Activision data breach exposes employee and game information

Data breach occurred in December 2022

Activision, a game development giant, suffered a data breach in early December 2022. The hackers, who gained access to the company's internal systems by tricking an employee with an SMS phishing text, were able to exfiltrate sensitive workplace documents, including employee information and content release schedules until November 17, 2023.

Activision claims that no sensitive employee data, game code, or player data was accessed and that the incident was resolved quickly. However, security researchers at vx-underground^[1] claim that the hackers gained access to the Slack account of an Activision employee on December 2 and tried to trick other employees into clicking malicious links.

Commonly hackers target particular industries and professionals in fields like technology and cybersecurity. Employees are needed for social engineering attacks and further injections, attacks that cybercriminals plan. These methods involve even advertising for particular tools that professionals use and seek to get. Stay cautious.

Personal information of employees allegedly leaked

Although Activision has yet to inform its employees of the data breach, some of whom may have had their data stolen, vx-underground verified the legitimacy of the data breach. According to security researchers, employee information obtained includes full names, corporate emails and phone numbers, job opening offer amounts, places of work, and more.

It is said that the hack was limited to that one employee's computer, but given the responsibilities given to an HR employee, the computer contained employee details of all Activision employees. However, Activision claims that no player/user data has been compromised.^[2]

The security of our data is paramount, and we have comprehensive information security protocols in place to ensure its confidentiality. On December 4, 2022, our information security team swiftly addressed an SMS phishing attempt and quickly resolved it. Following a thorough investigation, we determined that no sensitive employee data, game code, or player data was accessed.

The breach has also revealed plans for Modern Warfare II's upcoming DLCs, Call of Duty 2023 (Codenamed Jupiter) and Call of Duty 2024 (Codenamed Cerberus).^[3] The leaked information was based on marketing materials, and the development environment was not affected by the breach. While some of the information obtained by Activision may be outdated now, the breach is still significant as employee data, and release schedules were exposed.

Activision claims no sensitive information was stolen

Activision is headquartered in California, where a data breach notification law requires companies to notify victims of data breaches when 500 or more state residents are affected. The law defines “personal information” to include Social Security numbers, other forms of ID such as driver's license numbers, California ID cards, tax identification numbers, passport numbers, military identification numbers, or other unique identification numbers issued on a government document commonly used to verify the identity of a specific individual, medical and health insurance data, credit card numbers, and biometric and genetic data.

Activision's spokesperson has stated that there are no requirements for a company to notify when there is no evidence of sensitive data access. However, given that the breach exposed employee information, including full names and corporate email addresses, Activision may need to notify its employees and regulators of the breach. The company is also in the process of being acquired by Microsoft in a deal valued at $68.7 billion, which may complicate matters further.

Activision has yet to notify its employees of the breach, which could be problematic if their data was stolen. The company may also need to notify regulators of the breach, given that it exposed employee data. This breach is a reminder of the importance of cybersecurity measures and the need for companies to take data breaches seriously.