Gaming industry yet to learn lessons from Sony hack

Sony has been counting the cost ever since it was forced to admit that its PlayStation Network and Online Entertainment service had hacked, potentially exposing more than 100 million users to fraud.

Sony’s initial estimate put the damage at £104m, but pundits said the biggest loss would be in reputational damage as lack of confidence hit Sony’s share price, with the share price falling 55% in the six months after the company revealed the hacking on 27 April.

Despite the fact that the incident was highly publicised as one of the biggest data breaches in history, other gaming online gaming operators appear to have failed to lean any valuable lessons.

Just over six months since Sony’s computer systems were breached, comes the news that the Steam video game service of the gaming distribution company Valve was hacked last weekend, potentially exposing the personal details of 35 million users.

Valve discovered the breach of the user database while investigating a security breach of its discussion forums, in which the attackers sole login details to access the user database that held ID and credit card data, according to the BBC.

But according to Valve, there is so far no evidence that credit cards are being misused or Steam accounts abused. The company says there is also no evidence that the encrypted credit card data or personal information had been taken.

Sony’s data breach should have made the whole industry sit up and review their security much more seriously, says Mike Smart, EMEA product and solutions director at security firm SafeNet.

“Hopefully this new attack will puncture any complacency that persists in this and other sectors and ensure more is done to secure consumer privacy,” he says.

According to Smart, many organisations are still relying on basic data protection which exposes social data to security risk, while they should be encrypting all data, securing data at all stages of the data lifecycle, and storing encryption keys safely outside the data centre.

Valve claims the credit card data was encrypted, but Smart says that despite recent breaches, some online businesses are still not grasping that all critical data needs to be secured from the threats of insider risk, abuse or theft.

In light of the Steam hack, all online entities with discussion forums need to review their data security and deal with any weaknesses, says Liz Fitzsimons, senior associate at international law firm Eversheds.

Ensuring that sensitive data or data vulnerable to misuse has extra protection is very important and may reduce the risk of a monetary penalty by the Information Commissioner of up to £500,000.