Published: March 15, 2020 in our Security Fraud News & Alerts Newsletter.
Zynga Inc., developer of popular mobile games, reported a breach that compromised the data of over 200 million of its users. Players of Words With Friends had their names, email addresses, phone numbers, and Facebook IDs stolen, among other personally identifiable information (PII). The hacker also exposed the passwords of more than seven million Draw Something users. Zynga says no financial data was accessed. In an unusual twist, the hacker behind the breach publicly claimed responsibility for the crime. Going by the online name Gnosticplayers, the prolific Pakistani hacker had previously stolen one billion records from 45 online services.
With data breaches becoming the norm instead of the exception, Zynga was quick to acknowledge the hack, saying “The security of our player data is extremely important to us. We have worked hard to address this matter and remain committed to supporting our community.” The transparent approach included fast action and public announcement. The current playbook for many breaches is to keep them quiet as long as possible before letting those affected know their data has been breached. When a company stays quiet about data theft, untold damage can be done while a customer has no idea their PII was stolen.
Zynga says it will protect affected accounts against invalid logins going forward, and that it is working with law enforcement and forensic teams on the breach. In the meantime, there are recommended protocols that any enterprise caught in a data breach should follow. In the face of a security breach, businesses need to act responsibly by moving quickly and disclosing the incident publicly and transparently. Having an incident response plan in place before a breach happens provides the roadmap for a fast response. Update the plan regularly, making sure the people named in it are still with the company and that anyone who has joined or left has been added or removed from their assigned responsibilities.
Most security incidents are avoidable, with more than 60% attributed to employees and third-party suppliers. However, individuals also need to be vigilant about their own security by using a unique, strong password for every account and by thinking twice before using a Facebook or Google account to sign in to other services, since that one account then becomes the key to every site linked to it. Where the same password is reused, credentials stolen from one breached site can be replayed against other accounts, including Facebook or Google.
Businesses need to have the security capabilities in place to contain a breach quickly and prevent further damage. That should include securing the physical areas of the company, locking down servers, changing access codes, replacing affected machines, and resetting user credentials. A breach plan should also include quick and transparent communications so that those affected are informed as soon as possible; posts on the company website and on social media should be part of the response strategy. Awareness of the legal notification requirements, which vary by the state a business operates in, should also be part of any security breach plan.