Almost two weeks ago, we revealed the major changes that had happened this year in the major data breaches top of all times. 2011 was leading in what the number of high profile of breaches is concerned. The top might change once more, ensuring an even stronger position for the current year as hackers hit Steam, a gaming giant that is home to 35 million user accounts.

What we know so far is that the Steam customer data base has been indeed accessed by hackers.

“We learned that intruders obtained access to a Steam database in addition to the forums,”  said Gabe Newell, co-founder and managing director of Steam parent company Valve. “This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.”

While the most sensitive account information was encrypted and there is no evidence that the hackers stole any of the details in the database or that they attempted to misuse any credit cards, Valve advises users to keep a close eye on credit card activity for the time being.

“We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords, which are separate from forum passwords,” Newell’s statement explains. “However, it wouldn’t be a bad idea to change that as well.”

Let’s all keep our fingers crossed and hope only a few forum accounts have been compromised and the 35 million records are safe.

We have recently written quite a few pieces on hacking, hacker-caused data breaches, and other such incidents. As we kick off the week and this first month of fall, more pieces of news along the same line come to our attention.

Two students hacked into the Birdville Independent School District’s servers and ran across a file containing 14,500 student names, ID numbers as well as social security numbers.

Borlas.net was also the playground of hackers. After managing to access their files, the hackers responsible for the security breach also leaked names, passwords, emails and phone numbers of nearly 15,000 registered users.

Another school district, El Paso, was also targeted by hackers. The accessed names, birth dates, social security numbers and addresses of both students and district employees.

Fans of the Star War Galaxies MMORPG game were targeted by hackers. The ObSec group hacked into a fan site and leaked 21,000 email addresses and 23,000 passwords.

The Texas Police Chiefs Association (an organization related to law enforcement could not have missed this list of incidents) was also hacked into and those responsible leaked 25 email accounts of members, along with contents.

If this keeps up, hacking will become the main cause for data loss this year. And as bigger and smaller such groups keep making the news and few are ever caught, they really have no reason to stop.

Mid-August seems to have been the perfect time for a fresh increase in hacking incidents that lead to sensitive data being lost or exposed. Maybe the security incidents have been powered by all the news on Anonymous and LuizSec of late, or maybe companies still don’t know what they’re facing. The truth is the simplest hacks seem to get straight to the sensitive information they store on their projects, their partners and mostly their clients.

The first such incident targeted Epson Korea, where a website hack managed to compromise the details of about 350,000 customers. The data accessed by hackers included names, user IDs, passwords and resident registration numbers.

Another company where hackers ran amok was Vanguard Defense Industries. One of their contractors’ personal email accounts was breached, exposing internal memos and personal details on employees. Of course, the ever sensitive defense info the person in question emailed about was also accessed by hackers.

GOM TV also fell victim to a hack which revealed their users’ login ID and passwords, and other details such as country, email address and real names. And because those related to law enforcement never manage to stay safe, the Bay Area Rapid Transit (BART) Police Officers Association was also targeted. The security breach exposed the personal details of 100 police officers that were part of BRAT.

Last in our roundup of data breaches caused by hacking is the Purdue University incident. Over 7000 former students and faculty members have been affected, the hackers exposing their social security numbers.

This is all for now and I wholeheartedly wish you a safe and hacker-free week!

Hackers targeting the Hong Kong stock exchange have managed to do enough damage to force them to close afternoon trading for seven listed companies. The attack targeted the news section of the stock exchange and managed to severely disrupt day-to-day activities.

The news website, which publishes companies’ regulatory filings, started going down at noon, however according to Hong Kong stock exchange representative, the trading part of the website had not been breached. The stop in trading that affected HSBC, Cathay Pacific Airways and the Hong Kong Exchanges & Clearing, which runs the stock exchange, was a necessary measure as all had released price-sensitive information earlier in the day. As the fresh news could not be accessed, it was safer to end the afternoon trading for the seven companies.

“Our current assessment is that this is a result of a malicious attack by outside hacking,” said Charlies Li, chief executive of Hong Kong Exchanges & Clearing.

The partially closed trading session affected stocks that made up 18% of the Hang Seng index’s weight. Moreover, this is a historic first – the first time the Hong Kong stock exchange has to suspend trading for technical reasons.

Photo source

According to the PlayStation blog, the 70 million users of Qriocity and PlayStation Network may have had their personal information compromised due to a successful hacker attack. Also the network has been shut down since April 20th and users have been unable to download content or play online.

The hacker attack resulted in personal information such as names, home addresses, e-mail addresses, birth dates and passwords being compromised, but the damage to credit card information has not yet been assessed.

“While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility,” said Sony Computer Entertainment and Sony Network Entertainment, which manage the two services, in a joint statement.

It is however certain that although purchasing histories, answers to security questions, card expiration dates and billing addresses could have been stolen, the credit card security codes were kept safe.

Sony strongly advises its customers to place fraud alerts with their credit bureaus and periodically check their credit card statements.

As to the exact number of compromised accounts, the company refuses to comment, this general attitude raising spirits and angering users.

“You waited a WEEK to tell us our (personal) information was compromised?” one PlayStation user wrote on a Sony blog. “That should have been said last Thursday” — the day when Sony first acknowledged the issue.

Apparently, the intrusion occurred between 17 and 19’th of April. On April 20, PlayStation and Qriocity networks have been shut down and continue to remain so until further notice, but according to some reports, the PS network my be down for another week.

Personal information of more than 760,000 of the current and former Ohio State University students, faculty and staff was repeatedly compromised earlier this year by hackers who managed to access an unsecured university server. Starting this week, according to an advisory posted on the university’s website, school officials said they began sending out notification letters all affected individuals.

A routine IT security review discovered the breach, during late October. This breach allowed hackers to access student and staff files containing names, social security numbers, birth dates and addresses.

Once the breach was discovered, university officials immediately “isolated” the server and “launched a thorough investigation including use of some of the nation’s best cyber forensic consultants.”

According to investigators the unauthorized access was used to launch cyber attacks on other online businesses, which remain undiscovered for now.

“Although we firmly believe that this incident has not and will not result in identity theft, we are exercising an abundance of caution and will notify affected individuals,” university officials said in the advisory.

Ohio State became the second Big Ten Conference school that acknowledged a major security breach recently.

Another victim of security breaches, The University of Wisconsin has been warning students and faculty of a database breach in the last months. This breach exposed more than 60,000 individuals’ social security numbers and other sensitive information.

Officials at both schools said they’re in the process of reviewing all security procedures and policies to prevent future intentional or accidental security gaffes.

At this moment, state schools and universities are among the most targeted government agencies to suffer data breaches. According to Application Security, more than 2.3 million files have been breached at U.S. colleges since 2008.

One year of free credit monitoring services for all affected students, former students and staff will be provided by Ohio State, according to officials.

A recent DOS attack on an Eugene School District server managed to succeed in breaching their security and access the said computer which contained the names, employee ID numbers and phone numbers of about 2500 current and former employees. While other sensitive information such as security numbers were not stored on the breached machine, the server was connected with others (apparently protected by other security systems as well), that contained private details on a total of 26000 people and vendors.

Luckily all student data are stored on different networks of the Eugene School District, so none of those studying in the region have been affected. The supposed breach seems to have only affected adults.

Yet the safetly of the 26000 different records is in no way guaranteed. There is no proof of further breaching, but there isn’t any to show there was none either. In the mean time, the breach is being investigated, while the school district’s website has been updated with information on the breach.

“A thorough investigation of the security breach has been initiated, police have been notified, and the district has taken measures to further safeguard the involved server,” the district said. “We are continuing to assess our information security systems to make certain that we have all appropriate measures in place to ensure that personal information is secure. We sincerely regret any inconvenience this may cause to our staff and vendors.”

More information here.

Military personnel included in exposed group of carpooling employees

A website built to help commuters carpool to work is exposing sensitive information of workers for hundreds of employers in Southern California, including at least one military installation. The reason for the data breach was caused by programming errors in the website code.

The bugs, discovered on the RideMatch.info website enable hackers to easily access personal information such as names, home addresses, phone numbers, the times they commute to and from work, and in some cases employee numbers. According to a recent article published by The Register, the SQL injection vulnerability was still active 2 days ago, although it has been discovered two weeks before and reported to a developer who runs the website.

The issue has been discovered and reported bu Kristian Hermansen, a security researcher. Upon receiving a form to fill in by his employer, apparently a legal requirement for all employees, he investigated the website where the information was to be posted.

RideMatch.info is a joint project developed by transit authorities in five regional governments in Southern California. Each individual using the website enters work and home addresses and the time they leave from each. Based on the data, the website then teams them with others who live and work nearby and commute at similar times, thus providing an effective carpool matchmaking services. Too bad the same range of data can be accessed by any hacker willing to exploit the vulnerability!

The “I am legend” of the hacking and data theft world, Albert Gonzales, decided to plead guilty and now faces 15 to 25 years in jail. Gonzales is accused of masterminding a hacking circle that stole 130 million credit and debit card numbers from major retail chains such as Barnes and Noble, T.J. Maxx, Sports Authority, and OfficeMax.

According to The Register, Gonzales, who also used to be a government informant, agreed to plead guilty to 19 felony counts in Massachusetts by September 11. He also intends to plead guilty to a New York indictment accusing him of similar crimes that targeted 11 Dave & Buster’s restaurants. And that’s not all!

The deal does not cover a third indictment in New Jersey against Gonzalez related to the alleged theft of data from more than 130 million credit card accounts from card payment processor Heartland Payment Systems and retailers Hannaford Brothers and 7-Eleven.

In what money is concerned, Gonzales will also say goodbye to nearly 1.65 million US dollars in cash, his Miami condominium, a 2006 BMW, laptop computers, three Rolex watches, and then some more!