Valve notified users of the company's extremely popular online Steam gaming platform on Thursday that cyber-criminals had succeeded in stealing its Steam customer database in addition to hacking the online service's user forums last Sunday evening.

"We will reopen the forums as soon as we can," said Valve co-founder Gabe Newell in an online statement. "I am truly sorry this happened, and I apologize for the inconvenience."

Valve said it had encrypted the credit card information from customers stored on the company's servers. "We don't have evidence of credit card misuse at this time," Newell noted. "Nonetheless you should watch your credit card activity and statements closely," he advised.

In the wake of the notorious hacker attacks on the Sony PlayStation and Sony Pictures web sites earlier this year, companies doing business online have become more cautious about how they handle sensitive information, such as customer credit card numbers and other personal identification details. Still, Sophos security expert Paul Ducklin thinks companies like Valve could do more.

"Send an email to Steam asking why they encrypted credit card data and passwords, but apparently not the rest of its users' personally identifiable information," Ducklin advised Steam account holders in a blog. "In fact, send an email to every company with whom you do business online, and ask them how much of the data they hold about you is encrypted."

An Excellent Starting Map

Too many companies are simply treating payment card industry (PCI) compliance as if it were just another box they needed to check without thinking things through, Ducklin noted.

"They have taken the whole issue of PCI compliance as a security destination to be reached, rather than an excellent starting map for their security journey," Ducklin wrote.

Valve first became aware of the Steam intrusion last Sunday, when hackers defaced the online gaming platform's member forums...

2011-11-11 23:54:24