On July 6, 2016, Pokémon Go was released in the United States. Almost overnight, the location-based, augmented reality game became a national, if not global, phenomenon. You cannot turn on the television, listen to the radio, read news headlines, or even walk out your front door without hearing about the game or seeing individuals using their smartphones and tablets to “find” and “capture” digital creatures that virtually appear at specific locations.
While Pokémon Go may sound like a harmless, albeit distracting, “video game,” it poses a risk to cyber security and raises concerns about data vulnerability in company databases and systems.
Games like Pokémon Go require users to download and install an application on the users’ phones or tablets. Users are not always aware if they have downloaded an infected version of the application, which may allow hackers to spy on the victim’s phones and gain access to their data. Some infected versions of the Pokémon Go application have contained a backdoor called DroidJack. DroidJack gives attackers complete access to mobile devices, including user text messaging, GPS data, phone calls, camera—and any business network resources they access.
Even if an employee does not download an infected version of an application, there are still cyber security concerns. Individuals are often quick to download the latest application to access or share data for games like Pokémon Go, without scrutinizing what they are granting the application access to. In the event of a hack targeting a popular application like Pokémon Go, attackers have the potential to access all the data of application users who have not limited the application’s access to their data, including proprietary business information.
In light of the popularity of games like Pokémon Go and the inevitability that similar games or social media applications will become widespread, employers should take measures to deal with how and where business mobile devices can be used to ensure their proprietary information is not being captured by third parties. Electronic device policies can be very effective in limiting an employer’s cyber security risk where the policy requires employees to refrain from downloading and accessing smartphone apps, websites, programs and files that may pose a security risk if the electronic device is used to connect to sensitive corporate information. Employers should also consider updating electronic device policies to require employees to install company encryption software for protecting sensitive data with an agreement signed by employees to not modify the software.