An attack on the distribution network of gaming firm Valve has revealed that encrypted mastercard transaction data was taken from a backup database.
According to Techworld, Valve was hacked last November, with attackers believed to have only defaced the website's forum. However, it has now emerged that attackers managed to hack into its user database, which includes details of around 35 million people including user names, billing addresses, details of game purchases and email addresses.
Gabe Newell, co-founder and managing director of Valve, said in a message to the community that there has been no evidence that encrypted bank card numbers or personally identifying information were taken by the intruders, or that the protection on bank card numbers or passwords was cracked.
"We are still investigating," he said. "I am truly sorry this happened, and I apologise for the inconvenience."
According to PCWorld.com, Valve informed users of its Steam video game distribution platform that hackers probably downloaded encrypted mastercard transaction data from a backup database in the course of the intrusion.
In an email sent to Steam users, Newell said: "Recently we learned that it's probable that the intruders obtained a duplicate of a backup file with information regarding Steam transactions between 2004 and 2008." He said he didn't have reason to believe that the sensitive transaction data was decrypted, but that this possibility shouldn't be excluded.
Aydin Ucbasaran, UK sales director at SafeNet, said: "It seems there's more to come out about one of last year's big data breaches. Valve have revealed that encrypted mastercard data was stolen; the excellent news is that the bank card details were properly protected as required by PCI, but that's not really OK for rebuilding the reputation of the Steam service.
"Organisations ought to transcend simply complying with the fundamental PCI security requirements and make sure that they have got systems in place that make sure the digital keys that protect that data are themselves doubly secure. One of the commonest mistakes is to store the digital keys on the same server where the encrypted data resides. This is like locking your home and leaving the key in the lock of the front door.
"Whether this was the case at Valve or not, the most recent revelation about what actually happened does beg the question about whether the digital keys are properly secure. What's needed is a stricter approach to security key management that involves storing the digital keys in a hardware-based repository outside the information centre.
"This will not only remove the chance of hackers stealing the digital keys, but can also make sure the organisation maintains full control of encrypted data even if it falls into the hands of cyber criminals."