Hackers have broken into two websites belonging to Japanese video game maker Square Enix. Just hours after Sony began its steps to fully restore its PSN service following a cataclysmic hacker attack, Square Enix confirmed their own security breach, though admitted it was smaller than previously thought on May 13.
Square Enix Holdings, creator of mega hits such as Final Fantasy and the Dragon Quest series, confirmed that the e-mail addresses of up to 25,000 customers who had registered for product updates may have been stolen. Additionally, the resumes of 350 people applying for jobs in its Canadian office could also have been copied from the web servers.
Square Enix apologized for the breach of data and immediately shut down the hacked websites. The websites that were attacked were Eidosmontreal.com, a subsidiary company owned by Square Enix, and Deusex.com, a website for an upcoming game from the Deus Ex series.
"Square Enix can confirm a group of hackers gained access to parts of our Eidosmontreal.com website as well as two of our product sites. We immediately took the sites offline to assess how this had happened and what had been accessed, then took further measures to increase the security of these and all of our websites, before allowing the sites to go live again," Square Enix said in a statement sent to VG247.
"Eidosmontreal.com does not hold any credit card information or code data, however there are resumes which are submitted to the website by people interested in jobs at the studio. Regrettably up to 350 of these resumes may have been accessed, and we are in the process of writing to each of the individuals who may have been affected to offer our sincere apologies for this situation," the statement continues.
However, Square Enix insists that while personal data was exposed, such as up to 25,000 email addresses and resumes for jobs at Eidos Montreal (of which 350 were accessed), no credit card data was stolen because the websites do not hold any such data.
The company has given no indication as to whether it knows who was responsible for the attack. It was rumored that after the attack the hackers left messages that said "owned by Chippy1337". Other known hacker names appeared on the websites too, such as 'evilhom3er' and 'XiX', but it is thought that the real hackers may have just used these names as a cover-up. An expert computer forensics team and the FBI have become involved in working to identify the hackers.
According to KrebsOnSecurity.com, the hackers may be part of a "splinter cell of the hacktivist group Anonymous." KrebsOnSecurity.com claimed that they had obtained an archived copy of the attackers' online chatter as they were covering their tracks from compromising the sites.
"A hacker using the alias "ev0" discusses having defaced the sites and downloaded some 9,000 resumes from Eidos. ev0 and other hackers discuss leaking "src," which may refer to source code for Deus Ex or other Eidos games. In a separate conversation, the hackers also say they have stolen information on at least 80,000 Deus Ex users and that they plan to release the data on file-sharing networks."
Graham Cluley, a consultant at the security firm Sophos, warned that both leaks could cause problems for the individuals concerned. "With the e-mail there is a danger that gamers could be e-mailed by someone pretending to be from the company who gets them to click on a link or run some malicious software," he told BBC News. "The resumes are a blueprint for identity theft. They have everything that scammers want. The only thing missing is credit card information."
It should be noted that this case involving Square Enix is the second major leak in the gaming industry in recent weeks. At the end of April 2011, hackers managed to crack Sony's PlayStation Network online service, compromising the data of about 100 million users. The frequency of data breaches is only going to increase if organizations and companies fail to pay attention to the vulnerabilities of their network security.
Companies need to implement robust information security initiatives, including having a proficiently skilled IT security workforce, in order to avoid cyber attacks and security breaches. IT security professionals can increase their information security knowledge and skills by embarking on advanced and highly technical training programs. EC-Council has launched the Center of Advanced Security Training (CAST) to address the deficiency of technically proficient information security professionals.
CAST will provide advanced technical security training covering topics such as advanced penetration testing training, Digital Mobile Forensics, Cryptography, Advanced Network Defense, and advanced application security training, among others. These highly sought after and lab-intensive Information Security training courses will be offered at all EC-Council-hosted conferences and events, and through specially selected authorized training centres.