In February 2023, Activision, the creator of “Call of Duty,” disclosed that attackers had tricked an HR employee through a phishing attack. Following the attack, the employee shared sensitive employee data as well as valuable information about the game’s plans for the upcoming year. The exfiltrated employee information included names, email addresses, phone numbers, salaries, and work locations. The leaked game information included release dates, marketing plans, and even gameplay details.
Such a breach could have far-reaching consequences for Activision. First and foremost, the leaked information can be used by the competition to gain a marketing and product advantage over Activision. In addition, the leaked information could be used to disrupt the games themselves and affect the players.
But the repercussions go beyond the immediate impact on the game and the gamers. The breach could cause long-standing damage to Activision’s reputation for protecting its players, employees and systems, and create a negative perception of the robustness of its network. For the employees, their leaked personal information could be used for identity theft or social engineering.
How Automated Least Privilege Could Have Helped Prevent This Attack
The human factor is often involved in cyber security attacks, since humans are wired to trust each other and share information. Attackers exploit these traits through methods like phishing, as was the case here. Automated least privilege can help by addressing the network vulnerability (not the human vulnerability): it limits the access users have to sensitive data.
The principle of least privilege minimizes the scope of resources users have access to. JIT (Just-in-Time) access is a subset of the principle of least privilege, minimizing the amount of time users can access these resources. With JIT access, employees gain access to resources only for the time they need to perform their jobs.
With JIT access, even if attackers are able to trick an employee, the employee will not be able to access valuable information. This guardrail prevents the employee from accessing the data and ensures it is not exfiltrated. By automating the process, the organization can ensure the employee does not have access when they do not need it, reducing the risk of a manual error that could result in long-standing permissions and, consequently, a data breach.
In addition, automated least privilege provides centralized entitlement visibility, which lets IT and security teams see who can access which resources. With this visibility, they can make informed decisions about granting and limiting access, which helps ensure employees only have access to the resources they need. In this case, perhaps an HR employee does not need long-standing access to game plans.
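The sketch below is an added example, not code from Activision or from any product: it models the JIT access and entitlement visibility described above with a hypothetical in-memory `AccessBroker`. The user name, resource names and timestamps are constructed, and it shows what a tricked account can reach with standing grants versus time-boxed ones.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    expires: Optional[datetime]  # None means a standing grant that never lapses

class AccessBroker:
    """Hypothetical entitlement store; every check is made against the clock."""
    def __init__(self):
        self.grants = []

    def grant_standing(self, user, resource):
        self.grants.append(Grant(user, resource, None))

    def grant_jit(self, user, resource, now, minutes):
        self.grants.append(Grant(user, resource, now + timedelta(minutes=minutes)))

    def reachable(self, user, now):
        """Resources the account can open at `now`, i.e. what a tricked user exposes."""
        return sorted({g.resource for g in self.grants
                       if g.user == user and (g.expires is None or now < g.expires)})

    def standing_report(self):
        """Entitlement view for reviewers: every grant that has no expiry."""
        return sorted((g.user, g.resource) for g in self.grants if g.expires is None)

    def convert_to_jit(self, user, resource, now, minutes):
        """Replace a standing grant with a time-boxed one."""
        self.grants = [g for g in self.grants
                       if not (g.user == user and g.resource == resource
                               and g.expires is None)]
        self.grant_jit(user, resource, now, minutes)

def demo():
    nine = datetime(2024, 1, 8, 9, 0)      # constructed timestamps
    phish = datetime(2024, 1, 8, 14, 0)    # the user is tricked five hours later
    broker = AccessBroker()
    broker.grant_standing("hr_user", "hr_records")
    broker.grant_standing("hr_user", "game_plans")   # over-broad standing access
    before = broker.reachable("hr_user", phish)
    flagged = broker.standing_report()
    for resource in ("hr_records", "game_plans"):
        broker.convert_to_jit("hr_user", resource, nine, 30)
    during = broker.reachable("hr_user", nine + timedelta(minutes=10))
    after = broker.reachable("hr_user", phish)
    return before, flagged, during, after

if __name__ == "__main__":
    print(demo())
```

Inside the 30-minute window the account still reaches both resources, so JIT shrinks the period of exposure; keeping the window short and tied to a specific task is what limits the damage.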