Sega Falls Victim: 1.29 million customer records hacked

Sega is the latest company to admit to being hacked and has admitted that in a recent attack on its computer systems, the personal details of 1.29 million customers was stolen.

The news first emerged on Friday when they said that the email addresses and dates of birth of customers on its Sega Pass database had been accessed by hackers. Now the larger admission will be hugely embarrassing to the company.

Sega remain committed to a statement though saying that the credit card details of customers remained safe. This will come as little comfort though to over a million people who can change their credit card details but not their date of birth or mother’s maiden name.

A spokesperson for the company said “We are deeply sorry for causing trouble to our customers. We want to work on strengthening security.”

Sega informed customers over the weekend with an email confirming an “unauthorised entry” to their computer systems and announcing that they were conducting an investigation into the breach.

The company said it had automatically reset the passwords of every Sega Pass customer and they urged them to change their log-in details for other websites where they used the same username and password combination.

This data was accessed because, the same as Sony which has also had millions of customer details stolen, the basic information about their customers was not encrypted. Thus when hackers gained access to the information it was all in plain text and easily steal able.

Nintendo, which has also been the subject of a hacking attack reassured customers afterwards that the hackers had failed to penetrate their systems.

Their will be continued calls now from all sectors and from governments to make sure that all the personal details of every individual, whether they reside on a company or a government server, must be encrypted. People such as you and I share our personal information with these companies in good faith and expect them to treat it as personal and secure. We wouldn’t, for instance, pass the information over an insecure website that does not display a padlock and have a current security certificate. Why then should we assume that the information won’t be encrypted when it arrives at the server at the far end?

This is an appalling mess all round and many people will now be thinking very carefully about what information they share and with which companies they share it. A debate should also be reiased as to how much of this information companies actually need. For instance, while it can be argued that games companies need dates of birth to ensure that under-age gamers do not get access to titles that have an age rating that is inappropriate for them, does a credit card with a matching name on the account also provide the same age verification?

The hacking group Lulz Security which has been involved in a number of high-profile attacks, including on Nintendo, denied any responsibility for the Sega hack. They instead expressed sympathy saying on their Twitter stream “We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down.”