Weekly podcast: Epic Games, Ashley Madison and Jimmy Wales

This week we discuss the Epic Games data breach, Ashley Madison’s woeful security, and an exaggerated report about Jimmy Wales’s death.

Hello and welcome to the IT Governance podcast for Friday, 26th August. Here are this week’s stories.

Epic Games has suffered a data breach, in which more than 800,000 registered users’ information was stolen. According to ZDNet, criminal hackers “exploited a known SQL injection vulnerability [to acquire] usernames, scrambled passwords, email addresses, IP addresses, birthdates, join dates, their full history of posts and comments including private messages, and other user activity data”.

A statement from the company said: “We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext. […] Also, we believe a compromise of our legacy forums covering Infinity Blade, UDK, previous Unreal Tournament games, and archived Gears of War forums revealed email addresses, salted hashed passwords and other data entered into the forums. If you have been active on these forums since July 2015, we recommend you change your password on any site where you use the same password.”

The last time Epic Games’ forums were shut down by hackers was just over a year ago.

It’s also just over a year since ‘adult dating’ site Ashley Madison was hacked by the person or group going by the name of ‘The Impact Team’ and some 36 million users’ account details were dumped online.

Now, a joint report from the Canadian and Australian privacy commissioners has found that the company breached both countries’ privacy laws. The report states that “Although ALM [that’s Ashley Madison’s parent company, Avid Life Media, which has since rebranded itself Ruby Corp for some reason]… Although ALM had a range of personal information security protections in place, it did not have an adequate overarching information security framework within which it assessed the adequacy of its information security.”

It also says: “Organizations holding sensitive personal information or a significant amount of personal information, as was the case here, should have information security measures including, but not limited to:

  • a security policy(cies);
  • an explicit risk management process that addresses information security matters, drawing on adequate expertise; and
  • adequate privacy and security training for all staff.”

All of those recommendations are covered by the international standard for information security management, ISO 27001 – which is why we recommend it to our clients.

When Wikipedia founder Jimmy Wales’s Twitter account announced his death last weekend, shortly followed by the statement that “Wikipedia is all lies, OurMine is the true”, it was pretty obvious that the account had been hacked. In a blog post, hacking group OurMine claimed responsibility, taking the opportunity to advertise its services: “Today, our team hacked Jimmy Wales, Wikipedia founder,” it said. “You can also check or upgrade your accounts security by buying our services.” The next day, the offending tweets were deleted, and Wales tweeted “I’m (obviously) OK, and tweeting back to normal.” If you want to better secure your online accounts, remember never to reuse passwords, and to use two-factor authentication wherever possible.

Well, that’s it for this week. As ever, please feel free to comment below, telling us a bit about yourself and what you’d like more information on and we’ll do our best to answer in the coming weeks. Until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.