Privacy lessons in the latest Words With Friends data breach


As a privacy attorney, I have a few tips and tricks to limit my risk from data breaches. I have maybe a half dozen account passwords depending on the account. Is it something unimportant? That is one password. They escalate, depending on the type of account and when I created it. I also limit what and where I give my information. My bank account password is much more complex than my Skymiles account password I like to think I take a lot of appropriate steps to limit my info ending up on the internet. I know the repercussions, I plan accordingly, and yet, I get the same emails everyone else gets when hackers get my information.

The Words With Friends Hack

On December 19, 2019, I woke up to a data breach notification from a company called Zynga. I had never heard of the company, but they made Words With Friends, a game I played for a few months in 2010. The hackers got my Words With Friends account info, and I never even got word about the hack from Zynga. I received notification from my web browser. Thank you, Firefox. By the end of the same day, I received a breach notification from Wawa, a gas station chain.

Two hacks I found about on the same day! These included my email address, password, credit card information, name, and likely some location information. No one has hacked Zynga to get access to my Words With Friends account, even though I think I had a pretty good win/loss record back in 2010. No one hacked Wawa to see what I purchased.

What this means for victims of the hack

These hackers will automatically plug in my info from these accounts to more valuable sites. If I used the same email and password combination I used for Words With Friends for my Uber account, the hackers could steal my account and sell that info to 50 people while I am still sleeping. I definitely do not want to wake up with hundreds or thousands of dollars of Uber rides on my account. Did I use the same login for Words With Friends as I did when I set up my bank account? Probably not. Yet, I have to wonder if someone can now access my bank accounts, credit accounts, or if they are just out there challenging others to games of Words With Friends.

The problem with data breaches isn’t that someone can find out what sort of sandwich I buy at Wawa, but using that hacked information elsewhere.

How businesses can protect themselves

This is where data minimization and data retention policies could help. Zynga obviously held a lot of information on my data usage, despite me not having so much as logged for nearly a decade. Have they learned anything about my game usage? Maybe, back in 2009. Have they learned anything or made a single cent on that data in the last decade? Probably not. Instead, I am probably going to cost Zynga money in a class-action lawsuit.

Zynga, and nearly every company I advise, likely had no data minimization or data retention policies. Too many organizations, ranging from single-person startup to billion-dollar corporation, keep all their data, even long after it becomes useless. The old days are long gone of data only taking up physical space in a filing cabinet. Each piece of data a company holds onto is a liability with a real cost. There is a cost to hold onto personally identifiable information, even if the business hopes to monetize the data in the future.

What is data minimization?

Data minimization means your company collects only the basic information needed to complete a specific task. Did Words With Friends need my email address? Probably not, but now hackers will try using my Words With Friends password to log into my attached email account. They will also try that email and password combination on dozens of other sites, just in case I used that same information for my login. If they can use that information to get into my bank account or put in for a tax refund, I could be out tens of thousands of dollars. My next step would be to sue Zynga for that amount, making their attorneys ask, “Why did we even need to collect this information?”

What is data retention?

Data retention should mean your company sets a lifecycle on all personal information. At a specific date, time period, or event, that data needs to be secured, anonymized, or deleted. Zynga, if they had a data retention policy, would have required deleting or anonymizing personal information after it became useless. Can they learn anything from my old information? They probably are not running analytics on how I used an ancient version of their app. The data retention policy would say there is no reason to keep all of this personally identifiable information, as it is just becoming a major liability. In the upcoming class-action lawsuit against Zynga, their attorneys will inevitably wonder to themselves, “Why did we even need to keep this information?”

Words With Friends has made Zynga a lot of money, and now it will cost them a lot of money. The company is nearly guaranteed to spend millions in legal fees, millions in settlement fees, and perhaps millions in fines. What is also nearly guaranteed is Zynga will finally implement data minimization and data retention policies, if the costs do not put them in bankruptcy. Consider this a very expensive and embarrassing lesson in the value of a comprehensive privacy policy.