With the emergence of new technology and interconnectedness, organizations have become increasingly susceptible to cyberattacks and internet penetration. In a recent incident, Roblox, a leading gaming platform, was breached through a complex phishing and social engineering attack. As a result, an archive of internal documents was stolen and used for extortion.
According to Roblox, the publication of documents is part of an extortion effort against the organization. Findings indicate the hacker successfully released confidential documents containing sensitive information about the platform’s most popular games and creators. In some cases, documents included individuals’ personal identifiable information.
Roblox is a leading gaming competitor, bolstering $68 billion in market value. However, it still managed to remain defenseless against hacker exfiltration. This incident serves as a reminder that any organization is susceptible to data breaches, regardless of its stature, size, or number of preventable measures in place.
With the ecosystem of hackers and cybercriminals continuing to evolve, companies must remain proactive in mitigating the potential risk of cyberattacks. Through education, visibility, and data security metric integration, organizations can become vigilant in preventing future breaches.
In response to this incident, several tech leaders have gathered to discuss how organizations can protect against future cyberattacks.
Paul Farrington, chief product officer, Glasswall
“This latest incident reminds organisations that without a proper understanding of online privacy risks, they can be left defenceless against hackers. Interestingly, according to the Verizon 2022 Data Breach Investigations Report, phishing attacks were behind 20% of data breaches.
The solution to fending off cyberattacks like this at both an individual and company level is twofold: training and technology. Training will arm employees to be alert to risks and follow best practices. This can be as simple as using strong passwords and multi-factor authentication, not opening links and/or attachments from unfamiliar sources, and using anti-virus software. In the case of Roblox, adversaries successfully used social engineering and phishing to access internal systems and leak documents for extortion leverage.
On the technology side, taking a proactive, zero trust (never trust/always verify) approach when it comes to security can not only protect the companies that implement them but their customers as well. Having these measures in place will not only assist with preventing attacks, but it’s also more cost effective and efficient than using employees as an organisation’s first line of defence. By combining training and technology, individual, company, and client data privacy is significantly more achievable for organisations around the globe.”
Neil Jones, director of cybersecurity evangelism, Egnyte
“The alleged cyberattack on gaming platform Roblox reminds us that organizations’ IT security programs are only as strong as their weakest links. Here, we see how advanced social engineering and spear-phishing tactics can lead to exfiltration of sensitive documents and ultimately impact a brand’s reputation. Such focused tactics are much more likely to generate exfiltration payments to cyberattackers because organizational insiders logically have easier access to sensitive data than outsiders do. In addition to general cybersecurity awareness training, anti-phishing education and restricting access to company data based on a user’s “Business Need to Know” are powerful deterrents. Finally, this incident reminds us that cyberattackers are increasingly making claims of attacks—even before all of the details have emerged publicly—to proactively generate payouts from organizations. You need to have a plan in place for that inevitability.”
Amit Shaked, CEO, Laminar
“Visibility into where companies’ data resides – and where it goes – is critical, both on internal networks and in the cloud. In today’s multi-vendor, multi-cloud world, this has become more challenging than ever before. Perimeter defenses will fail at some point – as demonstrated by this Roblox social engineering attack that led to internal document leaks and extortion.
Business leaders must assume adversaries will one day break through. To combat this, data security solutions need to be completely integrated with the cloud in order to identify potential risks and understand their data’s journey. Using the dual approach of visibility and protection, data security teams can know for certain which data stores are valuable targets and ensure proper controls, which allows for quicker discovery of any data leakage.”
Jeannie Warner, director of product marketing, Exabeam
“Many network attack vectors start with a link to a phishing URL. A carefully crafted email containing the malicious link is sent to an unsuspecting employee. As soon as it’s clicked, malware is loaded and the cycle of information loss and damage begins. Any company that houses sensitive data should aim to nip this problem early on by identifying and alerting these malicious links.
There are many public and commercial data providers that offer block- or allow-listing services, or databases for potential phishing domain/URL lookup. However, like any signature-based approach, newly-crafted phishing domains and URLs cannot always be identified this way. New machine learning approaches can flag a suspicious phishing URL previously unknown to malicious list data providers and should be considered by frequently targeted industries, like gaming. Gaming platforms should also have security information and event management (SIEM) with user and entity behavior analytics (UEBA) solutions in place on their networks to ingest all alerts and events, create baseline activity to detect anomalous behavior, and prioritize incident response to help.”
Arti Raman (She/Her), CEO & Founder, Titaniam
“In this recent extortion attack on Roblox, traditional phishing tactics were used to access company systems and leak internal documents. While cybersecurity training for employees and perimeter defenses can help prevent successful social engineering attacks, to truly minimize the risk of potential extortion and minimize the theft of sensitive documents, a data security platform, specifically data-in-use encryption, also referred to as encryption-in-use, is recommended.
“In the last eighteen months, companies have been misled into believing that investing in backup and recovery solutions is the answer to their ransomware woes. Attack and extortion data are proving this to be false over 68% of the time. If companies want to stand up to data-related extortion then data-in-use encryption is the technology of choice for unmatched immunity. Should adversaries gain access to data, by any means, data-in-use encryption keeps the sensitive data encrypted and protected even when it is being actively utilized. This helps neutralize all possible data-related leverage and limits the need for breach disclosure.”