When San Francisco-based software developer Niantic Labs, in partnership with Nintendo, released the augmented-reality game Pokémon Go, they surely didn’t anticipate either its popularity or its level of danger as players wander out into traffic, travel into dark and unfamiliar areas, or drive while checking their game “for just a minute” to capture the next monster or find Lucky Eggs. Yet since its release, more than 15 million individuals have downloaded the app, raising a host of questions involving potential malware, privacy, liability, property and workers’ compensation issues. One issue that also concerns businesses is the Pokémon Go app being downloaded on corporate-owned, business-only (COBO) devices and bring-your-own devices (BYOD), both of which have direct access to sensitive corporate information and accounts.
In fact, IT professionals warn the game could lead to data breaches in addition to encouraging negative behavior. Dr. Barbara Rembiesa, CEO of the International Association of Information Technology Asset Managers, Inc. (IAITAM), said: "The truth is that Pokémon Go is a nightmare for companies that want to keep their email and cloud-based information secure. Even with the enormous popularity of this gaming app, there are just too many questions and too many risks involved for responsible corporations to allow the game to be used on corporate-owned or BYOD devices.”
Furthermore, she goes on to say that IAITAM already has real security concerns over the game and expects these concerns to become much more severe in the coming weeks and months. “The only safe course of action here is to bar Pokémon Go from corporate-owned phones and tablets, as well as employee-owned devices that are used to connect to sensitive corporate information.”
Data breaches and privacy issues became a real concern from the moment the game was initially released. A user discovered that Pokémon Go allowed Niantic Labs to access their entire Google profile, including their history, past searches and anything else associated with their Google login ID. Although this has since been corrected, for corporate-owned devices the result was, by definition, a data breach, according to Rembiesa. It is unclear how extensive the data breaches that took place prior to the change were, what happened to the information accessed, and how that information was stored and/or destroyed. Moreover, there are no rules or regulations in place that would prohibit Niantic Labs from once again seeking access to all or some of this information.
In addition, there are reports that some versions of the Pokémon Go app available from unofficial app stores may include software enabling cyber crooks to remotely control the user’s phone or tablet. In fact, online security firm Proofpoint had already detected knockoff Android copies of Pokémon Go in the wild containing a remote access tool (RAT) dubbed DroidJack.
In a recent article in Business Insurance, Alan Brill, senior managing director at Kroll Associates Inc., also stated that there have been reports of phishing involving the game. “Depending on what's on the phone, the bad guys may be able to access data on the phone, and if it’s the employer’s data, it’s really an uncontrolled potential leak situation,” he said.
Brill also stated that risk managers at organizations should work with company counsel to develop policies to address this gaming phenomenon. Policies can include forbidding playing the game on a company-owned device, while driving or during work hours. Having such policies in place “at the very least would provide the company with evidence that it had thought about it and tried to give people advice to protect themselves,” he said.
Speak with your clients about the cyber security risks involving games such as Pokémon Go and be sure they develop policies addressing this new craze.