EA has come under fire from prominent cybersecurity experts for ignoring vulnerabilities in its systems prior to a massive data breach earlier this month. A cybersecurity firm has said that it approached EA warning of these flaws, but that nothing was done following that warning.
Why is EA being criticized over cybersecurity?
According to ZDNet, Israeli cybersecurity company Cyberpion approached EA in late 2020 to tell it about potential flaws that could be exploited by hackers. These flaws included multiple domains vulnerable to takeover, misconfigured assets, and improperly maintained DNS records. Several EA domains were found to still be served over plain HTTP, which is less secure than the encrypted HTTPS, while other domains had certificates that had long since expired. These flaws left the domains wide open to takeover by hackers, who could then send correspondence to EA customers from official EA domains.
Ori Engelberg, the co-founder of Cyberpion, told ZDNet that after it brought these issues to EA's attention, EA replied to say it had received Cyberpion's report and would follow up if it had any more questions about the Israeli firm's findings. However, Engelberg said this never happened, despite Engelberg and Cyberpion repeatedly warning EA about more than 10 security vulnerabilities that could lead to major data breaches. Supposedly, Engelberg simulated a hack for EA back in December last year, but EA did nothing to address the findings of that simulated hack, instead choosing to let the vulnerabilities remain in place.
Why did the EA data breach happen?
Engelberg says that attacks like this month's EA data breach happen because IT and security teams are often kept out of the loop. According to Engelberg, even assets "known to the security team" can be changed without the team's knowledge, and this often happens because of partners outside the main company. As Engelberg points out, many hackers can achieve their goals simply by "hacking a third, fourth, or fifth party" of which security teams and IT personnel often have no knowledge. K2 Cyber Security's Jayant Shukla says these breaches occur because studios don't keep DNS configurations updated and don't remove subdomains after their time is up. It is worth noting that EA is far from the only company to fall prey to an attack like this; in the last year alone, there have been breaches at Capcom, Ubisoft, CD Projekt Red, and more.
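The hygiene problems described above (stale DNS records pointing at deprovisioned third-party assets, expired certificates, hosts still on plain HTTP) are the kind of thing a defender can audit continuously. The following is an added example, not code from EA, Cyberpion or ZDNet; it runs offline against constructed resolution and certificate data (hypothetical `.test` hostnames), where a real deployment would feed it live DNS answers and TLS probe results.

```python
"""Audit a hostname inventory for dangling CNAMEs, expired certs and plain-HTTP endpoints."""
from datetime import datetime, timezone

# Constructed sample data (hypothetical hosts, not real records).
# None stands for NXDOMAIN: the target no longer exists at the provider.
RESOLUTION = {
    "www.example-game.test": {"type": "A", "value": "203.0.113.10"},
    "promo.example-game.test": {"type": "CNAME", "value": "promo-old.cdnprovider.test"},
    "promo-old.cdnprovider.test": None,  # CDN tenant deleted, record left behind
    "shop.example-game.test": {"type": "CNAME", "value": "shop.pay-vendor.test"},
    "shop.pay-vendor.test": {"type": "A", "value": "198.51.100.7"},
}
CERTS = {  # certificate notAfter per host; a missing entry means no TLS at all
    "www.example-game.test": datetime(2026, 1, 1, tzinfo=timezone.utc),
    "shop.example-game.test": datetime(2020, 3, 1, tzinfo=timezone.utc),
}
SCHEMES = {"www.example-game.test": "https",
           "promo.example-game.test": "http",
           "shop.example-game.test": "https"}
NOW = datetime(2021, 6, 15, tzinfo=timezone.utc)  # constructed "today"

def resolve_chain(name, table, limit=8):
    """Follow CNAMEs; return the terminal record, or None if any hop is NXDOMAIN."""
    for _ in range(limit):
        rec = table.get(name)
        if rec is None:
            return None
        if rec["type"] != "CNAME":
            return rec
        name = rec["value"]
    return None  # loop or over-long chain: treat as unresolvable

def audit(hosts, table, certs, schemes, now):
    """Return {host: [issue, ...]}; an empty list means the host passed."""
    findings = {}
    for host in hosts:
        issues = []
        rec = table.get(host)
        # A CNAME whose target no longer resolves is a takeover candidate.
        if rec and rec["type"] == "CNAME" and resolve_chain(rec["value"], table) is None:
            issues.append("dangling CNAME -> " + rec["value"])
        expiry = certs.get(host)
        if expiry is None:
            issues.append("no certificate")
        elif expiry <= now:
            issues.append("certificate expired " + expiry.date().isoformat())
        if schemes.get(host) == "http":
            issues.append("served over plain HTTP")
        findings[host] = issues
    return findings

def run_audit():
    return audit(list(SCHEMES), RESOLUTION, CERTS, SCHEMES, NOW)

if __name__ == "__main__":
    for host, issues in run_audit().items():
        print(host, "OK" if not issues else "; ".join(issues))
```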
Following the breach, and ZDNet's reporting of Engelberg and Cyberpion's comments, the Israeli security firm reported that EA had fixed 7 of the issues it raised. For its part, EA says Cyberpion did not inform it of all the vulnerabilities it had found, instead asking for an opportunity to "show off their techniques". EA also alleges that Cyberpion did not follow its product security vulnerability disclosure protocol, which contains specific instructions on how to inform EA about potential vulnerabilities in its systems. Hopefully, there won't be any more data breaches like this for EA. We'll keep you posted on this.
How do you feel about EA ignoring these cybersecurity issues? Let us know in the comments below!