
EA refuses to pay ransom to hackers; data now leaked in full

One of the most significant data breach incidents of 2021 so far saw gaming giant Electronic Arts (EA) fall victim to a cyberattack in June.

Interestingly, while millions of people worldwide have accounts with EA to play various games, the attackers didn’t steal personal data. Instead, the hackers stole the source code to the FIFA 21 video game, the Frostbite engine (which powers FIFA and the Battlefield game series) and other development tools.

This attack came just a month after Titanfall 2, published by EA, suffered a Distributed Denial of Service (DDoS) attack from which it has only just fully recovered.

What happened following the EA hack?

EA quickly made clear it had no intention of paying a ransom for the stolen data to be returned. Shortly afterwards, the hackers behind the attack started to make code available on the dark web while trying to sell the entire cache of data for $28 million.

The cybercriminals behind the attack were reportedly hoping that making code available would pressure EA into caving in and paying the ransom. However, once it became clear this strategy wasn’t going to bear fruit, the hackers dumped everything – totalling 780GB of data – on a cybercrime forum.

Why didn’t EA pay the ransom?

First, we don’t know what EA’s internal policy is around paying cybercriminals. It may be that the company has a blanket policy not to engage with and pay cybercriminals at all.

Another possible reason is that the data stolen isn’t all that valuable, at least in a way that would concern EA.

For example, no reputable gaming development company will use the data to help create its own new releases. Furthermore, it is almost impossible that EA wouldn’t back up its data and code elsewhere. Finally, you would need a particular skill set to be able to do anything with the data. But even if you did build an impressive video game, you’d have plenty of questions to answer about how you came to own the tools to do so.

Most of the time, it is personal details that are of the most significant value to cybercriminals. As no personal data was stolen, and the data is apparently of little value to EA, there’s no value to those who stole it in keeping hold of it.

How did the attack occur?

This might be of more significant concern to EA.

The hackers have, somewhat uniquely, been open about how they gained access to the data.

First, the hackers purchased authentication cookies allowing them to access an internal EA channel on the Slack messaging app. Then, once they’d gained access, they posed as a logged-in employee and were able to trick EA’s IT team into granting them access to company systems.

Simple, straightforward, and 780GB of data stolen at the drop of a hat.

What have EA said about the attack?

An EA spokesperson told The Verge, which reported on the attack back in June, that no user data was compromised, that EA had improved security systems and protocols, and that there was not expected to be any impact on future EA game development or the business as a whole.

While EA didn’t go into detail about what was stolen, their spokesperson described it as “a limited amount of game source code and related tools.” EA also retained access to all its systems and capabilities, so this wasn’t a ransomware attack in the traditional sense.

Is my personal data held by EA at risk?

Not as a result of this attack. On this occasion, the hackers were explicitly looking to acquire source code. While they got what they wanted, they failed to get any money out of EA and weren’t successful in selling any stolen code, hence it being dumped online.

