Incident Of The Week: Zynga Security Breach Affects 170 Million User Accounts
Lessons On Enterprise Disclosure Of A Data Incident
Zynga, a successful mobile game company with titles like "FarmVille," "Mafia Wars" and "Cafe World," has become the target of a security breach.
A Pakistani hacker, who goes by the online alias Gnosticplayers, took responsibility for the attack, claiming he managed to breach "Words With Friends" and "Draw Something" to access the data of more than 200 million users. The same person made headlines previously for selling nearly a billion stolen records from 45 online services.
The attack affected all people who installed and signed up for "Words With Friends" on or before September 2nd, 2019. The stolen data includes names, emails, phone numbers, Facebook IDs and more. The hacker also exposed passwords for more than 7 million "Draw Something" users.
A Swift Response
Zynga admitted to the data breach in a published statement, saying account information may have been illegally accessed. Fortunately, no financial data was exposed in the attack. The company did not disclose the number of users affected, but it did identify the account login information that the hackers may have accessed.
Going forward, Zynga says it will protect accounts from invalid logins. The company will also contact impacted users following an investigation with law enforcement and third-party forensics teams. In some cases, the brand's apps may require users to change their passwords upon logging in.
According to the company, cyber-attacks are a reality of modern business. Nevertheless, it plans to reaffirm its commitment to the security of player data and the community.
The Future of Cyber Security
The need to protect user information on commerce sites and apps is more important than ever. Cyber-attacks occur every day, costing businesses an average of $4.9 million per breach.
While it's crucial to achieve compliance with government regulatory standards, such as the General Data Protection Regulation (GDPR), compliance alone is often not sufficient to ensure real security. While cyber liability insurance is available, premiums are rising significantly and policies do not cover all damages in the event of a breach.
Most incidents are preventable, with more than 60% of breaches originating from unauthorized access by an employee, current or former, or by a third-party supplier. Nevertheless, it can be nearly impossible to prevent an attack that falls outside that pattern. In the face of an incident, businesses need to be efficient and transparent in disclosure.
Announcing a Breach
The first thing organizations must do in the event of a breach is to secure physical areas, including locking up servers and changing access codes. They must also replace affected machines and reset the credentials of affected users.
Businesses should have a communication plan in place to contact the affected parties. An effective strategy anticipates the questions people will ask and responds with plain-language answers. Information should be clear and easy to find, including on the brand's website and social media pages.
Legal requirements vary by state and country. For example, most states in the U.S. have legislation requiring notification of breaches involving personal information. Some municipalities also require organizations to contact law enforcement and to report the potential for identity theft.