EA Sports Breach – What You Need to Know
On Thursday, June 10th 2021, video game giants Electronic Arts announced that they were the victims of a targeted hack that saw numerous files get stolen, including the source code for EA Sports FIFA 21 and various internal company tools. The hackers were an unknown group who announced their heist on an underground hacking platform where they explicitly stated that 780 GB of EA Sports data was in their hands.
Electronic Arts are known for publishing a host of high-level games, including Battlefield, FIFA, The Sims, Star Wars and many others, especially annual sports games. The source codes stolen mainly were from the sports division of the company.
What Is a Source Code, and Why Is It so Valuable?
A source code is a readable version of computer software from which the software runs. Usually, it is more understandable than the end version of the software, which is usually in zeros and ones. It can be used to make alterations to software or program. The downloaded and stolen source codes were those used for FIFA 21, as well as the Frostbite engine, which powers dozens of games created by EA.
These can easily be used to create cheat codes or even hacks for the games, or reverse engineer the said games. The hackers behind the data heist quoted $28 million on the dark web as the selling price of the data, including the source codes for FIFA 21 and the Frostbite engine, as well as other developer tools obtained from the hack. They also gave their potential buyers a guarantee that the “full capability of exploiting” EA would be given to them.
The hackers did not upload any source code on their underground platforms, and also declined to reveal the tactics that got them into the EA’s servers when asked for the information. It was revealed that API keys to be used on FIFA 22, Xbox, Sony, Software Development Kits (SDKs), debug tools, and proprietary EA frameworks were also stolen along with the source codes for FIFA 21. According to Vice, screenshots from the online forum were taken by an inside source and used as information.
Implications of This Hack to EA
EA has since tried to downplay the seriousness of the theft, announcing that only a limited amount of game source codes and other tools were stolen. They also went on to assure their customers that no player data was tampered with or touched, and so, the privacy of the players was not breached. In a statement by the EA, the hack reportedly came after a network intrusion, and the hack was not a ransomware attack.
They stated that law enforcement agents and other security experts had been notified of the situation at hand, and are actively investigating what they see as a criminal offence. Earlier this year, CD Projekt Red was a victim of similar data theft, with the source codes for many games including Cyberpunk 2077 and The Witcher 3 eventually being leaked online in June. In November last year, too, the maker of Resident Evil and Street fighter, Capcom was the victim of a ransomware attack that could have revealed private information of over 300,000 people.
It must be understood that EA has been exposed to a major hack, and while the company has attempted to downplay the gravity of the hack, security experts and major players in the security industry have weighed in on the hack. A security awareness advocate at KnowBe4, Erich Kron, was of the opinion that this episode only served to demonstrate the vulnerability of all organisations, including those that use sophisticated technology to data breaches. Kron was critical of the role played by human errors, as these attacks could be a result of carelessness on the part of the employees.
Gurucul CEO Saryu Nayyar implied that the hack could have damning consequences on the organisation, as the information stolen was highly sensitive to the company’s services. He likened it to taking the life of the organisation, stating that the attack could have pronounced effects down the line eventually. Kron advised that organisations should hold regular enlightenment programs for employees, and preventive measures are put in place to aid the security.
While a lot has been made of the futility of the hack and heist, it is important to understand that such a high-level security breach might have brought about dire consequences for the organisation, as was pointed out by the Gurucul CEO. The failure of EA to protect its data may have far-reaching effects on the organisation as there may eventually be a breach of player data, possibly causing problems for the organisation. EA stated emphatically that player data was not accessed this time and that security had immediately been upgraded to prevent a recurrence. The occurrence of such cyber-attacks must not be ignored any longer, especially with the increasing frequency. Firms must put robust measures in place to protect them from falling victim to hackers and cybercriminals.
Written by The Original PC Doctor on 12/07/2021.