An attack on the distribution network of gaming firm Valve has revealed that encrypted credit card transaction data was stolen from a backup database.
According to Techworld, Valve was hacked last November, with attackers believed to have only defaced the website's forum. However, it has now emerged that attackers managed to hack into its user database, which contains details of around 35 million people including user names, billing addresses, details of game purchases and email addresses.
Gabe Newell, co-founder and managing director of Valve, said in a message to the community that there was no evidence that encrypted credit card numbers or personally identifying information was taken by the intruders, or that the protection on credit card numbers or passwords was cracked.
“We are still investigating,” he said. “I am truly sorry this happened, and I apologise for the inconvenience.”
According to PCWorld.com, Valve informed users of its Steam online game distribution platform that hackers probably downloaded encrypted credit card transaction data from a backup database during the intrusion.
In an email sent to Steam users, Newell said: “Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008.” He said he did not have reason to believe that the sensitive transaction data was decrypted, but that this possibility should not be excluded.
Aydin Ucbasaran, UK sales director at SafeNet, said: “It seems there's more to come out about one of last year's big data breaches. Valve have revealed that encrypted credit card data was stolen; the good news is that the credit card details were properly protected as required by PCI, but that's probably not good enough for rebuilding the reputation of the Steam service.
“Organisations need to go beyond simply complying with the basic PCI security requirements and ensure that they have systems in place that ensure the digital keys that protect that data are themselves doubly secure. One of the most common mistakes is to store the digital keys on the same server where the encrypted data resides. This is like locking your house and leaving the key on the lock of the front door.
“Whether this was the case at Valve or not, the latest revelation about what actually happened does beg the question about whether the digital keys are properly secure. What's needed is a stricter approach to security key management that involves storing the digital keys in a hardware-based repository outside the data centre.
“This will not only remove the likelihood of hackers stealing the digital keys, but will also ensure the organisation maintains full control of encrypted data even if it falls into the hands of cyber criminals.”
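The key-management point made above (keys stored on the same server as the encrypted data, versus keys held in a separate hardware-backed repository) is easier to see in code. The following Go program is an added illustration, not code from the article, from Valve or from SafeNet, and it makes no claim about how Steam's backup was actually built. It models two layouts of a backup file: a weak one in which the raw data-encryption key (DEK) is written next to the ciphertext, and a sound one in which the DEK is only present wrapped under a key-encryption key (KEK) that lives in a stand-in for an HSM/KMS and is never copied into the backup. The `KeyStore` type, the `Backup` layout and the sample transaction record are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Backup is what an intruder who copies the database backup would obtain.
// Constructed layout for illustration only.
type Backup struct {
	Ciphertext   []byte // AES-256-GCM sealed record, nonce prepended
	WrappedDEK   []byte // the DEK, sealed under the KEK held by the key store
	PlaintextDEK []byte // only set in the weak layout: raw key beside the data
}

// KeyStore stands in for a hardware-backed repository (HSM/KMS) that is not
// part of the backup. It never exports the KEK; it only wraps and unwraps DEKs.
type KeyStore struct{ kek []byte }

// NewKeyStore generates a fresh 256-bit KEK inside the store.
func NewKeyStore() (*KeyStore, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyStore{kek: kek}, nil
}

// seal encrypts plaintext with AES-GCM under key and returns nonce || ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; authentication failure or a wrong key returns an error.
func unseal(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// Wrap seals a DEK under the store's KEK; Unwrap reverses it.
func (ks *KeyStore) Wrap(dek []byte) ([]byte, error)     { return seal(ks.kek, dek) }
func (ks *KeyStore) Unwrap(wrapped []byte) ([]byte, error) { return unseal(ks.kek, wrapped) }

// MakeBackup encrypts record under a fresh DEK and stores the wrapped DEK.
// keyBesideData=true reproduces the mistake described in the text: the raw
// DEK is also written into the backup.
func MakeBackup(ks *KeyStore, record []byte, keyBesideData bool) (Backup, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Backup{}, err
	}
	ct, err := seal(dek, record)
	if err != nil {
		return Backup{}, err
	}
	wrapped, err := ks.Wrap(dek)
	if err != nil {
		return Backup{}, err
	}
	b := Backup{Ciphertext: ct, WrappedDEK: wrapped}
	if keyBesideData {
		b.PlaintextDEK = dek
	}
	return b, nil
}

// AttackerRecover models someone holding only the backup file and no access
// to the key store: the record is readable only if the raw DEK travelled with it.
func AttackerRecover(b Backup) ([]byte, error) {
	if b.PlaintextDEK == nil {
		return nil, errors.New("no usable key in backup: ciphertext stays opaque")
	}
	return unseal(b.PlaintextDEK, b.Ciphertext)
}

// AuthorizedRecover models the application path: the key store unwraps the DEK,
// so the data owner keeps control even after the backup has leaked.
func AuthorizedRecover(ks *KeyStore, b Backup) ([]byte, error) {
	dek, err := ks.Unwrap(b.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, b.Ciphertext)
}

func main() {
	ks, _ := NewKeyStore()
	record := []byte("constructed txn 2006-03-14 pan=4111111111111111 amount=19.99")
	weak, _ := MakeBackup(ks, record, true)
	strong, _ := MakeBackup(ks, record, false)
	got, err := AttackerRecover(weak)
	fmt.Printf("key beside data: attacker reads %q (err=%v)\n", got, err)
	_, err = AttackerRecover(strong)
	fmt.Printf("key in separate store: attacker gets err=%v\n", err)
	got, _ = AuthorizedRecover(ks, strong)
	fmt.Printf("authorized path still works: %q\n", got)
}
```

The design choice worth noting is that `Backup` carries the DEK only in wrapped form in the sound layout; nothing in the file, not even an exhaustive read of it, yields the KEK, so a stolen backup is as unreadable to the thief as the article's source suggests it should be.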