Earlier this week, the maker behind Magic: The Gathering suffered a massive data breach that exposed the data of over 452,000 players, as reported by TechCrunch. The game’s maker, Wizards of the Coast, confirmed the breach affected players of MTG Arena and Magic Online.
Magic: The Gathering, also known as Magic cards or simply Magic, was the first trading card game, released in 1993 by Wizards of the Coast, which is now a subsidiary of Hasbro. There were over 20 billion Magic cards in the market as of 2016.
The company sent out an email to users alerting them to a security breach that allegedly occurred on November 14, after a “decommissioned” internal database was accidentally exposed. The database file, according to the Washington-based game maker, was “from a decommissioned website that had inadvertently been made accessible outside the company.”
“We removed the database file from our server and commenced an investigation to determine the scope of the incident,” Bruce Dugan, a spokesperson for the game developer, told TechCrunch.
Pursuant to Europe’s GDPR privacy law, the company is required to notify data protection authorities about the exposure. The EU’s General Data Protection Regulation (GDPR) went into effect in May 2018. It requires data “controllers” and “processors” that collect, use, or process the personal data of EU data subjects to disclose how the information they collect is processed and used.
Under the regulation, the EU authorities are able to impose fines of up to four percent (4%) of companies’ global annual revenue.
Dugan went on to explain that, as an extra precaution, the company notified the players whose information was contained in the database and required them to reset their passwords on the company’s current system.
“We believe this was an isolated incident related to a legacy database and is unrelated to our current systems. Based on our current investigation, we have no reason to believe that any malicious use has been made of the data,” Wizards of the Coast said in the email.
The database file contained the first and last name, email address, and passwords of 452,634 players of MTG Arena and Magic Online, plus an additional 470 email addresses linked to the game developer’s employees.
While the passwords were cryptographically secured, the database file itself was not encrypted, which is puzzling and extremely troubling. According to TechCrunch’s investigation, the user accounts date back to as early as 2012, while the most recent accounts dated to last year.
My question is why any such file could be left unprotected, regardless of whether it was on a decommissioned system, because clearly, it was still “readily accessible” to someone to be “accidentally” released—if that was the actual story.
TechCrunch did not get a response from Wizards of the Coast, but it did speak with Harriet Lester, director of research and development at the U.K. cybersecurity firm Fidus Information Security.
“Our research team work continuously, looking for misconfigurations such as this to alert companies as soon as possible to avoid the data falling into the wrong hands. It’s our small way of helping make the internet a safer place,” she told TechCrunch.
But my concern seems to resonate with Lester’s concern about the nature surrounding the breach—why wasn’t the data encrypted, especially with respect to the size and sensitivity of the information contained therein?
“It’s surprising in this day and age that misconfigurations and lack of basic security hygiene still exist on this scale, especially when referring to such large companies with a userbase of over 450,000 accounts,” Lester told TechCrunch.
And rightfully so. Digital hygiene is imperative today and should be nothing short of corporate common sense. What we are seeing from just the past three years alone is a reckless disregard for the nature and security of customer and user information.