Microsoft is looking into a potential security issue affecting its Xbox 360 video game console this week after a group of college students claimed they were able to extract the credit card information of a console’s previous owner from the machine.
Ashley Podhradsky, Rob D’Ovidio, and Cindy Casey of Drexel University and Pat Engebretson of Dakota State University reportedly bought a refurbished Xbox from a Microsoft-authorized reseller in 2011 and were able to access old files containing the credit card information of the device’s first owner. Although its hard drive had been wiped and its factory settings reset, the console was cracked after the students installed a software “modding” tool that allows Xbox owners to install applications that aren’t sanctioned by Microsoft.
Microsoft called the hack unlikely in a statement obtained by ZDNet on Monday.
Jim Alkove, General Manager, Security of Microsoft’s Interactive Entertainment Business division, claimed the company had launched an investigation into the hack. Alkove asserted that Xbox 360 consoles are not designed to store credit card data, adding that it was unlikely any information was recovered in the fashion the hackers described.
“When Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data,” Alkove said. “We can assure Xbox owners we take the privacy and security of their personal data very seriously.”
Gawker’s video game blog Kotaku interviewed Podhradsky about the device’s security late last week.
“Microsoft does a great job of protecting their proprietary information,” she told the site, “but they don’t do a great job of protecting the user’s data.”
While the security of Microsoft’s gaming console has been called into question before (Xbox Live phishing attempts, etc.), this is one of the first reports to claim that the console’s physical hard drive may be at risk.
NASA, whose hard drives arguably carry more sensitive information than an Xbox, caught similar heat in 2010 after it was found not to be adequately wiping, sanitizing and destroying its own hard drives.