Richard Blech

No Games When Protecting Data in the Online Game Industry

Even as the online game industry is on track to be worth $196 billion by 2022, its cybersecurity issues abound. The online game platforms, which include mobile, console and PC games, rely very heavily on connectivity and the cloud, making them very high-value targets for threat actors. Research shows that the online game industry suffered over 249 million web application attacks in 2020, a 340% spike from 2019. Threat actors will continue to leverage the cyber vulnerabilities in the industry to obtain some of its most highly valuable digital assets—game source codes and API keys.

Protecting such data requires a multi-layered security infrastructure that can deter unauthorized users at every turn and thus protect the brand value for all stakeholders. One recent cyberattack that underscores the need for a layered, zero-trust approach to cybersecurity in the online game industry is the Electronic Arts data breach.


Using an EA employee’s authentication cookie that was purchased online, the threat actors were able to access the company’s internal Slack channel and replicate the employee’s account to access Slack data. They then used that account to ask IT support for a multi-factor authentication token to access the EA repository, where they were able to siphon the data. The 780 gigabytes of data that was stolen included the Frostbite source code, which powers Madden, FIFA and Battlefield video games and more. Although EA has downplayed the breach, stating that it was not a ransomware attack and that no gamer’s information has been leaked, the relative ease with which threat actors were able to obtain the data that was stolen is alarming.


The online game industry has been ripe for cyberattacks for multiple reasons. Many developers and publishers prioritize reinforcing game source code to combat the production of unauthorized copies and pirated versions of games at the expense of securing the software from cyberattacks. Gamers may be reluctant to employ security measures, such as antivirus apps, because of the mistaken belief that the measures make their devices slower or lower the frame rate. Both gamers and employees of online game companies are being actively targeted with social engineering attacks aimed at obtaining login information to gain initial access to a system. Another factor to consider is that the online game industry, which is relatively new compared to other industries, does not have the cybersecurity regulations and standards that are applied and enforced in other industries, such as the retail and financial industries.


The application of fundamental and necessary cybersecurity solutions, some of which are noted here, could have prevented the EA data breach:

  • Cybersecurity-Minded Workplace Culture. There should be a workplace culture in which cybersecurity is an innate part of day-to-day operations and communications, whether they take place on an organization’s intranet or on a collaboration platform like Slack. Creating such a culture entails frequent security education and training that can help employees become used to implementing cybersecurity best practices.

  • Zero Trust. A zero-trust approach to regulating access to sensitive digital data, one that assumes no connection, user or device is safe unless verified, should be a part of every online game platform. With the zero-trust approach in action, the IT support personnel would have been required to verify the identity of the party requesting the MFA token in multiple ways and then send the requested token in a way that only the authorized party would have been able to access, such as through that party’s email.

  • Data Encryption. Another essential part of preventing data breaches is the encryption of the data itself. In the case of the EA data breach, XSOC CORP solutions would have elevated security even more and made it more resistant to human error by providing the necessary layer of protection that would have kept the data, including the source code and the API keys, fully and efficiently encrypted with quantum-safe encryption. Access to the data also would have been properly regulated with inline resourced MFA that can only be created by the authorized user and that becomes part of the cryptographically secure key material of the encryption key required to perform any decryption job, rather than being a separate token that could be compromised. A token could not have been generated to be given to the unauthorized party. This means that only after the multiple authentication measures were applied would the data have been decrypted. There would have been no instance in which the threat actor would have had decipherable data that could have been sold, publicized or used for ransom.


Online game developers, publishers and distributors have to implement the cybersecurity solutions that make it impossible for malicious actors to access their systems and data. At XSOC CORP, our hardened, optimized encryption can provide an at-source layer of impenetrable protection for digital data and valuable IP. Contact us today to learn how easily you can integrate our award-winning cryptographic and encryption solutions into your existing system to protect your organization’s data.

