This is the fourth article in a series addressing legal issues in the video game and technology sectors. This article looks at cybersecurity issues in both industries within England and Wales.

Background

Cybercrime is a growing threat to all businesses in the UK. The law which governs hacking in England and Wales is the Computer Misuse Act 1990. Since 1990, the development in technology has left the law, and any means for enforcement, completely outdated.

The National Crime Agency (NCA) contains the National Cybercrime Unit (NCCU), the body responsible for policing and enforcing cybercrime. However, at best they can be described as ineffective, and are completely out of their depth when it comes to taking on black-hat hackers, who are implementing increasingly sophisticated methods of attack. The NCCU has had some success, but only engage with the most serious/high-profile offenses. Small businesses are left to fend for themselves and are at the mercy of their cyber-insurance provider. The Information Commissioner’s Office (ICO) is responsible for upholding information rights, predominantly for private individuals.

Cyber breaches also enable other crimes, particularly fraud. This is increasingly common in the workplace. A recently reported case involved a cybercriminal using a live deepfake of the CFO of a company during a video call with an employee, who sent $25,000,000.00 directly to the fraudster’s bank account. Deepfake technology has also been used by cyber criminals to extort victims (this is colloquially referred to as ‘sextortion’). The UK has only recently enacted legislation to deal specifically with this crime in the Criminal Justice Bill, despite the technology being widely used and reported as early as 2018.

Gaming

Companies at all levels across the industry are at risk of cyber threats. On Christmas Day, 2014, a hacking group launched a distributed denial-of-service (“D-DOS”) attack against Xbox Live and the PlayStation Network (the online platforms of the respective consoles).

Currently, the most at risk companies are publishers and developers of mobile games. This is because mobile gaming attracts more ‘casual gamers’ who are also more willing to spend money on in-game purchases, via micro-transactions. The mobile games market has also seen the most growth in players as well as market capitalisation. With growth, there is an increased margin of error when developing, or implementing systems to meet demand. Due to the increased likelihood of errors in coding, mobile game companies are more likely to have unforeseen vulnerabilities.

Ultimately, the users are at the most risk. Their identities may be stolen, and credit card information is at risk of being leaked. Some credit card providers instantly, and intuitively, cancel any card which has a standing order with a company that suffers a cyberattack. For example, American Express cancelled the cards of users who used their card details for their annual Xbox Live subscription as a result of the 2014 Christmas Day D-DOS attack.

Users may also have their in-game items stolen. Massive multiplayer online role-playing games (“MMORPGs”) can have exceptionally rare items available to enhance the gaming experience. Players are willing to pay real money for these items to avoid the hassle of relying on luck/RNG to obtain them in the usual way via gameplay, which usually takes thousands of hours to achieve. For example, in the MMORPG ‘Runescape’ there is a rare item called a ‘3^rd Age Pickaxe,’ available. Players are willing to ‘real world trade’ (i.e. pay in person as opposed to in-game money, which is against the game’s terms of service and therefore a bannable offence) and will pay up to $3,899.99 for one. This means that accounts which have obtained the valuable items are targeted by hackers to steal these items to then trade for real money.

This has led to a rise in two-factor authentication for users to login to their accounts. While seasoned gamers are aware of the cyber threats, the casual gaming users are not (generally). There is therefore a gap in education between the growing audience/customer base. It is now standard practice for games with an online multiplayer element to offer two-factor authentication and to highlight the risks posed to users.

Game companies themselves may be targeted for their intellectual property and held to ransom for payment (almost always a crypto-currency payment). Rockstar Games Inc (“Rockstar”) in America was hacked by a group (among several other tech companies) in September 2022. A teenager from Oxford who was a member of the group, managed to hack Rockstar from a Travelodge Hotel with an Amazon Firestick, his mobile phone, and the hotel’s television in order to successfully leak various clips online. Rockstar claimed the hack and the subsequent leak cost them $5,000,000.00 and thousands of staff hours.

Technology

Deloitte described the ‘high-tech sector’ as “ground zero for cyber-attacks”. This is usually because the software/tech being created is at the cutting edge of development. This, therefore, means there is a higher chance that there will be faults/flaws/bugs in the software which can be easily exploited. As noted above, the hacking group that targeted Rockstar also targeted several other tech giants, causing damages in excess of $10,000,000.00. Tech companies face increasing pressure to ensure their systems are close to impenetrable to avoid substantial costs in the long term.

There are two usual targets for a cyber-attack against a tech company. Intellectual property (“IP”) or personally identifiable information (“PII”) (PII is any data set that includes your full name, address, or financial information). IP is property of the tech company, and the PII is data belonging to the users, or employees but controlled by the company (usually). Certain users may also have their accounts hacked in order to scam other users. No doubt you, or someone you know, has had a social media account hacked and “spam messaged” their entire friend/follower/connections list with a link to buy some sort of product (which is usually a link to some trojan-horse/ransomware, or a way to get a direct payment, fraudulently).

IP protection is essential for tech companies to maintain competitiveness. However, certain companies who may engage in politically sensitive activities (such as Palantir) become targets to activist hackers (commonly known as ‘hacktivists’).

Other nefarious actors are a threat to companies incorporated in England and Wales. Readers may remember the NHS WannaCry virus in 2017. The major flaw in the NHS systems was that the software had not been kept up-to-date, and therefore could be easily exploited. The UK and USA governments both declared that North Korea was behind the attack, but to date, this has not been confirmed by North Korea. Rogue states and political rivals (such as Russia, China, and Iran) are increasingly weaponizing cyberspace and attacking major tech companies with contracts with government bodies in order to destabilize critical infrastructure in the UK.

For example, Amazon Web Services (AWS) recently secured a 36-month contract with various UK government organisations (including HMRC) for £894,000,000.00, which would no doubt make AWS’s systems a major target for state-sponsored hacking. Some companies have begun employing white-hat hackers to attempt continuously to penetrate their IT systems, to spot bugs/entry points in the company’s security software as a preemptive measure. Companies should therefore ensure they have suitable cyber-insurance coverage to limit the scale of monetary damage that may be caused by a breach, and ensure they are consistently and constantly training employees in the key indicators of potential cyber threats.

For digital creators who provide ‘digital content subscription services’ (i.e. online content that must be paid for to access), they may be targeted by hackers who leak the creators’ content on social media sites or other torrent sites, as a means of trolling/shaming the creators (i.e. no particular justification).

Remedies

The NCCU is underfunded, under-resourced, and ineffective when responding to cyber threats that do not involve critical infrastructure. Furthermore, the NCCU does not have jurisdiction to prosecute many hackers, as they carry out their attacks against UK businesses and individuals from overseas, predominantly in India, Russia and Egypt. Therefore, victims of cyberthreats have little recourse to justice, save for some civil remedies.

1. Injunctions against websites/publishers and the press

In the Rockstar hacking example, GTA VI’s publisher, Take Two Interactive had to devote significant resources to take down leaked content online to websites such as YouTube, and other social media sites. Griffin Law has experience in applying for and obtaining injunctions against websites preventing publication of stolen data/IP (in one instance, for a celebrity whose intimate photographs had been stolen after their iCloud account had been hacked).

2. Injunctions against persons unknown

Griffin Law has experience in applying for, and obtaining, injunctions against ‘persons unknown’. Once the injunction has been obtained, we can then work with third parties to unmask the defendant. Griffin Law has previously acted for claimants who had been harassed online by anonymous trolls, tracking the users down via their IP Address, revealing their true identity, and pursuing them for damages. Once an injunction has been obtained against the hacker (persons unknown), we liaise with law enforcement and other agencies to track down the anonymous hacker to enforce the injunction and obtain a judgment against them.

3. Asset Tracing and International Enforcement

Most of the time, when assets have been unlawfully obtained via fraudsters or hackers, there will be an effort to move those assets overseas. Once a judgment has been obtained in the Courts of England and Wales as outlined above, we can then assist in enforcing that judgment in the foreign jurisdictions with the assistance of third-parties in the relevant jurisdiction. Griffin Law has experience in identifying persons unknown, tracing the stolen assets, and then enforcing the judgment overseas in order to secure compensation via an international network of third-parties. Furthermore, depending on the circumstances, we may be able to freeze the assets of the fraudster/hacker responsible and ensure that any ill-gotten gains are not dissipated.

If you or your company has been hacked and have been subject to fraud (or blackmail/sextortion) you should seek immediate legal advice.

Griffin Law is a dispute resolution firm comprising innovative, proactive, tenacious and commercially-minded lawyers. We pride ourselves on our close client relationships, which are uniquely enhanced by our transparent fee guarantee and a commitment to share the risks of litigation.  For more details of our services please email justice@griffin.law or call 01732 52 59 23.