Security researchers from two universities say they found how hackers can retrieve credit card data and other personal information from used Microsoft Xbox 360s, even if the console is restored back to factory settings and its hard drive is wiped. Microsoft is now looking into their story of buying a refurbished Xbox 360 from a Microsoft-authorized retailer, downloading a basic modding tool, gaining access to the console's files and folders, and eventually extracting the original owner's credit card information.
"We are conducting a thorough investigation into the researchers' claims," Jim Alkove, General Manager of Security in the Interactive Entertainment Business division at Microsoft, said in a statement. "We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers' claims. Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously."
Here's what I said the software giant needs to do in my previous coverage:
Microsoft will need to verify whether or not all Xbox 360 hard drives, as well as USB drives that have had profiles transferred onto them, store the sensitive information and why the factory reset option isn't deleting this data. If this turns out to be the case, Redmond will have to offer instructions for what users can do to protect their credit card details, especially if they're looking to sell their console.
I will keep you posted on Microsoft's investigation as this story develops.