Security Worries for Online Video Game Companies

Fortnite video game developer Epic Games Inc. isn't just dodging digital adversaries — now it's been slammed with a class action lawsuit over a data breach. Lawyers said that, while cyberattacks faced by the video industry aren't unique, hackers are incentivized to strike high-profile games and target their in-game assets.

A lawsuit filed in the U.S. District Court for the Eastern District of North Carolina is based on cybersecurity firm CheckPoint's January announcement that hackers breached Epic Games users' accounts and had access to their passwords, credit and debit card information, and other personally identifiable information.

In the class action suit, Epic Games is accused of failing to provide timely notice of the data breach, not exercising "due care" in the collection, storage and safeguarding of users' information and other accusations. Heidbreder v. Epic Games Inc., 5:2019cv00348.

Colorado law firm Franklin D. Azar & Associates seeks more than $5 million in damages and said there are over 100 class members. Epic Games did not respond to a request for comment when this article was written.

According to CheckPoint, hackers exploited vulnerabilities in Epic Games and sent a phishing link to Fortnite players. Once the link was clicked, the attackers were able to access users' PII and make unauthorized purchases of "v-bucks," Fortnite's virtual currency.

Phishing is a common cyberattack that targets many industries, and such attacks in online video games isn't surprising, lawyers said.

"If we are seeing cybersecurity issues in all industries, from retail to places that you don't think of as focused on the electronic sphere, then it's no surprise it's more concentrated in a new and strongly technology-based industry," said Carlton Fields law associate Nicholas A. Brown.

Indeed, while hackers target data held by any industry, they may be incentivized by some video gamers' lax cybersecurity stance.

"I don't think there's anything absolutely unique to the video game industry, but the nature of the industry and, more importantly, the users and communities they work in makes them very susceptible," said Robert Braun, a Jeffer Mangels Butler & Mitchell partner. "It's a community, and there's a sense that people are comfortable in their community and let down their guard."

Braun said that ease can lead to users reusing passwords across different platforms and malicious code appearing in updated or pirated games. Plus, hackers are motivated to acquire in-game purchases for popular videos. "There are a few things that are common to the gaming industry that makes them a target, and there's a lot of money out there," he said.

Indeed, Fortnite players are also earning and spending big bucks. For instance, a Pennsylvania teenager recently won $3 million in a Fortnite world championship. Meanwhile, some platforms sell 1,000 v-bucks for roughly $10, while Fortnite "skins" (character outfits) can range from 800 to 1,500 v-bucks.

While video game companies and game streaming platforms like Amazon's Twitch or Microsoft's Mixer may pocket significant cash from digital assets bought through their platforms, lawyers warn that they could fall under the Children's Online Privacy Protection Act's (COPPA) scope and face significant penalties for noncompliance.

"I think those platforms, knowing COPPA could apply to them, they only allow certain users to have an account to process and collect their information without having COPPA apply to them," said Carlton Fields associate Steven Blickensderfer. He added: "What you'll find is these organizations are screening and have users that are above a certain age."

Blickensderfer also noted there could be significant penalties if the Federal Trade Commission finds a company isn't COPPA-compliant.

Indeed, earlier this year short-form video platform TikTok agreed to a record $5.7 million settlement for COPPA violations, while Google's YouTube is reportedly being investigated over child privacy claims.

Braun said COPPA's scope also could extend to video game streaming platforms.

"When you have a site like Twitch that is very attractive to young people and someone under 13, I wouldn't see why it wouldn't be covered by COPPA," he said. He noted such platforms aren't immediately liable, but the Federal Trade Commission (FTC) has published steps outlining how to deal with children's information.

While the FTC offers guidance regarding child data privacy, Braun asserted that the online video-game industry's biggest hurdle is balancing cybersecurity and access.

"They have a challenge: It's providing a service that is very open and intended to be open and multiuser," he said. "It makes implementing security a challenge, because the more open a system is the easier it is to gain access."

*****

Victoria Hudgins is a reporter for Legaltech News, an ALM sibling of Entertainment Law & Finance, where she covers national and international legal tech innovations and developments. She can be reached at [email protected].