What Blizzard Doesn't Want You To Know - Part 3

Posted by Daeity On Saturday, July 10, 2010

Argument #2: Blizzard is required by federal and state law to notify of data breaches.

This was a pretty common reply actually and I was a little bit surprised that people believed this. A quick investigation would have revealed the truth. But that's what this series is all about: awareness.

You see, data breach laws vary from state to state and some states don't even have legislation at the moment.

There are also no federal laws that regulate data breach notification. However, there are some that regulate the type of information that can be collected and the levels of security recommended (really it's just helpful guidance). Since data breach laws in the US vary from state to state (if a state has a law at all), each law may be drastically different in regards to what is classified as a breach, fines, reporting, what needs to be notified, who is notified, governing bodies, etc. As you can imagine, some state laws are more flexible than others. And that's only if the data is physically located in the US.

Consider the number of corporations that outsource or offshore their operations overseas. Due to their location, they are under no obligation to report any data breaches that may occur. Here are some companies that outsource/offshore by the way: IBM, Microsoft, Oracle, Cisco, HP, Dell, Gateway, AT&T Wireless, Telus, Bell Canada, GE, and wait for it.. Blizzard.

Under current CA State Law, Blizzard would typically only need to notify the single person affected (no mass announcements) and that's only if they confirm without a doubt that the individual's information was indeed breached. HOWEVER, Blizzard is under no obligation or law that requires them to notify anyone.

The most important data breach component is the “trigger mechanism”. In California, the obligation to notify an individual of a security breach is triggered in the likelihood that the breach will result in a “serious harm” or involves a “serious risk”. The threshold of “serious harm” or “serious risk” is an external determination.

It is the internal organization itself, however, that determines what constitutes a “serious harm” or “serious risk”. There is no external body that performs this function. Additionally, there is no requirement to report to an overseeing body, nor is there any sanction for failing to notify individuals of a security breach.

These risk assessments are determined internally, and there is no external body or even the requirement to report to said external body. A WoW Account being stolen would not be classified under "serious harm" or "serious risk" for the individual involved. Hence, Blizzard is exempt from data breach notifications. Even credit card theft would not be a trigger due to the low risk involved to the victim (unlike healthcare information.)

Data breach notification laws were primarily focused on the health care industry, government and educational sectors. There are other private organizations that report breaches, but it all depends on the type of data they keep. If you're interested in data breach announcements, check out Google.com/News -> Search for "data breach".

Now, if something very bad were to happen, then yes - a large announcement would be made. The information would leak eventually, so it's in the corporation's best interest, as it would look very bad if they tried to hide the fact that some 200,000 accounts were breached. However, 50-200 account breaches per week is negligible, and an official announcement is unnecessary and not required by law.

To summarize, under existing law Blizzard is under no obligation to alert the public, or even the individuals themselves, in the event of an internal or external account breach.

(Other Sources: Senate Bill 1386, Senate Bill 1166, Federal Information Security and Data Breach Notification Laws, Do Data Breach Disclosure Laws Reduce Identity Theft?)

Addendum:

These sources also provided some interesting information on the subject of data breaches (identity theft) and a comparison of keylogging/phishing versus internal theft.

Identity Theft Causes (Internal Employee vs. External Keyloggers/Phishing/etc) From 3 Different Research Groups


I received some really good feedback from the Reddit community from my post there. Here were the strongest arguments available and I'll go through each of them:

  • There is no increase in hacking of WoW accounts. Here's your tinfoil hat.
  • Blizzard is required by federal and state law to notify everyone of any such breach. Since there have been no notifications, no breaches have occurred.
  • Blizzard's systems are foolproof, it's impossible to compromise their database. They have layers and layers of security.
  • Blizzard does not employ fraud specialists or fraud managers: "I see a blog hosted on a free site with one post that seems to be trying to make some kind of conspiracy theory about Blizzard recently having a job listing up for a 'fraud manager'."

(The point of my first post was simply to convey awareness of the types of jobs/careers at Blizzard (all public information) and the subsequent success and effectiveness of Blizzard's reputation management (ie, "Blizzard indoctrination of users"). Users should not always be blamed for their accounts being hacked - I just want to make it clear that it's not always the user's fault. There are a lot of factors that the general public is not aware of.)

Argument #1: There is no increase in hacking.

I haven't been able to find any official and clear announcements that confirm that there is no increase in hacking incidents. (Not that there ever will be any official statements from Blizzard.)

However, there are a lot of users claiming that Blizzard has confirmed multiple times that there has been no increase. (See "Blizzard indoctrination".)

There are plenty of blue posts that redirect the issue however - e.g. "We take these matters seriously. Please check your own PC. etc. etc." All of the responses are in accordance with their internal company policy (ie, kept as ambiguous as possible so as not to confirm or deny anything.) For example, they're not saying for a fact your computer is infected with keyloggers, but you should check your security anyways. =]

Just like any good business, Blizzard maintains internal records of ongoing investigations and issues. There are internal statistics that would show hacking/fraud trends, but this information will never be released by Blizzard - it's private and confidential. Why would they release this information and hurt their reputation and business?

Fortunately, there are other methods of obtaining data and trends. Consider this, what's the first thing an average user does when their account has been hacked?

They probably call Blizzard, post on their forums, but definitely do a Google search for available solutions.

Blizzard support lines are down due to severe load and WoW Forum posts do indicate an upwards trend (and questioning of this trend) of account hacking over the past few months.

But let's see what the pinnacle of human-behavior-tracking (Google) has to say:


WOW!!

That's some spike in the number WoW accounts being hacked.. and coincidentally, all within the same timeframe as mentioned by users on the forums. Google Trends/Insight can provide a great wealth of information, and in this case, has shown significant growth (an explosion if you will) of compromised accounts within the past few months.

What could possibly account for this quantity of accounts being compromised simultaneously, when there has been increased education and security of users' PCs/accounts, and yet no change in account hacking trends?

To also show that the increase in hacked WoW accounts is not directly related to growth in subscription counts (ie, user base), here's a chart that shows total WoW subscriptions from 2004 to June 2010:

(Sources: IB Times, MMOGChart, WoW Trends)

As you can see, WoW hacking incidents have increased while subscription levels have actually decreased or remained steady.

Does this not confirm that there is actually an upwards trend in hacking activities?

  1. Total number of players is decreasing.
  2. Increased education of users (security, scams, etc.)
  3. Increased security measures and new detection tools.
  4. Total number of hacking incidents is increasing.

Additional Notes:

Note the frequency of Blizzard's announcements regarding their customer base. They used to make an announcement quite regularly with each surge, but it's completely stopped for over a year now.

Although the authenticator is not flawless (man-in-the-middle attacks), I would recommend that everyone get one. An added layer of authentication is highly valuable, and significantly increases the security of your account.

* UPDATE:

I received a comment from Ty (****bluc@yahoo.com) who writes:

"My account was recently hacked for the first time, as well as a friend that had not played in months. When I called Blizz support, they did indicate that it may take some time to restore due to an increase in the volume of hacked accounts, recently."

So, there's another: Blizzard Support also states that there has been an increase in volume of hacked accounts.

* UPDATE:

In the original Reddit post, a user named "nattylife" even claimed that they worked for Blizzard and yet the individual has never heard of any security breaches within Blizzard. Really? There have been many breaches that have occurred in the past. These are just the ones that made it public and some news items Blizzard has issued C&D's for. And yet they've been completely oblivious to all of this? Does that mean that most Customer Support staff have no insight into Blizzard's internal security issues? It seems so, and I have also confirmed this from other sources.

Keep in mind, too, that a LOT of Blizzard's customer support is outsourced to call centers where information of this nature is unavailable.

Some of the feedback I received on Reddit (as you can see yourself) was a little disappointing. Unfortunately, this is a VERY COMMON issue on Reddit, where most users simply read the subject line and the first paragraph, and then say "WRONG!" without ever providing supporting evidence or research.

What Blizzard Doesn't Want You To Know - Part 1

Posted by Daeity On Thursday, July 8, 2010

Over the past several weeks, there has been an exponential explosion of WoW Account Hacking. Thousands of accounts that haven't been active for years are suddenly being logged into, with Unauthorized Authenticators attached to their accounts, while items and characters are being stripped down to gold and deleted. Even live accounts are being stolen from users who have ample security measures in place or are even IT/Security specialists themselves.

Blizzard's phone support has not been available for weeks at a time ("Sorry, call back later.") as well.

There are outcries from victims on WoW Forums, but I found it strange that in almost all cases the victim was being blamed for the issue occurring. All of the haters (whose accounts were perfectly fine mind you) were blaming the victim for not securing their PCs or not protecting their account properly.

Yes, this does happen.. but there are other ways accounts (just like credit cards) can be compromised that have nothing to do with the victim, their surfing habits, or their PC. What was strange about this specific case is that there were a lot of unanswered questions about this particular "explosion" of account thefts.. why was it happening to really old accounts without authenticators? Why such a large amount in such a short time?

But then I noticed something strange happening. Forum posts that were asking too many questions or ones where the user had absolute confidence in the security of their system were suddenly being deleted or locked. Specific posts were being targeted and deleted (e.g. victim confirms no keyloggers or phishing attempts, or they blame Blizzard for the issue), while the posts where the victim was being blamed for the issue were being left behind.

My suspicion was confirmed when someone posted a link on the WoW forums to one of my old lurking grounds: Blizzard is having major problems right now: Account Database has been breached, thousands of accounts impacted so far.

Funny.. I remember Reddit for having intelligent and playful conversation, but overall grounded in common sense. Something had changed though since I was last there and many comments were simply divorced from reality. They regurgitated the same old crap that I saw on the WoW Forums - "It's your own fault for not securing your PC." It's as if sanity was thrown out the window and they were brainwashed.

But it actually made perfect sense! And here's why:

Corporations are all the same (you'll know this if you've ever worked in one.) Blizzard is a corporation just like all of the others, they have internal squabbles, power plays, brown nosing, office politics, HR issues, sexual harassment, fraud/theft, etc. Every corporation goes through this, the bigger they are the more issues they have.

Note: Check out Glassdoor.com & Jobvent.com Blizzard Entertainment reviews if you want to hear from the employees themselves.

And what you probably already (should) know is that Blizzard works very hard and spends millions of dollars to control company perception. They're religious zealots when it comes to reputation management and they are so successful, in fact, that most gamers live under the impression that Blizzard is a mystical entity that's completely immune from problems. Not many companies can pull this off.

What people forget is that Blizzard employs (just like everyone else) Human Resources personnel, security, IT Security, and Fraud Specialists whose specific duties are to monitor and investigate internal employees for credit card theft and user account fraud (ie, unauthorized access to users' account details).

Understand that it can be quite difficult (almost impossible) for email/phone Customer Support, CS Forum Representatives, and GMs to access information. However, it can be quite easy (depending on skill level) for IT Support Staff, Database Administrators, Finance/Billing to access billing and gaming account information if they were so inclined.

You can learn a lot about a company by the careers/jobs that they offer! =]

Now, Blizzard's official policy has always been to just say "Check your home PC for security holes, that's where the problem is." But this script always reminds me of calling Technical Support and is a good demonstration of what separates user reactions in response to Blizzard versus other service providers.

For example, if you were to call Gateway/Dell/HP about computer hardware issues they'll ask if you changed any settings or installed new software, and ultimately try to blame the issue on you or forward you to another manufacturer. You don't buy it though, you know who is truly responsible and realize that they're just feeding you a line.

However, Blizzard indoctrination is so incredibly successful that when Blizzard Support tells you your account was hacked because of you, you completely believe them, blame yourself, panic about the security measures protecting your PC ("MS Security Essentials must not be enough!") and ultimately change all of your account passwords. Not only that, but you also get to suffer additional blame from the WoW forums and your online friends.

I actually admire Blizzard for this, they're doing a truly fantastic job! (I really mean this, their processes are as polished as their games.)

It's well known that Blizzard's internal organization and structure is kept hidden from the public eye, and corporate perception is controlled in news postings, employee policy, and heavily moderated forum posts. But, it's as if no one knows that Blizzard employs FRAUD SPECIALISTS for the specific task of investigating their own employees who steal credit card information and steal/sell accounts (which can be done in large quantities too.) That should be a big hint right there!

So let's review:

  • Blizzard employs Fraud Specialists whose responsibilities include monitoring internal staff for account and credit card theft.
  • Thousands of accounts have suddenly been hacked with Unauthorized Authenticators attached.
  • Many of the accounts hacked haven't been active in months/years. Users confirm that their computers are perfectly secured. In some cases, the users were security or IT specialists - well aware of the associated dangers and how to protect themselves.
  • Forum posts are being deleted that denounce Blizzard, forum posts are being "promoted" that blame the user.
  • Blizzard's response to all hacking incidents is for the victim to check and secure their PC.

You do the math.

Now, I'm not saying that all of these account hacking incidents were a result of internal theft, but at least be OPEN to the possibility that it's not always the user's fault. (I know I keep re-emphasizing this... but they employ freaking FRAUD SPECIALISTS who investigate their own employees! It was on their career board!)

That's all I'm saying. They're employed for a reason.

It's typically a very small number of employees who engage in these types of activities and there are several methods to gain access to user accounts or credit card information.

Internally, it would be very easy to gain access to a large quantity of accounts depending on their skill level. I'd love to see their HR records and statistics regarding internal investigations, theft/fraud, etc. but like all other businesses, this type of information will never see the light of day. It happens in all businesses and as the economy falters, employee theft will be on the rise. I suspect that internal investigations can be rather challenging as well and difficult to prove.

Note: The reason I'm saying that it "WAS" on their career board was because shortly after my Reddit post talking about the Fraud Specialist positions at Blizzard, the job postings were suddenly removed from several job boards across the interwebs and even from the Blizzard Careers page itself. Coincidence? Maybe. But if you're interested, check out the Google cached pages for "Fraud Manager" or "Fraud Specialist".

Blizzard's new "Real ID" system has also now been announced. This will be a really good distraction from the ongoing account hacking issues that are currently taking place. That's probably an actual coincidence though, as it's been planned for a while. =]