Incident Of The Week: Zynga Security Breach Affects 170 Million User Accounts
Lessons On Enterprise Disclosure Of A Data Incident
Add bookmarkZynga, a successful mobile game company with titles like "FarmVille," "Mafia Wars" and "Cafe World," has become the target of a security breach.
What Happened?
A Pakistani hacker, who goes by the online alias Gnosticplayers, took responsibility for the attack, claiming he managed to breach "Words With Friends" and "Draw Something" to access the data of more than 200 million users. The same person made headlines previously for selling nearly a billion stolen records from 45 online services.
The attack affected all people who installed and signed up for "Words With Friends" on or before September 2nd, 2019. The stolen data includes names, emails, phone numbers, Facebook IDs and more. The hacker also exposed passwords for more than 7 million "Draw Something" users.
With more than 140,000 members, Cyber Security Hub is the vibrant community connecting cyber security professionals around the world.
What was the Response Immediately?
Zynga admitted to the data breach in a published statement, saying account information may have been illegally accessed. Fortunately, the attack contained no financial data. The company did not unveil the number of users affected. However, it identified account login information that hackers may have accessed.
See Related: Telling The Cautionary Tales Of Cyber Crime
Going forward, Zynga alleges it will protect accounts from invalid logins. The company will also contact impacted users following an investigation with law enforcement and third-party forensics teams. In some cases, the brand's apps may require users to change their passwords upon logging in.
According to the company, cyber-attacks are a reality of modern business. However, it plans to reaffirm the commitment to the security of player data and the community.
What is the Future of Cyber Security?
The need to protect user information on commerce sites and apps is more important than ever. Cyber-attacks occur every day, costing businesses an average of $4.9 mn per breach.
See Related: Quantifying The Enterprise Cost Of A Cyber Security Data Breach
While it is crucial to achieve compliance with government regulatory standards, such as the General Data Protection Regulation (GDPR), it is often not sufficient enough to ensure real security. While cyber liability insurance is available, premiums are significantly increasing in cost and do not cover all damages in the event of a breach.
Most incidents are preventable, with more than 60% of breaches originating from unauthorized access from an employee — current or former — or third-party supplier. Nevertheless, it can be nearly impossible to prevent an attack from an outlier. In the face of an incident, businesses need to be efficient and transparent in disclosure.
How to Announce a Breach?
The first thing organizations must do in the event of a breach is to secure physical areas, including locking up servers and changing access codes. They must also replace affected machines and update user credentials.
Businesses should have a communication plan in place to contact the affected parties. An effective strategy anticipates the questions people will ask and responds with plain-language answers. Information should be clear and easy to find, including on the brand's website and social media pages.
Legal requirements will vary by state and country. For example, most states in the U.S. have legislation requiring the notification of breaches involving personal information. Municipalities also require organizations to contact law enforcement and report the potential for identity theft.
See Related: The Full “Incident Of The Week” Log on Cyber Security Hub