By Nelson Schneider - 06/12/21 at 04:20 PM CT
I don’t know if part of it’s just media spin and lumping a whole bunch of things together to make them look scarier and more epidemic than they actually are, but lately we’ve had nothing but bad news in spades. 2020 was the Year of COVID-19 and the Year of Police Brutality Complaints. Now, 2021 is rapidly shaping up to be remembered as the Year of Ransomware, and Games Industry players aren’t immune.
Hot on the heels of a Serious Business report by “60 Minutes” (jump to the 16-minute mark) of Russian (and perhaps other foreign) criminal hackers installing ransomware on a broad swath of private American computer networks ranging from low-level local governments to hospitals to petroleum pipelines, this week reports came to light that at least two of the biggest players in the Games Industry have been subject to similar attacks. And like the Serious Business outfits, nobody wants to report that they’ve been hacked so the government can possibly look into helping them do something about it.
According to reports surfacing now, almost in a Me-Too-esque fashion of one victim making it fashionable for other victims to come forward, it has been revealed that Triumvirate of Evil member, Electronic Arts, lost nearly a terabyte of data, while Our Boy, CD Projekt lost an undisclosed quantity of source code and private company data (allegedly no end user data, but we’ll see…).
These security breaches happened months ago, but we’re just hearing about them now. On top of that, both the EA and CD Projekt hacks reveal a disturbing willingness to combine old-school hacking with new-school ransomware on the part of the criminals involved, as, in both cases, the crooks put the data and source code up for auction.
The real irony here is that, even after the rash of Internet attacks on private networks a few years back – specifically, the infamous PSN incident – nobody who runs these companies, whether they provide essential services like hospitals and pipelines or whether they’re superfluous entertainment like game companies, has figured out that they need to dedicate more IT time and resources into separating their various network functions from each other.
Sure, I’m not an IT expert with a Ph.D. in system security, but it seems pretty obvious to me that if you have a computer system that controls a pipeline, it shouldn’t be connected to the Internet at large. Likewise, if you have an internal network where terabytes of hospital patient data are archived, that’s the type of thing that should only be accessible internally, not from any old outside IP. While it is true that, in at least some cases, ransomware is installed from within a private network using compromised credentials obtained through phishing, there are also numerous ransomware attacks that occur when low-level hackers buy/rent access to automated scripts that simply troll the Internet for vulnerabilities.
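The separation the paragraph above asks for is usually expressed as a zone-based, default-deny policy: a pipeline controller or a patient-data archive is reachable only from named internal networks, and an address outside every defined zone is simply untrusted. The script below is an added example, not code from the post or from any of the companies it names; the zone names, subnets, ports and connection attempts are constructed assumptions, and the policy engine is a toy model of what a firewall or segmentation gateway would enforce.

```python
"""Zone-based segmentation policy check (added example, not from the post).

Models the post's point: a pipeline control network and a hospital
patient-data archive should be reachable only from designated internal
networks, never from arbitrary Internet addresses. Every zone, subnet,
port and sample connection below is a constructed assumption.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample zones (RFC1918 ranges chosen arbitrarily for illustration).
ZONES = {
    "corp_workstations": ipaddress.ip_network("10.10.0.0/16"),
    "ot_pipeline_control": ipaddress.ip_network("10.50.0.0/24"),
    "ot_jump_hosts": ipaddress.ip_network("10.51.0.0/28"),
    "patient_archive": ipaddress.ip_network("10.60.0.0/24"),
}

# Explicit allowlist of (source zone, destination zone, destination port).
# Anything not listed is denied: that default deny is what segmentation relies on.
ALLOW_RULES = {
    ("ot_jump_hosts", "ot_pipeline_control", 502),  # Modbus/TCP from the jump hosts only
    ("corp_workstations", "ot_jump_hosts", 22),     # SSH to the jump hosts, never to OT directly
    ("corp_workstations", "patient_archive", 443),  # clinical web app over TLS
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside every zone is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Verdict:
    """Decide whether a single connection attempt is permitted by the policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == "internet":
        # Untrusted sources never reach an internal zone, regardless of port.
        return Verdict(False, f"external source {src_ip} may not reach {dst}")
    if (src, dst, dst_port) in ALLOW_RULES:
        return Verdict(True, f"{src} -> {dst}:{dst_port} is allowlisted")
    return Verdict(False, f"no rule for {src} -> {dst}:{dst_port}; default deny")


# Constructed connection attempts mirroring the scenarios in the post.
SAMPLE_ATTEMPTS = [
    ("203.0.113.7", "10.50.0.10", 502),  # Internet -> pipeline controller
    ("203.0.113.7", "10.60.0.5", 445),   # Internet -> patient archive file share
    ("10.10.4.20", "10.50.0.10", 502),   # workstation -> controller directly
    ("10.51.0.2", "10.50.0.10", 502),    # jump host -> controller
    ("10.10.4.20", "10.60.0.5", 443),    # workstation -> clinical web app
]


def audit(attempts=SAMPLE_ATTEMPTS):
    """Return (src, dst, port, allowed) for each attempt so results can be checked."""
    return [(s, d, p, evaluate(s, d, p).allowed) for s, d, p in attempts]


if __name__ == "__main__":
    for s, d, p, ok in audit():
        label = "ALLOW" if ok else "DENY"
        print(f"{label:5} {s} -> {d}:{p}  ({evaluate(s, d, p).reason})")
```

Run as-is, the two Internet-sourced attempts and the workstation-to-controller attempt are denied, while the jump-host-to-controller and workstation-to-clinical-app attempts are allowed. The point worth noticing is the third case: even an internal workstation cannot talk to the controller, because the only path to the OT zone is through the jump hosts, which is what keeps a phished workstation credential from turning into direct access to the pipeline network.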
Perhaps it’s time for some of those oh-so-burdensome Government Regulations to step in and mandate minimum levels of security for all corporations of at least a given minimum size. Of course, this type of regulation is highly detrimental to small businesses that literally can’t afford it, but then, these businesses are so small that they generally don’t hold enough data or ransom money to make them appealing targets. Oh, to live in a rational world!