Posted on

Animal Jam was hacked, and data stolen. Here’s what parents need to know

WildWorks, the gaming company that makes the popular kids game Animal Jam, has confirmed a data breach.

Animal Jam is one of the most popular games for kids, ranking in the top five games in the 9-11 age category in Apple’s App Store in the U.S., according to data provided by App Annie. But while no data breach is ever good news, WildWorks has been more forthcoming about the incident than most companies would be, making it easier for parents to protect both their information and their kids’ data.

Here’s what we know.

WildWorks said in a detailed statement that a hacker stole 46 million Animal Jam records in early October but that it only learned of the breach in November.

The company said someone broke into one of its systems that the company uses for employees to communicate with each other, and accessed a secret key that allowed the hacker to break into the company’s user database. The bad news is that the stolen data is known to be circulating on at least one cybercrime forum, WildWorks said, meaning that malicious hackers may use (or be using) the stolen information.

The stolen data dates back to over the past 10 years, the company said, so former users may still be affected.

Much of the stolen data wasn’t highly sensitive, but the company warned that 32 million of those stolen records had the player’s username, 23.9 million records had the player’s gender, 14.8 million records contained the player’s birth year, and 5.7 million records had the player’s full date of birth.

But, the company did say that the hacker also took 7 million parent email addresses used to manage their kids’ accounts. It also said that 12,653 parent accounts had a parent’s full name and billing address, and 16,131 parent accounts had a parent’s name but no billing address.

Besides the billing address, the company said no other billing data — such as financial information — was stolen.

WildWorks also said that the hacker also stole player’s passwords, prompting the company to reset every player’s password. (If you can’t log in, that’s probably why. Check your email for a link to reset your password.) WildWorks didn’t say how it scrambled passwords, which leaves open the possibility that they could be unscrambled and potentially used to break into other accounts that have the same password as used on Animal Jam. That’s why it’s so important to use unique passwords for each site or service you use, and use a password manager to store your passwords safely.

The company said it was sharing information about the breach with the FBI and other law enforcement agencies.

So what can parents do?

  • Thankfully the data associated with kids accounts is limited. But parents, if you have used your Animal Jam password on any other website, make sure you change those passwords to strong and unique passwords so that nobody can break into those other accounts.
  • Keep an eye out for scams related to the breach. Malicious hackers like to jump on recent news and events to try to trick victims into turning over more information or money in response to a breach.

Read More

Posted on

Twitter could face its first GDPR penalty within days

European data protection regulators have inched toward an enforcement decision for a Twitter breach that the company publicly disclosed in 2019, after a majority of EU data supervisors agreed to back a draft settlement submitted earlier by Ireland’s Data Protection Commission (DPC).

Twitter disclosed the bug in its ‘Protect your tweets’ feature at the start of last year — saying at the time that some Android users who’d applied its setting to make their tweets non-public may have had their data exposed to the public Internet since as far back as 2014.

A new data protection regime, meanwhile, came into force in the European Union in May 2018 — meaning the 2014-2019 breach falls under the EU’s General Data Protection Regulation (GDPR).

Ireland’s DPC is the lead supervisor authority in the Twitter case but the cross-border nature of its business means all EU data protection agencies have an interest and the ability to make “relevant and reasoned” objections to the draft. Objections to the DPC’s draft decision were duly raised over the summer — triggering a dispute resolution process for cross-border cases set out in the GDPR.

The European Data Protection Board (EDPB), a body which helps coordinate pan-EU regulatory activity, said today it has adopted its first Article 65 decision — referring to the mechanism for settling disagreement between the EU’s patchwork of data supervisors. This means that at least a two-thirds majority of the EU DPAs have backed the settlement.

“On 9 November 2020, the EDPB adopted its binding decision and will shortly notify it formally to the Irish SA,” it wrote in a statement.

Ireland’s deputy commissioner, Graham Doyle, confirmed the EDPB has informed it of an Article 65 decision — but declined to comment further at this stage.

Ireland’s DPC now has up to a month to issue a final decision.

“The Irish SA [supervisory authority] shall adopt its final decision on the basis of the EDPB decision, which will be addressed to the controller, without undue delay and at the latest one month after the EDPB has notified its decision,” the EDPB statement adds.

Details of any penalties Twitter may face — such as a fine — have not yet been confirmed. But the end of the process is now in sight.

GDPR places a legal obligation on data controllers to adequately protect personal data. Financial penalties for violations of the framework can scale up to 4% of a company’s annual global turnover. (Although, in the case of big tech, the largest GDPR fine to date remains a $57M fine slapped on Google by France’s CNIL.)

Unlike that Google case — which CNIL pursued ahead of Google moving its EU legal base to Ireland — the Twitter case is cross-border and will be the first such big tech GDPR case to be concluded once a final decision is out.

The EU’s flagship data protection regulation continues to face criticism over how long it’s taking for cases and complaints to be investigated and decisions issued — especially those related to big tech.

Last year the Irish regulator said its first cross-border GDPR decisions would be coming “early” in 2020. In the event its first one will arrive before the end of 2020 — but that’s a pace that’s unlikely to silence critics who argue EU regulators are not equipped for the complex, resource-intensive task of overseeing how big tech handles people’s data.

The Twitter breach case is also likely to be considerably less complex than some of the complaint-based GDPR investigations ongoing into big tech platforms — which include probes around the legal bases for Facebook to process user data and how Google’s ad exchange is using Internet users’ data. Yet the EDPB still allowed for a full extra month to the Article 65 process (instead of the default one month) because of what it described as “the complexity of the subject matter”. That hardly bodes well for more contentious cases.

Still, going through dispute resolution over cross-border cases may lead to greater consistency and help DPAs pick up enforcement pace over time.

The UK’s ICO looks like a bit of a cautionary tale in this regard — having recently taken the clippers to massive preliminary fines it announced in a couple of (non-big tech GDPR) data breach cases, meaning enforcement ended up being both later and less stinging than it had first appeared.

Despite critics’ claims that GDPR enforcement continues to be lacking in places where it should be hard-hitting, the question of how to effectively regulate big tech is one that EU lawmakers aren’t backing away from.

On the contrary, the Commission is set to lay out a legislative proposal next month to apply ex ante rules to dominant Internet platforms as part of a planned Digital Markets Act. Under the plans, so-called ‘gatekeepers’ will to be subject to a list of ‘dos and don’ts’ that’s slated to include controls on how they can share data. It could also could see a push to create a pan-EU regulator to oversee major platforms. 

Such an approach could help to reduce the oversight burden facing a handful of EU DPAs with an outsized number of big tech giants on their books, such as the Irish DPC. But, again, there’s likely to be a long wait ahead before any new EU platform rules are in a position to be effectively enforced. 

Read More

Posted on

Fragomen, a law firm used by Google, confirms data breach

Immigration law firm Fragomen, Del Rey, Bernsen & Loewy has confirmed a data breach involving the personal information of current and former Google employees.

The New York-based law firm provides companies with employment verification screening services to determine if employees are eligible and authorized to work in the United States.

Every company operating in the United States is required to maintain a Form I-9 file on every employee to ensure that they are legally allowed to work and not subject to more restrictive immigration rules. But Form I-9 files can contain a ton of sensitive information, including government documents like passports, ID cards and driver’s licenses, and other personally identifiable data, making them a target for hackers and identity thieves.

But the law firm said it discovered last month that an unauthorized third-party accessed a file containing personal information on a “limited number” of current and former Google employees.

In a notice with the California attorney general’s office, Fragomen did not say what kind of data was accessed or how many Google employees were affected. Companies with more than 500 California residents affected by a breach are required to submit a notice with the state’s attorney general’s office.

Michael McNamara, a spokesperson for Fragomen, declined to say how many Google employees were affected by the breach.

A spokesperson for Google did not respond to a request for comment.

Read More