
February 2021: COMB Compilation Includes Netflix Passwords
In February 2021, the Compilation of Many Breaches, or COMB, was leaked to a hacker forum. This data leak included login credentials for over 3.2 billion accounts across multiple websites, including Netflix, LinkedIn, Gmail, and Yahoo.
This was not a unique data breach in itself, but rather a compilation of data exposed in previous breaches. Netflix claims it has never been hacked, and it’s very possible the Netflix passwords were exposed from other services: if a user reuses the same password for multiple services, one breach can expose them across multiple websites.
May 2019: Contractor Exposes Netflix Data
Attunity – a data management firm now owned by Qlik – failed to properly secure backup data, exposing sensitive information on a range of companies, including Netflix. The issue was discovered when UpGuard explored potential vulnerabilities associated with Amazon S3 Storage Buckets. They found publicly accessible files that contained Netflix database authentication strings.
Other companies impacted during the incident included TD Bank and Ford. After Qlik was made aware of the issue, they applied new security standards.
April 2017: Unaired Episodes of Orange Is the New Black Stolen
In April 2017, a hacker or hacker group operating under the name thedarkoverlord acquired unaired episodes of the popular Netflix series Orange Is the New Black and held them for ransom. The hacker threatened to release the episodes if they weren’t compensated.
Ultimately, Netflix chose not to pay the ransom. Shortly afterward, the unaired episodes made their way onto The Pirate Bay, a BitTorrent site.
Technically, the episodes were stolen from Larson Studios, a post-production company connected with the show. However, the incident did involve a Netflix property, making it worthy of the list.
2006: Netflix Exposes User Viewing History
Back in 2006, Netflix released movie ratings as part of a contest in the form of a tech challenge, asking outsiders to develop predictive movie rating algorithms that outperformed what Netflix had in place. While the data was supposed to be anonymized, University of Texas researchers were able to use the data to identify users and reveal larger viewing histories.
While the incident was primarily considered harmless, that doesn’t mean there wasn’t a backlash. When Netflix tried to conduct a similar kind of contest – this time including additional subscriber details like age, gender, and zip code – the company was sued. Netflix ultimately didn’t move forward with the second contest and also settled the lawsuit.