The CD Projekt Group has had a bad six months.
In December, the video game company launched its much-anticipated Cyberpunk 2077 with significant bugs, especially on non-PC systems, leading to viral memes and some scathing reviews. In February, as it struggled to fix extensive flaws in the game, hackers stole source code and encrypted data, demanding that the company "come to an agreement." And last month, CD Projekt revealed its internal data — including details on current and former employees and contractors — is now circulating on the Internet.
The company is working with European and international police, as well as investigators in its home country of Poland, it said in a statement posted to Twitter.
"We would also like to state that — regardless of the authenticity of the data being circulated — we will do everything in our power to protect the privacy of our employees, as well as all other involved parties," the company said. "We are committed and prepared to take action against parties sharing the stolen data."
Such incidents are not isolated. In June, Electronic Arts revealed it was investigating claims that its software and data were being sold on underground forums. Overall, application and Web attacks on gaming companies rose 340% in 2020 compared with the previous year, according to a report released last week by network services and security firm Akamai. While gaming companies may face additional drama from a dedicated fanbase that also includes hackers, the attacks are, in most ways, no different from what other industries experience daily.
There are lessons to be learned from criminals' efforts against the gaming industry, especially as more companies move to the cloud and enterprise infrastructure increasingly resembles gaming infrastructure, says Steve Ragan, security researcher at Akamai.
"Everyone is trying to get more into the cloud, and it's not just gaming companies," he says. "Almost every company is doing more hosted access to the end user."
As cloud infrastructure, greater mobile access, and zero-trust frameworks become prevalent across organizations, the gaming industry has some lessons to share.
Shift to Mobile Shifts Security Risk
Mobile has become the dominant platform in gaming, accounting for 35% of the $151 billion in annual gaming revenue in the United States and more globally. "Young people who do not have access to a console or PC are playing competitively on mobile devices," says Ryan Lloyd, chief product officer at mobile application security firm GuardSquare. "In the rest of the world, mobile devices are the platform of choice."
Companies outside the gaming industry should take note, because the applications that businesses rely on look increasingly like gaming infrastructure. The cloud-native approach to mobile applications is growing common for consumer and business applications as well.
This makes the applications and the backend cloud infrastructure the targets, says Lloyd.
"The device is less a target of attack, because attackers are more focused on the app," he says. "Because it [is] an issue of scale — if you compromise the app, you can affect a lot more devices."
Know Your Customer
There is a love-hate relationship between many gamers and companies that make the worlds in which they play. And these emotions often drive attacks.
The gaming industry, for example, is the most common target of distributed denial-of-service (DDoS) attacks. While such attacks dropped by 20% in 2020, the gaming industry bore the brunt of them, as it typically does every year. Driven by gamers trying to gain an advantage over other players, or to punish the gaming company, DDoS attacks against gaming infrastructure accounted for 46% of all DDoS attacks, according to Akamai's Gaming in a Pandemic report.
"Gamers do have a love-hate relationship with the companies," Akamai's Ragan says. "They will get excited about the games, and then they will turn right around and complain about everything ... many turn to attacks."
Companies need to know their customers because attackers have done their research. Cybercriminals consistently target gaming accounts of the most popular games, keeping track of when specific events occur to exploit potentially chaotic transitions, he says.
"Criminals know what games are hot — they pay attention to the lifecycles in the gaming industry," Ragan says. "If you look at the peaks, they correspond to patch-release days, updates to various games, and new game drops."
The technique is common, and companies should be aware that maintenance windows are popular times to attack as well.
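One defensive reading of Ragan's point is that login-abuse peaks are measurable and can be checked against a company's own release calendar. The script below is an added example, not code from the article or from Akamai: it takes constructed daily counts of failed logins against an account service, computes a median baseline from the preceding week, flags days that exceed a multiple of that baseline, and labels each spike with the release or maintenance event it coincides with, if any. The dates, counts, event names, and the threshold values are all assumptions made up for the illustration.

```python
"""Flag authentication-failure spikes and correlate them with release or
maintenance windows.

Added example, not code from the article or from Akamai. All input data
below is constructed for illustration; the thresholds are assumptions.
"""
from datetime import date, timedelta
from statistics import median

# Constructed daily counts of failed logins against a game's account
# service (date -> count). A normal week hovers near 1,000; two spikes are
# planted, one on a patch day and one unrelated to any scheduled event.
FAILED_LOGINS = {
    date(2021, 6, 1): 980, date(2021, 6, 2): 1010, date(2021, 6, 3): 1050,
    date(2021, 6, 4): 970, date(2021, 6, 5): 1120, date(2021, 6, 6): 1000,
    date(2021, 6, 7): 990, date(2021, 6, 8): 1030,
    date(2021, 6, 9): 8400,   # patch-release day
    date(2021, 6, 10): 3400,  # day after the patch
    date(2021, 6, 11): 1040, date(2021, 6, 12): 1010, date(2021, 6, 13): 990,
    date(2021, 6, 14): 5200,  # spike with no scheduled event
    date(2021, 6, 15): 1000,
}

# Constructed schedule of release / maintenance events (date -> label).
RELEASE_DATES = {date(2021, 6, 9): "patch 1.3"}

BASELINE_DAYS = 7      # assumption: baseline = median of the previous 7 days
SPIKE_FACTOR = 3.0     # assumption: flag when count > 3x baseline
EVENT_WINDOW_DAYS = 1  # assumption: +/- 1 day counts as "around a release"


def find_spikes(counts, releases, baseline_days=BASELINE_DAYS,
                spike_factor=SPIKE_FACTOR, window=EVENT_WINDOW_DAYS):
    """Return a list of (day, count, ratio, event_or_None) for spike days.

    The baseline for a day is the median of the preceding `baseline_days`
    days present in `counts`; median rather than mean so that one spike
    does not inflate the baseline for the days that follow it. Days with
    too little history are skipped rather than judged against a guess.
    """
    findings = []
    for day in sorted(counts):
        history = [counts[day - timedelta(days=i)]
                   for i in range(1, baseline_days + 1)
                   if day - timedelta(days=i) in counts]
        if len(history) < baseline_days:
            continue  # not enough history to judge this day
        baseline = median(history)
        ratio = counts[day] / baseline
        if ratio <= spike_factor:
            continue
        # Is there a release or maintenance event within the window?
        event = next((name for d, name in releases.items()
                      if abs((day - d).days) <= window), None)
        findings.append((day, counts[day], round(ratio, 1), event))
    return findings


def summarize(findings):
    """One line per spike, labelled by whether it coincides with an event."""
    lines = []
    for day, count, ratio, event in findings:
        tag = f"around {event}" if event else "no scheduled event"
        lines.append(f"{day}: {count} failed logins ({ratio}x baseline), {tag}")
    return lines


if __name__ == "__main__":
    for line in summarize(find_spikes(FAILED_LOGINS, RELEASE_DATES)):
        print(line)
```

Run as-is, the script reports three spike days: the patch day and the day after it, both labelled with the release, and a later spike with no scheduled event. The unlabelled spike is the one that deserves an analyst's attention first; the labelled ones confirm the pattern the article describes and argue for staffing the release window. A production version would read counts from the authentication service's logs rather than a dictionary, and the baseline window and spike factor should be tuned against the service's real traffic.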
Poor Security Decisions Put Companies at Risk
Gaming companies must give players as many protections as possible because in many cases, users — whether consumers or employees — make potentially dangerous decisions without considering security. Users regularly download free clones of games or applications to cheat at their favorite games, and these often come with unwanted features or security exploits.
Twelve of the top 25 paid iOS games have free-to-play hacks, and 10 of the top 25 games have cheats available, according to GuardSquare.
Employees are consumers too. The increase in people working from home likely means more are installing questionable software, Lloyd says.
"Bring-your-own-device policy enables people to install whatever on their mobile devices — that's even true of laptops," he says. "It's like the iceberg — whatever you are seeing, there is a lot more going beneath the surface."
Don't Just Authenticate, Educate
In a previous report released in September 2020, Akamai surveyed gamers and found that more than half (55%) had had an account stolen. Little wonder, then, that nearly all (89%) used some form of multi-factor authentication and 30% used a password manager.
Multifactor authentication works, Ragan says, but customers and employees need to be educated on why it's necessary. Gaming companies effectively put the tradeoff in terms users understand, and gamers have heard enough stories of stolen accounts to take the threat seriously, he adds.
"Criminals get really frustrated when they can't use a basic username and password to get into an account, and they move on," he says. "It works, but you have to enforce it and educate your users, tell them why it is there."
In the end, companies need to treat their employees and customers like game makers treat gamers: they are valuable, a source of vulnerability, and committed enough to go rogue if they are unhappy with the business. Educating workers and reaching out to customers can lead to a more secure outcome.
"There is a lot of front-end education toward the players, teach them the value of multi-factor authentication, why not to reuse passwords, and how to spot phishing attacks," Ragan says. "If you do it right, criminals will have to move on."