Well, that escalated quickly. In what seems like an instant, Pokemon went from a faded memory to an all-encompassing craze unlike anything we’ve seen before from an app. Nintendo, the company behind Pokemon Go, had its market cap increase by $7 billion since it was released last week. I haven’t played the game, but I can’t stop hearing and reading about it. Pretty remarkable.
Pokemon Go’s success has far-reaching implications for how we use technology, and in particular augmented reality. I loved this article about how companies can use Pokemon Go to drive foot traffic for about $1/hour. But for our purposes, Pokemon Go may present some unexpected risks to information security.
This article from inc. discusses two of these risks. First, Pokemon Go users must login using their Google accounts. But Pokemon Go is then automatically granted full access to the user’s Google account. Thus, Pokemon Go “can see and modify nearly all information in your Google Account.” So, as noted in this blog post, users playing Pokemon Go have granted the app permission to read their emails, send emails, access and delete all Google drive documents, and more. Not good. Particularly if your employees have emailed themselves proprietary information.
The developer of Pokemon Go has since issued a statement that this was a mistake, which will soon be fixed. Regardless, this shows how important it is to keep your employees from sending themselves proprietary information, which should be your company’s policy. In addition, various IT solutions can protect against this practice.
Also, Pokemon Go has only been officially released in several countries. Per the inc. article, people living elsewhere have turned to file-sharing services to download the app:
Because the game is popular, people in other countries are obtaining the Android version through unofficial channels – and hackers have already successfully posted malware-infected versions of the app in some file sharing services. One variant of such a malevolent version of the app was discovered by the security firm Proofpoint and is quite serious: it infects Android devices and allows hackers to access the infected devices via a backdoor.
File-sharing services are notoriously dangerous. You should be blocking access to all such services on all company devices.
Issues like these are well-suited for employee training. Employees need to know that seemingly innocent conduct can expose the company to serious risks.