(Image source: Kline, 2012)
One-sentence summary:
Activision confirms it suffered a December 2022 breach via social engineering, resulting in the leak of company and potentially sensitive information.
Who was involved?
An Activision HR employee, Activision, and an unidentified threat actor.
What was the timeline?
December 4, 2022: The attacker successfully smishes an Activision HR employee and gains initial access. Incident response “swiftly” follows (Toulas, 2023, para. 3).
February 20, 2023: Vx-underground tweets screenshots of the breach.
February 21, 2023: Online media outlets contact Activision, and they confirm they had a data breach.
What occurred?
In December 2022, an Activision HR employee was smished by a threat actor, who gained access to their Slack account and began an internal spearphishing campaign (Toulas, 2023, paras. 1, 5). The adversary “exfiltrated sensitive work place documents” before the incident was “quickly resolved” (Toulas, 2023, paras. 3, 5; vx-underground, 2023). According to a third party, Insider Gaming, the breached data included “full names, email addresses, phone numbers, salaries, work locations, and other employee details” (Toulas, 2023, para. 6; Henderson, 2023, para. 3). However, an Activision representative maintains that “no sensitive employee data” was breached (Toulas, 2023, para. 3). Internal, non-public video game release information was also reported to have been breached (Toulas, 2023, para. 8).
Estimated costs:
TBA.
Involved laws:
TBA or N/A.
Root cause:
Phishing: SMS-based phishing (smishing) of an HR employee (Toulas, 2023, para. 1).
Lessons learned:
SMS-based phishing (smishing) is a growing threat that bypasses the secure email gateway entirely, since the lure arrives on the employee's phone rather than in corporate mail. Regular user awareness training for all employees is needed to combat this threat.
Example user awareness solutions:
KnowBe4 https://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
Proofpoint https://www.proofpoint.com/us/products/security-awareness-training
Sources:
Henderson, T. (2023, February 22). Activision Data Breach Contains Employee Details, Call of Duty’s Future, and More. Insider Gaming. Retrieved February 27, 2023, from https://insider-gaming.com/activision-data-breach/
Kline, D. (2012, June 7). E3 Expo 2012 – Activision booth Transformers. flickr.com. https://www.flickr.com/photos/popculturegeek/7641131138
Toulas, B. (2023, February 21). Activision confirms data breach exposing employee and game info. BleepingComputer. Retrieved February 27, 2023, from https://www.bleepingcomputer.com/news/security/activision-confirms-data-breach-exposing-employee-and-game-info/
vx-underground. (2023, February 20). vx-underground on Twitter. Twitter. Retrieved February 27, 2023, from https://twitter.com/vxunderground/status/1627477748359872513