Not on my video playlist! – Customer personal data

Roku mentioned that its security monitoring systems had identified an increase in unusual account activity earlier this year. The resulting investigation revealed in March that cyber attackers had gained access to about 15,000 Roku user accounts, through what is known as "credential stuffing" – this is where login details (namely, user names and passwords) used by individuals on other websites have been compromised, and those same login details are used by those users on multiple sites, which in this case also included Roku’s, in respect of certain of these affected users.

Roku has stated that it identified that it was not the source of the login credentials being compromised. It also notified affected Roku customers of the cyber attack in March. Roku then continued to monitor account activity, and became aware in April of this year, that there had been a second incident, which affected approximately 576,000 additional accounts. In respect of those affected accounts, Roku confirmed that in less than 400 cases, the cyber attackers had made unauthorised purchases of Roku hardware and streaming service subscriptions from the payment information stored in those accounts. However, Roku has also stated that the cyber attackers did not gain access to full credit card numbers or other full payment information. Roku also arranged for refunds to be provided to affected users in respect of these unauthorised purchases.

Following the second incident coming to Roku’s attention, it has implemented two-factor authentication in respect of all of its users. Consequently, going forward, simply using login details alone will not provide access to a user’s account, but an additional security step will be required, whereby a link will be sent to the user’s email account, which must be clicked to provide access to the user’s account.

What are the implications?

The incident is a stark and timely reminder of the vulnerabilities inherent in not only digital services, but also the need for continued vigilance. The implications of such cyber attacks are far-reaching. For individuals, the breach of privacy and potential financial loss are immediate concerns. For organisations, the attack underscores the need for robust cybersecurity measures, including the type of monitoring, and ongoing monitoring, which Roku has stated that it undertook to identify the cyber attacks. The fact that the login credentials were obtained from third-party sources according to Roku, highlights the interconnected nature of online security risks. Organisations must recognise that their security is only as strong as the weakest link in the chain of data custody.

What should organisations do?

Organisations must take a proactive stance to guard against the types of risks that Roku was subjected to. This includes:

• Implementing strong password policies: Organisations should encourage the use of unique, complex passwords, and advise users not to reuse the same login details across different service providers or websites.
• Using multi-factor-authentication: This is essential to provide safeguards against the risks of credential stuffing cyber attacks, by mitigating against the risk of compromised login details being used to provide user account access.
• Having regular monitoring and security audits: Conducting thorough assessments of security measures and updating them regularly, is essential. Also ensuring that there is ongoing monitoring, both before and after a cyber attack, is imperative to identify risks, and mitigate against continuing or new cyber attacks. Roku’s ongoing monitoring was beneficial to seek to mitigate the further adverse consequences which arose after the completion of the evaluation of the initial incident. It also resulted in heightened security practices being put in place by way of the two-factor authentication mentioned above.

The above are examples of some of the learnings from the Roku incident, but robust cyber protection also requires strong technical and organisational mechanisms to be put in place, in addition to the above.

How can we help?

Our specialist technology law team can be instrumental in strengthening an organisation’s cyber resiliency. Before a cyber attack, we can assist with various activities, such as:

• Legal compliance: Helping to strengthen cybersecurity practices by leveraging legal compliance requirements, especially UK/EU GDPR compliance requirements.
• Policy development: Assisting with policy development and deployment to guard against cyber threats, as well as to assist with cyber remediation measures from a legal perspective.
• Risk assessment: Identifying potential vulnerabilities within the organisation from a legal perspective, including by assisting with contractual documentation audits.

After a cyber attack, we can help mitigate risks, including by:

• Legal support: Navigating through the legal ramifications of a breach with regard to any applicable ICO and data subject breach notification requirements (and follow-up enquiries), as well as assisting with legal mitigation and defensive litigation strategies in respect of affected data subjects.
• Communication strategy: Assisting with public relations and customer communications.

In conclusion, the Roku cyber attack serves as a cautionary tale for all organisations. By understanding the nature of such attacks and associated implications, and by following practical guidance, organisations can fortify their defences against such cyber threats. Time and cost invested upfront in cyber protection, is certainly better than having to deal with what could be a brutal, and even more costly and lengthy aftermath.

For further information, or if you would like to arrange a consultation, please feel free to contact us.