Activision Failed to Notify Staff of December Data Breach

Activision has confirmed that it suffered a major data breach in December 2020 after hackers infiltrated internal systems through SMS Phishing texts targeted at staff. 

The video game maker said that the attack allowed hackers to gain access to internal systems, but did not compromise game source code or player information. 

“On December 4, 2022, our information security team swiftly addressed an SMS phishing attempt and quickly resolved it. Following a thorough investigation, we determined that no sensitive employee data, game code, or player data was accessed,” Activation said in a statement. 

Despite Activision’s claim that no data sensitive data had been compromised, cybersecurity and malware research group Vx-underground allege that the threat actor "exfiltrated sensitive workplace documents'' as well the content release schedule until November 17 2023. 

Before Activison released its statement, the research group posted screenshots of the stolen data on Twitter, as well as several of the hackers’ messages on Activion’s internal Slack channel. 

The stolen data, according to the research group, includes plans for future video games, as well as sensitive employee information including names, phone numbers, salaries and places of employment. 

Video game publication Insider Gaming has obtained and examined the entire leak, reporting that the data contains full names, email addresses, phone numbers, salaries, work locations, and other employee details, after obtaining “the entirety” of the stolen data. 

The publication believes that the hacked staff member was from the Human Resources department, giving them access to vast amounts of sensitive employee information.

Too little, too late 

Despite the potential severity of the attack, Activision failed to inform the public of the attack until after Vx-underground posted evidence of the breached data online last weekend. 

.@Activision was breached December 4th, 2022. The Threat Actors successfully phished a privileged user on the network. They exfiltrated sensitive workplace documents as well as scheduled to-be-released content dating to November 17th, 2023.

Activision did not tell anyone. pic.twitter.com/urD64iIlC5

— vx-underground (@vxunderground) February 20, 2023

But the public weren’t the only people surprised by the news. The game publisher is reportedly still yet to notify its staff of the attack’s occurrence even though their personal information is reported to have been accessed by the hackers.

Speaking to TechCrunch, one employee, who chose to stay anonymous, said “This is a problem. If there is employee’s information involved, they should have disclosed the breach.” 

Activision, which publishes household names such as Call of Duty and World of Warcraft, is headquartered in California. 

The US state has a data breach notification law that requires companies to inform victims of data breaches when more than 500 or more residents are affected. 

The law defines personal information to include Social Security numbers; other forms of ID such as driver’s license number; California ID cards; as well as residents’ “tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.”

The video game industry’s fight with Cybercrime 

Activision is just the latest victim in a series of attacks against video game developers. Last month, Riot Games disclosed a breach that allowed hackers to access the company’s “development environment,” allowing them to steal source code on multiple popular games from the developer.  

Meanwhile, in September, hackers published unreleased footage from the upcoming Grand Theft Auto VI, obtained through a hack that developer Rockstar Games said allowed the threat actors to access “confidential information from our systems, including early development footage from the next Grand Theft Auto.”

To learn more about cybercrime visit our dedicated Business Continuity Page. 

“Over the past twelve months we’ve seen cybercriminals set their sights on the gaming industry, and Activision appears to be the latest in a growing line of victims, said Teppo Halonen, Regional Director for Northern Europe Vectra. 

“Gaming today relies on cloud technology, to help users play anywhere in the world – meaning more devices, more users, and a larger attack surface.” 

“Whether attackers are going after stolen source code from unreleased games or customers’ personal information – with such a huge user base, there are massive amounts of sensitive data at risk” he added.

Another blunder in the Microsoft acquisition   

The breach arrives at an unfortunate time for Activision, which is currently in the process of being acquired by Microsoft for nearly £56.8 billion. 

US and EU regulators have already raised their concerns about the deal due to concerns that it “may reduce competition in the games markets,” and give Microsoft an unfair monopoly on the markets and a dangerous advantage against its competitors. 

Microsoft is currently defending the acquisition with EU regulators in Brussels this week as it attempts to persuade Sony, Google and Nvidia to agree to the deal.

I Try To Not Talk About The Activision Acquisition Recently But These Microsoft Executives (Microsoft's President Holding Sony 10 Year Call Of Duty Deal)

I Have Never Witnessed A Company Like Microsoft Ever

What They Have Said About This Deal It, And Continue To Show And Do😂👇 pic.twitter.com/wYAi2Pvbds

— @Zuby_Tech (@Zuby_Tech) February 21, 2023

It is unclear if the data breach will be mentioned in the hearing, but it is yet another complication in Microsoft’s years-long battle for the company.