IWD 2024: Expert security insight from within the gaming industry
Can you name a notable example of a security incident in the industry, and what we learned from it?
There have been many high-profile security incidents in the industry in recent years, including hacks, leaks and piracy. One notable example was the ransomware attack on CD Projekt Red (CDPR), which saw some of its assets frozen and exfiltrated. What's interesting about this incident is that CDPR did not cooperate with the hackers but instead refused the ransom demands. According to Statista, in 2023, nearly 73 percent of companies worldwide complied with ransom demands.
It is difficult to say definitively why CDPR took this approach, but it does show confidence in its security and crisis precautions.
Regardless of how CDPR resolved this ransomware attack, there are a couple of things other companies can learn. One of them is the importance of maintaining IT systems, having security, firewalls and robust backup and recovery solutions.
Ransomware and similar types of crises can occur at any time. While all companies hope it doesn't happen to them, all should have crisis management plans to avoid scrambling to respond in the worst-case scenario.
What are the common attack types and routes of entry in the video games industry?
Hackers can infiltrate video games in a variety of ways. They can reverse engineer code and use arbitrary code execution to enter a system. Other common types of attacks include social engineering, in-game phishing, botting, game state manipulation, MIM attacks, DDoS, and user account hacking.
Some of the most popular gaming companies on the planet have been on the receiving end of these attacks. In 2022, Rockstar experienced a hack through social engineering where an attacker gained access to its Slack account and leaked content for GTA VI.
How specifically are video game companies exposed – what's different versus other industries and the wider economy?
According to research from Akamai, web application attacks were up 167% year-on-year from May 2021 to April 2022. These types of attacks can exploit vulnerabilities in online channels like mobile games.
One of the differences between gaming and other forms of technology is the level of exposure and attack vectors that are accessible. For example, most gamers link their gaming accounts to their banks to access features and games, which can be an added vulnerability if their payment method has little to no fraud protection. Furthermore, gamers can spend hours on games in a day. Being so deeply immersed in gameplay, they are less likely to be alert to cyber security risks and so will lower their guard.
What are the main motivations behind cyber attacks in the gaming sector?
The motivations for cyber attacks can vary. It could be anything from an 'ethical' disagreement to financial compensation. For example, going back to the CD Projekt Red case of 2021, it was speculated that it could have been a response to CDPR's failure to fulfil the promises and expectations of their fanbase. It could have also been an attempt to take advantage of CDPR's weaker public image at the time, thinking they might have been more willing to pay the ransom to avoid any further backlash.
There is also the question of data, as nowadays games and game companies manage enormous amounts of data. On a gamer level, player data is valuable and can be a traded commodity amongst gamers. A highly 'levelled up' player/account with hundreds of hours of gameplay or a large investment in micro-transactions has a significant cachet. Gamers can use such accounts, frequently created using automated bots, for bragging rights or to sell them for a profit.
From a corporate perspective, gaming companies keep massive amounts of critical user data, from personal to financial data, which is highly sought after and valued. Hackers can attack large companies to access data that can be sold for profit or used for other nefarious schemes.
Which types of companies in the broader gaming industry are more exposed than others? (within gaming)
The average hacker is likely to want some form of financial compensation, so AAA games or games that involve in-game transactions are popular targets. This is particularly true for games that allow players to convert money or use fiat currencies. Smaller companies might sometimes also be a target, as they might have made less investment into security.
Franchises with weak digital rights management (DRM) are another prime target for attack. DRM systems confirm that games have been made by a person or firm through legitimate means. Without a strong DRM, games can be bypassed or pirated, which can leave players in a compromised position.
What are the consequences of cyber attacks for game companies? Does the consequence depend on the nature of the attack?
To a certain extent, the consequences depend on the nature of the attack. For example, when new gaming features are leaked, the risk is that fans know of new features earlier and competitors could release similar features. This type of attack is unpleasant, but companies can bounce back as it is more of a marketing challenge. That said, depending on the content that is leaked, it could become a financial/sales nightmare. For example, leaks can contain unpolished or even scrapped features of the game, which can lead to public disapproval and a loss of interest from gamers.
When company or user data is stolen, the risks are higher. Famously, in 2011, PlayStation Network (PSN) experienced an external intrusion that resulted in approximately 77 million accounts being compromised and resulted in class action lawsuits. These types of attacks can come with large financial costs, reduce public trust and negatively affect the reputation of the company - not only with investors, but with users, fans, and staff. Once trust is lost, it is incredibly difficult to rebuild.
What's one (or two) things not enough game companies do that they should be doing?
Many companies do not thoroughly investigate their networks and defences. There are a lot of talented cybersecurity professionals within companies that can test for weaknesses in the system. For example, cybersecurity teams can employ a 'red team' vs 'blue team' approach in which the red team simulates attacks against the blue team to test the effectiveness of the company's defences. These exercises can reveal gaps in the security of the network and help teams better handle real threats.
Another process that can fall by the wayside is third-party security audits. External teams can go into gaming company systems with fresh perspectives and challenge norms that have been accepted by employees and potentially uncover anything that has possibly been overlooked.
Beyond just adopting new products, what measures can games companies take to avoid these consequences (including internal practices and attitude shifts)?
One of the easiest things companies can do is to improve the security measures and best practices with all employees. It can be tedious, but using strong passwords, changing passwords regularly, using multi-factor authentication, and ensuring software is fully patched are all actions that can reduce the likelihood of a cyber attack. Most employees get so consumed by the day-to-day activities that simple cyber security protocols can fall by the wayside.
In terms of attitude, many people across technology verticals view cybersecurity as an afterthought. Instead, developers should work to integrate their creative ideas with security measures.
Ultimately, gaming companies must remember that it is easier and safer to be over-prepared than to be underprepared. The damage from cybersecurity attacks can be difficult to repair, and in some cases, the trust of the consumer may be lost forever.