How games companies can protect themselves from cyber attacks

Sign up for the GI Daily here to get the biggest news straight to your inbox

Conventional wisdom suggests it's a matter of when, not if, your business is targeted by cyber criminals.

Employees at Insomniac were left reeling from one of the most devastating hacks in gaming history, after a ransomware group posted 1.67 terabytes of data on the dark web. Last June, hackers hit Blizzard with a distributed denial of service (DDoS) attack, with players unable to access Diablo 4 for up to 12 hours. It follows "constant" cyber attacks against Stalker 2 developer GSC Game World, a ransomware attack against Riot, one against Ubisoft discovered in March 2022, and countless other examples.

As the video games industry continues to grow, so does it increasingly become a viable target. Whether it's for money, competitive advantage, or even politics, hackers target are bringing big names and AAA studios to their knees. Landmark Akami research published last year showed web application attacks on the games industry grew 167% between 2021 and 2022 – building on its previous work uncovering security risks in the games industry.

But this is just one example of an entry method. Indeed, developers, publishers, and others face risks and attack variants that businesses across the wider economy may not. They must contend with a variety of attack methods and take specific measures to ramp up their cyber security efforts before they become the victim of another headline-grabbing cyber attack.

This article explores the reasons behind cyber attacks on the games industry, the types of attacks games companies might face, and how to prevent them or minimise the impact.

• What makes the games industry uniquely exposed?
• Which games companies are more exposed than others?
• What are the common attack methods the industry faces?
• What are the consequences of a cyber attack?
• What should you do if you suffer a cyber attack?
• What measures should the industry take immediately?

What makes the games industry uniquely exposed?

Seeing the entire industry as a homogenous entity is a mistake, given there is such variation within it, not only by role in the broader supply chain but also by the size of the business. There are, however, unique risks games companies are exposed to.

Players are prime targets

"Imagine a platform that has millions of users spending money on skins or other character enhancements, and hackers gain access to their credit card data, the names and addresses of these individuals and their date of birth," says threat detection expert at SonicWall, Bobby Cornwell. "These hackers could then not only hold the game developer to ransom but also each individual account holder."

Will Richmond-Coggan, partner at Freeths, also points to "a self-selecting pool of victims" who are "probably more affluent than the average", especially when it comes to the volumes of microtransactions we see. "You're already looking at people who have a willingness to spend. You've got interactions which are entirely digital, which means that there's the ability to compromise different stages of the relationship in a way that bricks and mortar transactions are more challenging."

Games companies are tech-centric

Technology is also at the core of how the industry operates. Games companies are exposed to the same problems as other online entities, says Andrew Whaley, senior technical director at Promon, but there are differentiating threats. "When employees begin to work from home, attack vectors increase," he says. "[But] the gaming industry has a severe cracking problem, which quite frankly plagues the entire software industry.

"Security is very, very low on [developers'] list of priorities. When something needs to be ultra-optimised to hit a certain framerate, and so on, it becomes harder to be secure and get it out quickly"

Justin Cappos, NYU

"However, there are plenty of unique aspects to games cyber security such as anti-cheat mechanisms. Games often rely heavily on endpoint protection and application shielding to protect the game code, particularly from piracy but also from manipulation or cheats embedded into the client."

You can couple this with the fact games companies rely heavily on public and hybrid cloud platforms, according to Danwei Tran Luciani, interim VP of product at Detectify. "Unlike companies within industries that are further along in their adoption of cloud technologies, games companies are recruiting aggressively to recruit the talent needed to manage large and complex cloud systems."

Security has never been a key priority

While gaming companies are forward-thinking, security has always been overshadowed by other pressures, Justin Cappos, professor in the Computer Science and Engineering department and New York University (NYU), tells GamesIndustry.biz.

"The games industry runs on pretty thin margins, in general," he says. "Really, what causes a game to be successful or not are things like how fun the game is, quality of graphics, how quickly things get out. Security is very, very low on that list of priorities. When you have something that needs to be ultra-optimised to hit a certain number of frames per second, and so on, it just becomes harder and harder to have this be secure and get out quickly.

"If every game designer could just take 20 years to release their game, then they would have plenty of time to solve all these issues. But the reality of the business is that's not the case."

Promon's Whaley agrees, adding games are extremely performance-sensitive, with titles trying to push the boundaries of what's possible. "This is particularly observable in competitive multiplayer games, where any latency renders a game unplayable," he says. "As a result, the games sector, perhaps more than any other software industry, illustrates the classic compromise between security and performance. Achieving an optimal balance demands the highest quality work and constant innovation from app security vendors, anti-cheat vendors and games developers themselves."

Which games companies are more exposed than others?

Generally, our experts agree that companies developing, maintaining or curating online or mobile games tend to be more exposed than, say, those focusing on single-player experiences. Detectify's Luciani adds that organisations hosting several brands in more than one geography tend to be more exposed too.

"A small indie company will usually release only a couple of games on one or two platforms at a time," says Whaley. "For these companies, the worst thing that could happen is if the game gets cracked shortly after launch. Meanwhile, a larger company will quite likely have online components in its games."

Cappos elaborates on the threats facing these businesses specifically. "If you have a free-to-play MMORPG, then you're worried players abusing each other. If there are microtransactions in there, then you're worried about how some of those mechanics work and people grinding and selling accounts," he explains. It isn't just about being exposed, he continues, but the level of risk and impact.

"The impact of you putting an impossibly high score up on my favourite single-player game's world leaderboard is almost nothing. The impact of you getting my credit card information, installing ransomware on my machine and locking me out of my computer is really high. Or the impact of you breaking into a game company that stores some kind of credit card information, and taking those credit card databases out is really high. We don't want any of those things to happen. That's why focus needs to be in those areas."

Although many businesses in the space take their responsibilities extremely seriously, there's a category of operators, says Richmond-Coggan, that are either just really careless, or actually go out of their way to harvest data for ulterior purposes. This is particularly prevalent when you look at the mobile games scene.

"You have to be very careful there that what you're installing isn't actually going to be installing some spyware along with the game you've got for free, and you're not inviting the hacker into your yourself by installing that software," he warns. "Both Android and the iOS operating system are getting a lot better at embedding scrutiny of apps, but the reality is that it tends to be relatively easy for us to be circumvented."

What are the common attack methods the industry faces?

Given the diversity that exists in the games industry, and the different digital interfaces that businesses in this space use, the attack surface is extremely broad. There are, however, several common attack methods seen in the space.

Distributed denial of service (DDoS)

In multiplayer games, most attacks will be DDoS. This disrupts gameplay, leading to lost revenue and a loss in customer confidence, says SonicWall's Cornwell. This is a common approach to disrupting services, according to Whaley, and was made possible in the early 2000s when the industry first expanded into cloud gaming.

"This technique can be used to disrupt competitive multiplayer games and works by using multiple attack sources where devices bombard a target, overwhelming the network with unwanted traffic," he explains.

"Failing to provide a secure experience for players will erode trust, undermine in-game economies, and decrease sales"

Andrew Whaley, Promon

DDoS attacks are what Cornwell would describe as a "nuisance attack." No data is stolen, rather cyber criminals disrupt the platform to impact the bottom line. Residual effects, can also lead to a loss of users as they get frustrated, and move on to something else.

Vulnerabilities and misconfigurations

Outdated and weak security systems are highly prevalent within the industry, argues Luciani, which translates to vulnerabilities that are easy to exploit. "Many systems, whether they are home-built or incorporate newly acquired technologies, tend to be misconfigured, also presenting opportunities for attackers," she says.

"An unknown and unprotected attack surface is typically the route of many attacks that lead to major security incidents: it could be an expired SSL certificate, an unknown subdomain that has been taken over, or cross-site scripting in a website."

Breaches can also happen through backdoor malware that may have been embedded in open source code that developers used.

Database vulnerabilities and credential stuffing

Many businesses across the industry use structured query language (SQL) to establish and maintain databases. SQL injection "involves bad actors exploiting vulnerabilities within a game to then inject hostile code", says Whaley. "From there, hackers can pilfer login credentials, card details or even access players' accounts and inventories."

Credential stuffing attacks normally follow, in which cyber criminals use the credentials they've taken to brute force access to users' other online accounts – such as social media.

MITM and server exploitation

Also known as wall hacks, man-in-the-middle (MITM) attacks normally sees hackers altering the communications between the game and the servers by secretly inserting themselves between the two parties. Individuals normally launch such attacks not to infiltrate a business, but to gain a competitive advantage in an online game.

"By intercepting this data," Whaley continues, "bad actors can modify many aspects of a game. This is often done to create unfair advantages such as manipulating the collision detection logic within shooter titles to avoid or guarantee hits. MITM attacks can also allow cheaters to alter the transparency of model assets to allow themselves to see through and even travel through walls."

"If hackers gain access to [players'] credit card data, names and addresses... hackers could not only hold the developer to ransom but also each account holder"

Bobby Cornwell, SonicWell

Freeths' Richmond-Coggan adds that attacks may also take place when a company is migrating to new servers. "Maybe they've outgrown their existing data centre and they need to move to something more robust," he suggests. "During the migration, often the data was very vulnerable, and a lot of times it gets compromised."

Ransomware attacks

The industry is certainly at risk of ransomware, but cyber criminals don't normally launch these to target game companies specifically.

"There are definitely those who will write software, and then set it loose on the world, and they don't really care where it ends up," says Richmond-Coggan. "A lot of ransomware attacks, for example, fall into that category."

Cappos adds everyone bears some amount of risk, but it's "probably not a substantial risk." "You're doing your development, you're using version control systems, you're backing things up," he says. "Anytime you really have multiple people doing development, you usually have sufficient backups to your infrastructure that you're probably going to be fine."

What are the consequences of a cyber attack?

No matter the size of the company, cyber attacks will "always hurt a business' bottom line", says Whaley. This is something of a census among our experts. Not only might businesses lose revenue, but they may also fall foul of regulations if they don't, for example, report cyber attacks in time, facing huge fines.

"If a company fails to provide a secure experience for their players this will erode trust, undermine in-game economies, and decrease sales," Whaley adds. "Die-hard fans are often the drivers of a game's success; yet due to their abundance of in-game assets such as gear or money which can be stolen, these are the most targeted accounts.

"Word quickly spreads through in-game communities if a developer cannot protect their most valuable and loyal customers. As you'd expect, this has serious ramifications for the health and longevity of a game."

While the impact of an attack on Ubisoft, for example, when The Division experienced a player exodus due to "rampant hacking", may seem huge, usually the impact isn't significant enough for these businesses to go under.

"The consequences of even the smallest attacks for smaller to medium companies can be dire," Whaley says. "Smaller studios often only have the budget to release one game at a time, the revenues from which will fund the development of their next game. In this scenario, a well-orchestrated cyber attack could cause a small indie studio to go bankrupt."

What should you do if you suffer a cyber attack?

If you company is ever targeted by a cyber attack, there are a number of things you should do to minimise the impact.

Richmond-Coggan operates, in part, as an advisor for companies grappling with data or privacy-intensive technologies, including games companies. He regularly works with clients who have experienced data breaches in an advisory capacity and offers the following guidance based on his first-hand experience.

"Immediately, what tends to happen, is whatever they thought was their main business priority goes out of the window, and everything is focused on just survival," he tells GamesIndustry.biz. "It's no exaggeration to say these attacks can pose a total existential threat to the business under attack."

Quite often, attacks are timed to coincide with the point just before studios are supposed to be delivering the final version of their game. If it's ransomware, all digital assets – everything they've been working on – will be locked out.

In the event of ransomware, all digital assets – everything the business has been working on – will be locked out, and the studios will lose all kinds of things they're in the middle of developing – unless they pay whatever the ransom demand is.

"The temptation is to pay so you don't miss your deadline," he continues, "so you don't lose your market."

This, he notes, may often happen in the run-up to Christmas; even a few weeks spent recovering your systems means missing the prime sales window, "which can have a powerful impact on the business."

Even if businesses can recover a backup, and they're able to wipe down their servers and restore them – or even pay the ransom – the disruption may still linger. "Firstly, you don't really know how long that piece of software that was used to trigger the attack, or used to gain access to your system," he explains.

"You don't know how long it's been sitting there dormant. You have to do a really thorough deep clean to make sure any lasting trace of any sort of malware, or credentials that have been set up as part of the attack are all purged. That can be quite time-consuming."

"Unlike companies in industries that are further along in adopting cloud technologies, games companies are recruiting aggressively to recruit the talent needed to manage large and complex cloud systems"

Danwei Tran Luciani, Detectify

If it's a serious attack that impacts personal data, businesses must notify both the regulator, depending on where they're based, and the individuals. Generally you have to do that quickly because, depending on the time of year (Christmas, for example), it may intensify any sour reactions. That also feeds into bad publicity – but it's more than that.

"It's about whether or not those people will ever trust you with that information again, and often, increasingly, people are starting to vote with their feet with these things."

Then, you've got the longer-term costs of remediation, Richmond-Coggan continues. "If you've got a regulator taking an interest, they're probably going to be looking at your systems and saying, 'Well, that's really not up to standard – you're gonna have to make an investment into more sophisticated safeguards if you want to be able to keep operating.' They might have to compensate people who were affected adversely because their credit card information has been stolen."

What measures should the industry take immediately?

There are a variety of key steps our experts recommend the industry takes to protect itself and its customers from cyber attacks. These include the following practical measures.

Instigate a cyber security culture shift
Games companies should see security as an enabler, rather than a blocker, and implement a layered approach that incorporates an element of cyber security into the breadth of development. Organisations must also plan to implement security in such a way that it doesn't slow down the launch of updates, particularly in live service games.

Educate the workforce
Ensure that employees are aware of all threats and the types of threat that might occur, says Cornwell. This will help them be more vigilant.

Nail the information security hygiene basics
It's often forgotten, but companies need to ensure they have managed to handle simple processes well, says Richmond-Coggan. "If, say, a company has a repository of all their users, they may want to ensure it's accessible by everyone across different platforms, so they prioritise making it convenient over actually writing some robust protections."

Create specialised security units to oversee game development
Whaley recommends that studios establish a team that oversees every major feature of a game while it's in development. As talented as game developers are, he says, are rarely experts in cyber security. A well-thought-out game architecture, on the other hand, is enough to avoid most cyber security problems.

Follow industry guidelines around PCI-DSS
These guidelines safeguard and optimise cardholder data for businesses that store them. Any connections to outside platforms or consoles should have strict security in mind, and data logs should be monitored to ensure there's no abnormal behaviour that could be early breach indicators.

Remember to protect users and IP equally
Whaley notes with the shift to mobile-first gaming, reliance on paid extras as a main income stream has led companies to prioritise transactional integrity at the expense of protecting their IP. Both, he says, are critical and a balance needs to be struck.

Don't oversell yourself in the press
With the public and other industry stakeholders seeing privacy and security as more and more important, many in the industry may be keen to "blow their own trumpet" about it, adds Richmond-Coggan. "But if they haven't actually put in place the protections when they start talking about it, then all they're really doing is disclosing vulnerabilities."

Continuous monitoring
With companies constantly scaling servers, and changing their infrastructure, monitoring the attack surface is essential to guaranteeing performance. When continuously testing production environments, they should identify and prioritise fixing vulnerabilities as and when they're found.

"It's no exaggeration to say these attacks can pose a total existential threat to the business under attack"

Will Richmond-Coggin, Freeths

Anti-cheating by design
Many studios can mitigate cyber attacks if they factor anti-cheating mechanisms into the early stages of development. A game's defenses are only considered once it's half-built, which is already too late, Whaley stresses. By this point, there could be preventable vulnerabilities embedded in a game.

In-house cyber security testing
Enterprises, in particular, like AAA studios, must have a security team, and they should be doing regular testing as part of QA, says Cappos. Not doing so would be negligent. As for what should be tested, anything related to payment, RCE, or anything that could harm a machine or cost money. Cappos also recommends that businesses should, ideally, bring cyber security operations in-house as opposed to outsourcing it to a cyber security vendor.

Perform more fuzzing
Cappos also wants to see more fuzzing – automated testing that injects corrupted or invalid inputs into a system in order to reveal defects and flaws. Given the prevalence of post-launch bugs in many titles, he feels the industry could perform fuzzing more regularly. This needs to be more consistently applied and anything you put on a network, he says, needs to be fuzzed.

Guarantee real-time backups
Backing up data in real-time, with the ability to access that data and scrub it – if malicious software is dropped and backed up – is critical.

Adopt data minimisation by design
Companies need to start getting better at thinking about how much information they really need to store, says Richmond-Coggan. Every record a business keeps is potentially a target – so make an assessment on every piece of data you may otherwise ask users for.

Take care when handling payment information
Cappos stresses the need for organizations to take their responsibilities when asking for payment details seriously – and to avoid doing it if they lack the resources or staffing to stay on top of things. "If you've got anything that accepts payments or there's any transfer of money, you 100% need to take the same level of care and practice that any other organisation and group would do for that," he says. "That is without a doubt – 100%."

Outsource payments – unless you're a massive enterprise
The exception to Cappos' outsourcing principle is when it comes to anything that has a touchpoint with customers' financial data. Big publishes like Paradox, or EA, may have robust systems in place to handle this in such a way that Steam and Apple do, but, otherwise, it pays to let an industry giant handle that side of the business through their platforms.

Push regular security patches for all titles, not just the newest ones
Many titles get security patches, but don't neglect titles that may be five, or even ten, years old, says Cappos. These titles may still have a substantial user base, and companies still have a duty of care over customers. They should be looking for vulnerabilities in software libraries they may have used, and routinely push updates if, say, an issue arose.

More GamesIndustry.biz Academy guides on cybersecurity

• Blocking ransomware, hackers and more: What you need to know about security for games
• How to handle a data hack

Sign up for the GI Daily here to get the biggest news straight to your inbox