There are certain services we pay for, both in our personal lives and in business, “just in case”. We rarely think about these services after we buy them, knowing we’ll call on them only in highly unlikely “what-if?” scenarios. Car insurance and workers’ compensation coverage, for example, both serve as protectors against “what-if?”
Other important examples include data backup, disaster recovery and corporate endpoint security. Each can act as a 24/7 failsafe against losing your company’s mission-critical data.
And if your company — or any of your clients, if you’re a technology reseller — still hasn’t deployed backup, DR and mobile device management solutions companywide, the recent news about Pokémon GO should provide a valuable reminder to make implementing those services a company priority.
If you haven’t heard, news broke recently that the company behind Pokémon GO, Niantic, was addressing a security vulnerability that left players’ Google cloud data at risk.
Here’s what happened.
To play Pokémon GO, users log in with their Google account information. (Niantic was formed as a Google startup, funded and incubated by Google before being spun off in 2015.) And although few noticed, iOS device users were apparently agreeing under the terms of the game to grant Niantic “full access” to all of their Google cloud data. Of course, users rarely read the T&C’s of these agreements in as much detail as the IT Security guy would like – if they read them at all.
That frightening notion meant a user signing in to Pokémon GO on an iPhone was in effect allowing Niantic — and any hackers able to penetrate the company’s network and servers — to view, download, alter or delete their Gmail messages, their Google Calendar, all of their files in Google Drive, even their Google browsing and map histories. It is very unlikely that this was anyone’s conscious intent.
More frightening still, as cyber security experts warned, in many cases Pokémon GO users play the game on company-issued mobile devices, or keep company data in their own Google clouds. This meant that in the event of a hack, all of this corporate data could be at risk — and all from employees innocently playing a game on their mobile devices.
Making matters worse, hackers actually did manage to penetrate Niantic’s systems. As PC Magazine recently reported, a group of hackers claimed responsibility for a breach that took the game’s servers down.
Good news for Pokémon GO players — but a reminder that data threats can come from anywhere, and to let the pros protect your clients and company.
Fortunately, it appears that neither of these nightmare scenarios materialized.
First, a subsequent review of the “full access” vulnerability — confirmed by independent security audits — determined that Pokémon GO players’ data was never truly at risk. Yes, the terms stated the company could access all of a user’s Google data, but this seems to have stemmed from an outdated version of Google’s sign-in system. Both Google and Niantic have stated they never intended to access any of this data, and Niantic itself has now fixed the issue with its game’s sign-on process.
The second bit of good news is that the hack of Niantic’s systems seems to have been more about hackers showing off than a malicious attack on the gaming company or its players.
As the PC Magazine article explains, a representative of the hacking collective (known as OurMine) actually stated that the group would stop its attack if Niantic’s management would speak with them, promising that “we will teach them how to protect their servers.” Say this for hackers — they’re great with irony.
The Pokémon GO episode also reminds us of the need to be vigilant — because even the major cloud players’ networks can be hacked.
It’s also worth noting that both of these missteps — the overstep in requiring users to grant “full access” to their personal cloud data, and a successful hack on the world’s most popular mobile game — happened to Google, not to mention its shining protégé, Niantic.
These companies represent some of the most sophisticated minds in the cloud technology business — and they let a gaping data vulnerability potentially expose their customers’ most sensitive information.
What this means for your company: time for cloud backup, disaster recovery and endpoint security.
The Pokémon GO incident can also serve as the catalyst to make cloud data backup and mobile device management top priorities for your company — or for your clients, if you’re a technology reseller.
We started this discussion focusing on “what-if” scenarios. So in light of this Pokémon GO story, here are a few “what-ifs” to consider:
What if Niantic hadn’t discovered and fixed the flaw in its sign-on process, and the system continued to be able to access and alter the Google data of every Pokémon GO player?
What if your employees were among the millions of users playing the game? And what if they were playing it on company-issued iPhones, or even just using their personal Google Drive accounts to collaborate on sensitive company documents with colleagues?
And what if those hackers weren’t simply trying to prove they could bring down Pokémon GO around the world? What if they were looking for corporate data to steal, or to commit a ransomware attack?
Would you have been prepared?
Contact us or one of our Partners to learn how we can protect your data — 24/7/365.
Resellers, join our Partner Program to help your clients better protect their data, systems and network infrastructure.
Because sometimes, “what-if” actually becomes “What now?!”
Channel Marketing, KeepItSafe