The lights are on
Microsoft said today it's investigating claims that the Xbox 360 console stores personal information, including credit card numbers, on the hard drive even after its been restored to factory settings.
Researchers at Drexel University claim to have purchased a refurbished Xbox 360 from an authorized retailer and extracted personal data from the console's previous owner using mod tools downloaded from the Internet.
"We are conducting a thorough investigation into the researchers’ claims," said Jim Alkove, General Manager, Security of Interactive Entertainment Business at Microsoft, in a statement sent to Game Informer. "We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers’ claims.
"Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously."
Speaking to Kotaku, researcher Ashley Podhradsk said Microsoft needs to do a better job at protecting customer data. "I think Microsoft has a longstanding pattern of this," she said. "When you go and reformat your computer, like a Windows system, it tells you that all of your data will be erased. In actuality that's not accurate—the data is still available... so when Microsoft tells you that you're resetting something, it's not accurate.
"There's a lot more that needs to be done."
We'll update this story if we hear anything new from Microsoft.