In August 2015, Blizzard employees were at a major cybersecurity conference in Las Vegas, where the company was one of the sponsors and had a booth in the recruiting area.
Emily Mitchell, a security researcher who at the time was looking for a job, approached the Blizzard booth to see what positions were open at the company. Mitchell told Waypoint that she loves PC games, and played Diablo, Blizzard's roleplaying game.
When she got to the table, she said she asked about the penetration testing position. Penetration testing, or pentesting, is the industry term for a security audit. Mitchell said she was wearing a t-shirt made by cybersecurity company SecureState, which had "Penetration Expert" on the front. One of the Blizzard employees first asked if she was lost, another one asked if she was at the conference with her boyfriend, and another one asked if she even knew what pentesting was.
"One of them asked me when was the last time I was personally penetrated, if I liked being penetrated, and how often I got penetrated," Mitchell told Waypoint. "I was furious and felt humiliated so I took the free swag and left."
Last week, the state of California sued Activision Blizzard for fostering a "frat boy" culture and for being "breeding ground for harassment" and discrimination. The lawsuit cited a series of alleged sexual harassment incidents over the years, including drunk male employees going on "cube-crawls" harassing women, jokes about rape, comments on female colleagues' bodies, and groping. In what's one of the more damning incidents alleged in the lawsuit, Alex Afrasiabi, a long-time World of Warcraft developer, used to call his hotel room during a company conference the Bill "Cosby suite [sic]." Several Blizzard employees told Kotaku that the name was a clear reference to Cosby's history of sexual assaults, which were already public at the time.
Like the games industry, the cybersecurity industry has been reckoning for years with a male-dominated sexist culture within companies and at conferences, where male attendees routinely dismiss women, grope them, and harass them, as Motherboard reported in 2016.
Mitchell said she did not report the incident to Black Hat's organizers in 2015, as "I didn't feel comfortable saying anything to anyone at the time because I was a single mom who needed a job, and I didn't want to do anything that may have jeopardized my chances of landing a new job."
In 2017, two years after the Black Hat incident, Blizzard reached out to Sagitta HPC, which is now called Terahash, looking to hire the company for security work. At the time, Mitchell was Chief Operating Officer at Sagitta HPC.
When Mitchell saw Blizzard's request, she said she told the founder and CEO of the company Jeremi Gosney "fuck no," and shared the incident with him. Gosney then wrote a scathing email to Blizzard employees outlining the incident:
"One of my C-suite executives saw that you had been added to our CRM database, and shared a very troubling and upsetting story with me:
Back in 2015 at the Black Hat USA security conference in Las Vegas Blizzard had a recruitment booth in the “Career Zone” section of the vendor area. As the name implies, the purpose of the Career Zone is to connect hackers seeking jobs with companies seeking to employ them. My executive (whom I should clarify was not employed with us at the time, but rather was employed as a senior vulnerability researcher at large security consulting firm) approached the Blizzard booth to inquire about open positions; however instead of discussing potential job opportunities with her, the Blizzard recruiters ridiculed her for being a woman. They asked her if she was lost; if her boyfriend brought her to the conference; if she even knew what the conference was about; if she knew was penetration testing was, and how often she got penetrated; and a slew of other extremely inappropriate and wholly unprofessional questions.”
"As you can imagine, this was a tremendously upsetting and infuriating experience for her. And yet when she shared her experience with other women at the conference, she found that she wasn’t alone—many others had received the same treatment from the Blizzard recruitment booth as well," Gosney's email continued.
He left the door open to work with Blizzard—with some special conditions. Gosney shared his response email to Blizzard enquiry on Twitter in 2017, but redacted Blizzard's name at the time:
“Now, rather than dismiss you and tell you that we will not do business with you, we'd like to give Blizzard the opportunity to redeem themselves. We are committed to combating inequality, and I am calling on Blizzard to do the same. As you may or may not know, today is International Women’s Day. And in honor of this day, we are attaching a few conditions if Blizzard wishes to do business with us:
Condition #1: Blizzard will be charged a 50% “misogyny tax”, the proceeds of which will be donated to Women in Technology International, Girls in Tech, and Girls Who Code.
Condition #2: Blizzard will become a Gold Sponsor of the Grace Hopper Celebration of Women in Computing 2017 conference.
Condition #3: A formal letter of apology from the Blizzard C-suite addressed to my COO, along with verification that all employees have undergone equal opportunity and sexual harassment training in 2017 Q1.”
"We decided to post a redacted screenshot of the email to Twitter to let other prospective clients know that we don't tolerate misogynistic bullshit, but also to let Blizzard know that we were dead serious," Mitchell told Waypoint.
Three sources who have read the unredacted email confirmed to Waypoint that the redacted company is Blizzard. The sources asked to remain anonymous as they were bound by a non-disclosure agreement. Mitchell agreed to share her experience at Black Hat 2015 after Waypoint learned that the email posted by Gosney was about Blizzard.
Mitchell said that after Gosney's email, Blizzard was "eager" to get her on the phone with their lawyers.
"They made it clear that they were not interested in agreeing to any of our terms, just a lot of empty promises that they were taking the report 'seriously,' that it would be investigated internally, and assured me that they do conduct sexual harassment training," she said. "Ultimately it felt like they were more interested in gauging their own legal exposure and placating me."
Blizzard declined to comment.
Do you have a tip to share with us about working conditions at Activision Blizzard? You can contact reporter Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Wire apps “lorenzofb,” or email firstname.lastname@example.org
Chris Fajardo, the director of global security operations at Blizzard at the time of Black Hat 2015, and Mark Adams, who was chief information security officer at Blizzard in 2017, when the company received the email, did not respond to a request for comment via LinkedIn.
Mitchell said she reported the 2015 incident to Black Hat's organizers in 2017, who got on the phone with her, promised they would not allow Blizzard back as a sponsor, and gave her a free ticket to Black Hat USA 2018. According to Black Hat's website, Blizzard has not been a sponsor after 2015.
A Black Hat spokesperson confirmed that they spoke to Mitchell, and that they made that promise.
In 2015 Black Hat already had an official code of conduct that asked attendees to refrain from "discriminatory or harassing behavior." The code of conduct defined harassment as "offensive comments (verbal, written, or otherwise) related to gender, sexual orientation, race, religion, disability."
A spokesperson for Black Hat responded to questions about the incident with the following statement:
"We take allegations of misconduct at our events very seriously. While we can’t comment on any investigations of reported incidents, we can say every event participant agrees to abide by our code of conduct when they agree to participate in Black Hat, from vendors, to sponsors, to attendees and staff," read the statement sent to Waypoint via email. "Anybody who does not comply with our rules will be asked to leave and will be removed from participation in future Black Hat events."
Stefano Zanero, an associate professor at the Politecnico di Milano University who focuses on cybersecurity, condemned the incident.
“This story is appalling, and a stark reminder of how hard it is to be a woman in our industry," Zanero told Waypoint in an online chat. "We need to do better, and I wish all managers and CEOs would do the right thing and have the back of everyone who is harassed and unfairly treated.”
Subscribe to our cybersecurity podcast CYBER, here.