An entertainment landscape dominated by streaming services has plenty to trouble customers, not least rising prices and massive consolidation. These goliath platforms are also huge repositories of personal customer data, with millions of users worldwide entering all sorts of sensitive information to be stored and utilized. The latest breach of such data comes courtesy of Crunchyroll, the predominant overseas platform for streaming Japanese anime, a joint operation between Sony in the US and Aniplex in Japan.

As a service that surpassed 17 million users last year, it clearly reflects the medium’s explosive growth in popularity. Unfortunately, it also provides yet another target for cyber criminals eager to exploit vulnerable personal data.
According to reports, the self-professed culprit stole over 100 GB of user data after accessing the streaming site’s Zendesk support system, which is run by Crunchyroll’s outsourcing partner Telus Digital. By compromising an employee of this third party, the intruder was able to socially engineer their way into the network. Once they were in, malware was deployed; email addresses, IP addresses, credit card details and more were pilfered; and the mega breach succeeded. Crunchyroll soon confirmed the breach and announced an investigation, which is still ongoing.
In such instances, it’s crucial to remember the importance of encrypting sensitive data so it becomes unusable when hackers reach their target. To quote our CTO here at NetLib Security, David Stonehill, “Locking applications to specific machines, users, and network contexts ensures that even if encrypted files are exfiltrated, they remain inert outside their intended environment.” Added to that is the evolving AI-threat landscape. Encryption, properly implemented, remains one of the few controls that doesn’t rely on predicting attacker behavior. It simply removes the payoff. And in an AI-driven world, reducing the payoff is how you change the game.
Of course, Crunchyroll is no stranger to data security incidents, having been subject to a class action suit earlier this year over unauthorized sharing of certain user data with third parties. Nor is parent company Sony. We all remember the hack of Sony Pictures back in 2014, when North Korean hackers stole personal employee data, Social Security numbers, screenplays and other internal information, while also deploying malware to shut down the entire network. Meanwhile, just last year in 2025, Sony was subjected to a hack of their PlayStation Network that affected millions of accounts, forced two weeks of further downtime, and resulted in further financial and reputational damage. Over 70 million accounts were hit, with the data involved including emails, passwords and payment details.
This span of many years continues to illustrate the risks inherent in something as simple but ubiquitous as streaming, and how crucial it is for these data handlers to protect the data they hold. Even though some of the PlayStation user data was encrypted, not all was, and the encryption wasn’t strong enough to prevent decryption. By now it’s inexcusable for a company not to keep its sensitive data as locked down as possible, or to fail to ensure that its third-party associates implement reasonable security safeguards.