Governance & Risk Management , Incident & Breach Response , Privacy
Words With Friends Breach: Zynga's Case Set for ArbitrationJudge Says Users Agreed With Arbitration When Accepting Terms and Conditions
Yet another lawsuit filed in the wake of a data breach appears set to not result in a jury trial.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
In 2019, San Francisco-based mobile game developer Zynga suffered a data breach that exposed users' personal details, including email addresses, passwords and some phone numbers and Facebook IDs. As a result, the company faced four class action lawsuits.
But last week, a judge ordered that the case be thrown out, although she has left open the door for plaintiffs to amend their complaint. "The court grants the motion to compel arbitration and grants the motion to dismiss for lack of standing with leave to amend," U.S. District Court Judge Yvonne Gonzalez Rogers wrote in her Friday order.
Her reasoning: Users whose data was exposed agreed to terms and conditions specifying that any disagreements would be resolved via arbitration, and they also haven't been able to prove they suffered any financial harm from the breach.
2019 Data Breach
Founded in 2007, publicly traded Zynga is known for games such as FarmVille and Words With Friends, a popular multiplayer word game that is similar to the classic board game Scrabble. Earlier this year, the company said it had 164 million monthly active users.
On Sept. 12, 2019, Zynga warned customers that it had suffered a data breach (see: Zynga's Breach Notification: How Not to Inform Victims).
"Cyberattacks are one of the unfortunate realities of doing business today," the company's initial data breach notification stated. "We recently discovered that certain player account information may have been illegally accessed by outside hackers. An investigation was immediately commenced, leading third-party forensics firms were retained to assist, and we have contacted law enforcement."
As The Hacker News reported at the time, a prolific Pakistani hacker known as Gnosticplayers claimed to be behind the attack, resulting in the theft of customer account information for more than 218 million users of Words With Friends.
"Hundreds of millions of people, including plaintiffs, trusted and believed Zynga's promise to protect their personally identifying information," reads the latest consolidated class action complaint filed on March 12 against Zynga, which includes 27 counts - or causes for action. "Yet despite its promise, Zynga failed to protect its customers' PII by, among other things, using outdated password encryption methods that were banned for use by federal governmental agencies as early as 2010." That's a reference to the site having stored some passwords using the SHA-1 algorithm, which even at that time was an outdated approach that was relatively easy for hackers to crack. Many security experts have long warned organizations to not use SHA-1, but rather to use a fit for purpose password-hashing algorithm, such as bcrypt.
Zynga has continued to argue in court that the lawsuit should be moved to arbitration. After the consolidated class action was filed on April 27, Zynga again made a motion to compel arbitration for part of the claims, as well as to dismiss the other parts of the lawsuit, asserting that they had no Article III standing and also failed to state a claim.
Repeat Breach Difficulty: Proving Injury
Seeing lawsuits get filed by U.S. residents after their personal details get exposed in a data breach is common. But so, too, is seeing those lawsuits get dismissed after judges rule that the "plaintiffs' bar" - the group of attorneys representing plaintiffs - failed to prove that victims suffered an actual or threatened injury, under what's known as Article III standing, legal experts say (see: Why So Many Data Breach Lawsuits Fail).
In cases in which financial information, such as bank account or credit card numbers, has been exposed, the relevant financial services firms will often directly reimburse any losses.
In some cases, courts have allowed lawsuits to proceed because of the identity theft threat posed by exposed information. When that happens, defendants typically agree to settle a case, rather than risk a jury imposing an unexpected penalty and an unfavorable precedent being set (see: Zappos' Offer to Breach Victims: A 10 Percent Discount).
Following the breach notification, a Zynga spokeswoman declined to tell Information Security Media Group what types of data were exposed.
But Gnosticplayers told The Hacker News that compromised Zynga information included:
- Email addresses;
- Zynga login ID;
- "Hashed passwords, SHA1 with salt";
- Password reset tokens, if they had been previously requested;
- Phone numbers, if provided by a user;
- Facebook ID, if provided by a user;
- Zynga account ID.
The plaintiffs also alleged that "credit card information and other personally identifying information" might have been exposed, and that approximately "172 [million] to 218 million user records" in total appear to have been compromised.
As a result of financial information allegedly having been exposed, the plaintiffs said that "since the Zynga data breach, Zynga's customers have been exposed to credit and identity theft, 'credit stuffing,' phishing scams and other illegal and fraudulent conduct perpetrated by the criminal actors who have come into possession of the stolen PII, either through purchase of the same on the dark web or through the theft of the PII during the data breach itself." The lawsuit says some of the victims included minors, and notes that Zynga offered no credit monitoring services to victims following the breach.
No Article III Standing
The judge, however, wasn't convinced that the data breach victims faced any actual financial damage. As a result, the Zynga case appears set to move in a different direction: to arbitration. This typically involves a former judge agreeing to hear both sides and then issuing a legally binding decision, although this can sometimes be appealed to another arbitrator.
In her order, Rogers wrote that the plaintiffs had agreed to Zynga's 2019 terms and conditions, which included an arbitration agreement, and found that the plaintiffs had entered no valid challenge against that clause. She upheld Zynga's motion to dismiss this part of the complaint, although she gave the plaintiffs time to amend their complaint.
In terms of damages, "the court finds that, as currently pled, the complaint fails to establish a sufficiently concrete injury-in-fact as required for Article III standing," Rogers wrote. "Specifically, plaintiffs have not sufficiently alleged an invasion of privacy or a risk of future harm based on the information allegedly stolen in the breach." Accordingly, she upheld Zynga's motion to dismiss this part of the lawsuit based on lack of Article III standing, although she again gave the plaintiffs the opportunity to amend their complaint.
As that indicates, the case isn't over yet. Plaintiffs have until Aug. 27 to file an amended complaint, and Zynga has until Sept. 20 to respond. "Should the amended complaint survive an Article III standing challenge, Zynga shall be permitted to reassert its challenge to the merits," the judge wrote.