Nintendo Network Targeted

According to the Wall Street Journal, Nintendo reported Sunday that a server for its US website had been hacked, but that no company or customer information was compromised.  The Lulzsec hacker group, behind other recent high-profile breaches, claimed responsibility.

Lulzsec posted a server configuration file as proof of its involvement, but claimed that it wasn’t targeting Nintendo.  “We just got a config file and made it clear that we didn’t mean any harm” the claimed this morning via Twitter.

Nintendo has reportedly already fixed the exploited vulnerability.  The attack comes as Nintendo is set to launch its new online service for its 3DS hand-held game machine.  The 3DS went on sale in February in Japan and March in the US allows users to play 3-D games without requiring special glasses.  The Nintendo e-Shop, where 3DS users can buy and download games, including some classic title remakes in 3-D, will be available in the US Monday and in Japan Tuesday.

Speculation flows over why this hack was less impacting than the series of Sony hacks, and I would postulate that 3 main  factors have come into play here.

  1. Nintendo would have been very smart to consider the activities going on within their industry as precursors to a pending attack.  It is quite likely that Nintendo examined their own environment and did a little hardening.   I am certain that they would have at least increased their monitoring.
  2. The Nintendo environment is set up quite differently than Sony’s.  It doesn’t look like LulzSec spent the time to probe and research the environment, attempt social engineering, or was unable to.
  3. Third, Nintendo has opted for security over convenience in their daily operations.  They have taken a fair amount of heat from their customers because they do not store credit card information when purchases are made.  The CC information has to be re-entered with every purchase.  If you’ve complained about it before, tip your hat now, because Nintendo didn’t spill your beans!

Other console and gaming networks should pay heed, and other businesses as well.  Learn from the mistakes and successes of others, harden, monitor and store only what is necessary on your networks.