Says Podhradsky: "Microsoft does a great job of protecting their proprietary information. But they don't do a great job of protecting the user's data. A lot of them already know how to do all this. Anyone can freely download a lot of this software, essentially pick up a discarded game console, and have someone's identity."
Microsoft says it is investigating the case: "We are conducting a thorough investigation into the researchers' claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers' claims. Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously."
If Microsoft is slow to come with a fix, the college students say using Darik's Boot and Nuke (DBAN) will protect you.