Activision did not notify employees of data breach for months

On December 4, hackers successfully phished an employee at the games giant Activision, gaining access to some internal employee and game data.

This data breach was not disclosed until last weekend, when cybersecurity and malware research group vx-underground posted on Twitter screenshots of the stolen data, as well as the hackers’ messages on Activision’s internal Slack channel.

But the public weren’t the only ones caught off guard by news of the breach. Activision has yet to notify its own employees of the data breach, and whether their data was stolen, according to two current Activision employees who spoke on condition of anonymity, as they were not allowed to talk to the press.

“This is a problem. If there is employee’s information involved, they should have disclosed the breach,” one of the employees told TechCrunch.

Activision spokesperson Joseph Christinat told TechCrunch that “there are no requirements for a company to notify when there is no evidence of sensitive data access.”

In response to news of the breach, Christinat had previously shared a statement that said Activision “swiftly” responded to an SMS phishing attempt and “quickly resolved it.” According to the statement, the company “determined that no sensitive employee data, game code, or player data was accessed.”

The hacker or hackers were able to access a series of spreadsheets that included employee data such as full names, some telephone numbers, corporate email addresses, and in some cases, the offices where they work, according to a copy of the stolen data, which vx-underground shared with TechCrunch.

Activision, which publishes household games such as Call of Duty and World of Warcraft, is in the process of being acquired by Microsoft in a deal valued at $68.7 billion. Regulators in the U.S., the European Union, and the U.K. have opposed the deal.

Activision, which also owns Blizzard, is headquartered in California. The state has a data breach notification law that requires companies to notify victims of data breaches when 500 or more state residents are affected, and mandates that “the disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.”

The law defines “personal information” to include Social Security number; other forms of ID such as driver’s license number; California ID card; “tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual”; medical and health insurance data; credit card numbers; and biometric and genetic data.

This story was updated to include a comment from an Activision spokesperson.

