Cyber Incident Victim: BigFish Games

On December 24, 2014, attackers compromised the website of BigFish Games, a Seattle-based casual gaming company, by installing malware on its billing and payment pages. The malware remained active until January 8, 2015, intercepting customer payment information entered during new transactions on the company’s websites. According to CTO Ian Hurlock-Jones, the breach potentially exposed names, addresses, payment card numbers, expiration dates, and CVV2 security codes for customers who submitted new payment details within this 16-day window. The attackers did not access previously saved payment profiles or the company’s user databases. BigFish Games discovered the compromise internally on January 12, 2015, after which they removed the malicious software and implemented measures to prevent its reintroduction. The delayed customer notification occurred on February 11, 2015—one month after detection—via individualized letters to potentially affected users.

The company notified law enforcement agencies, credit reporting bureaus, and payment card networks following the breach discovery. Compromised financial data posed significant risks for card-not-present fraud due to the inclusion of CVV2 codes, which facilitate unauthorized online transactions. BigFish Games offered affected customers a complimentary one-year membership to an identity protection service and advised vigilant monitoring of payment account statements for fraudulent activity. No details regarding the number of impacted users or the attackers’ identities were disclosed. Established in 2002, BigFish Games had distributed over 2.5 billion games globally prior to the incident, though the breach’s geographical impact across its 150-country customer base remains unspecified. The company confirmed the malware’s eradication but provided no technical specifics about its operation or the containment measures enacted.