When I read the data breach notification from Final Fantasy and Dragon Quest game producer Square Enix this morning I got to thinking that we've seen a lot of gaming services get cleaned out recently by hackers.
It's a trend that's been going on all year, ever since thieves hit the mother lode when they penetrated Sony's PlayStation and Online Entertainment networks. After Sony, we heard from Sega, Nintendo, Microsoft XBOX, Steam Network, and Nexon (Maple Story), and now Square Enix about their own data breaches.
So why has stealing data from gaming companies become such a focus area for attackers? Well, of course, it's because there's gold in them there hills.
In each of these attacks, it appears that the target was the same; information about the gamers who use the services. Usually this includes email addresses, personal info, and billing history. Sometimes they get passwords and credit card numbers too - but that data is almost always encrypted, hashed or otherwise reasonably protected. You might be asking yourself, what's the point?
Well, think about it. Gamers who have accounts on these services all share some common traits that make them prime targets for many types of scams. We know they all enjoy playing video games, and that they are enjoying those games while connected to the internet.
We know they all have the means to purchase gaming systems and games to run on those systems. We know that they are all comfortable with doing some business online. When you combine those common traits with the data on each gamer, you can quickly build a list of prime targets to scam out of some money, recruit into a botnet, etc.
I suspect these attacks are all about filling a sales pipeline of sorts. Finding the list of people who will be receptive to an offer to play a new version of a favorite game, or to download some customizations or cheat codes becomes a lot easier when you know who games, how much they game, how much they spend on gaming, and perhaps most importantly what specific games they enjoy.
It would hard for a sports gaming fan to ignore that offer to load up this year's stats for the players in their game. It would be hard for a fantasy gaming fan to bypass the offer of a new world to explore, or some new weapon or power that no other player has. With roughly 200 million gamer's info stolen this year alone, the crooks out there have a pretty large list of leads to follow up on.
If you are a gamer and you use any online gaming network or service, please be vigilant and cautious. Don't click on any offer that comes in via email, and don't go purchasing (or even signing up for) anything gaming related unless you are doing so direct from the software manufacturer or gaming network.
If you get some interesting offer over email that you can't resist following up on, you can still do that without clicking the link. If you're being offered some pre-release of a game or customizations, go to the game vendors website directly and look for the offer there.
If you don't see it, reach out to their support team and ask them about the offer you received. Do some homework and make sure you're not going to end up victimized before you let your excitement for a new/better gaming experience to get the best of you.
If you are a gaming company, it's time to turn the focus of your IT security efforts away from the network perimeter and start putting protections around the databases that house your customer information and intellectual property. There are plenty of great solutions out there that can detect misuse or suspicious access to sensitive information, and take action to immediately alert your incident response team to the situation while automatically stopping an attacker before your data starts to leave the network.
If you're not monitoring and controlling access to all of your sensitive databases 24/7, you are leaving yourself exposed to the same kind of attack that so many companies have fallen victim to this year.
It's yet another layer in your already complex security infrastructure for sure. But ask yourself, would a bank build a branch office without a vault to store the cash? Of course they wouldn't.
In your business, a lot of your cash equivalent assets are your data. Follow the bank's lead and put that cash in a vault by locking down your sensitive databases and making sure those databases are always used appropriately and only by those with authorization to use them.