Fanatec has been around in one form or another for over two decades, specialising in high-end and niche peripherals, with a major focus on driving game equipment: steering wheels, pedals, that kind of thing. If you've ordered something from Fanatec, however, you need to start worrying about your data: last week the company's customer database was hacked.
Customers of Fanatec today received the following email from CEO Thomas Jackermeier via a 'no reply' address (emphasis mine).
Dear valued customer,
We are writing to you because you have a registered account on our online shop at www.fanatec.com.
We are always anxious to keep our IT systems up to date. Data protection and data security are not just empty words for us but have a high value for us. All the more we regret to inform you that our online shop of our company was compromised by a cyber-attack on 16.08.2019. In the process, previously unknown third parties gained access to parts of our customer database. In this context, personal data of our customers were disclosed to the attackers against our will.
According to the information available to us so far, we must unfortunately assume that your account and the information contained therein was subject to the attack as well. We have already contacted the responsible public prosecutor's office and hope that the perpetrators can be identified quickly. We have also informed the responsible data protection authority in Ansbach (Bavaria) of the incident. We have also commissioned a specialist IT security company to investigate the attack and help us better protect our IT systems against similar attacks in the future.
For security reasons, we have reset your password and ask you to follow the instructions for re-assigning a password. We also recommend that you change your password not only in our online shop, but also wherever you have used it again.
IMPORTANT: Please keep the information contained in this email confidential. This reduces the potential for the hacker to be aware of our official communication, and gives affected customers a better opportunity to take the necessary steps to inform their credit card providers.
If you have any questions, please do not hesitate to contact us under https://www.fanatec.com/contact.
Mr Jackermeier's plea for confidentiality, a full six days on from the breach, feels like it's more about protecting Fanatec's reputation than giving customers the best chance to safeguard their data. It is rather like closing the stable door after the horse has bolted.
The headline for any Fanatec customer is simple though: you'd better think about whatever information of yours this company has, and take steps to protect other accounts. I would particularly note the last bolded section of the email, which implies that payment details have been accessed. Kotaku UK's anonymous tipster told me they'd last had dealings with the company in 2017, so even if you ordered something years ago you could be at risk.
I have contacted Fanatec and Mr Jackermeier to ask exactly what customer data other than passwords has been compromised, and the extent of the breach. At the time of publication there has been no response: this article will be updated if that changes.
This is far from the first data breach in games, but companies should be transparent with customers. Trying to keep things like this low-key is doomed to failure and only builds consumer resentment: get it out there, hold your hands up, tell people what steps you're taking to make it right, and give them detailed information and links to help safeguard themselves.
Fanatec is also a victim here, but its approach leaves something to be desired. We don't know what customer data the hackers have, we don't know how many accounts are affected, and we don't know why the company was silent about this for six days after the attack. If someone ordered a wheel five years ago, for example, are they affected?
At the moment Mr Jackermeier's statement raises more questions than answers. You can read Kotaku's general guide to keeping your online accounts safe here. Meantime, if you've ever used Fanatec's services, maybe now's the time to give your bank a call and try out something like LastPass.