Privacy Ref Blog

All Steamed Up

Earlier this month, Valve experienced an issue with data caching and what some call a data breach.  Valve is a gaming company famous for many titles, but also for their virtual storefront, Steam.  The short story is that Valve’s virtual storefront, known as Steam, had a glitch that allowed someone logged in to potentially see another user’s personal information.  The personal information included names, digital identities, emails, and possibly credit card information.  For a more complete summary, check out this video.

Some people are saying that this is not a data breach.  In fact, a lot of people on Twitter were on both sides of the argument, it was or was not a breach.  So I thought this would be a good time to explain when a data breach occurs and also find out why so little has been said by Valve.

Was This a Breach?

If you go online and look up “definition of data breach,” you get this explanation from

                “data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.”

That is pretty straight forward, but now we have to figure out what Personally Identifiable Information (PII) is.  The International Association of Privacy Professionals defines PII, otherwise referred to as Personal Information, as follows:

“Personal information can include name, age, gender, street address, email address, social security number (national identity number) and/or telephone number. This information can exist in many forms (electronic or hard document as two examples) and may be managed or stored according to one or more general classifications.”  (Information Privacy Official Reference for the Certified Information Privacy Professional, pg 7)

Legally, the definition of PII varies depending on the jurisdiction.  Steam is one of the biggest virtual storefronts for videogames and other software.  It is used by individuals around the globe.  Some things that are generally considered PII were exposed by Valve; full names, credit card numbers, and digital identities (like a username) are all considered PII in most jurisdictions.  Now, that is not to say every jurisdiction includes those items, but most do, and that means a breach, as legally defined, occurred in those areas.  This is probably why Valve has been so quiet on the matter, only saying they fixed the root cause.

Have a Better Game Plan

The first step in dealing with a data breach is to determine whether it actually happened.  Then you are supposed to close off the source of the breach or “stop the bleeding”.  After that communication is the key to successful breach handling; communication with customers, employees, law enforcement, regulators, company stakeholders, and the media to name a few.

Valve and their privacy team are most likely (hopefully?) looking at what they need to do next, determining what parties need to be contacted, if any.  The issue here is that they have been quiet on the matter.  A lack of information can set your customers (and law enforcement or regulators) on edge, especially when the customers are a technologically involved group like gamers.  Gamers are much more prone to checking online news outlets already, searching for game reviews or previews, and these same sites will carry news about the Steam situation.

Overall, this is still a very recent event.  Taking place right before Christmas, there is still some time to come before this case is closed completely.  If anything, the online reactions to this breach when compared to other recent breaches does illustrate how being open and honest can build trust with customers or how that trust may be tainted.

Privacy is about trust, and without it, your customers may become anxious about allowing you to handle their information.  Having a strong breach plan, knowing what information to share, and where and when to share it can keep your company on top in the event of a privacy event.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at

Posted on January 4, 2016 by Ben Siegel

« »

No Responses

Comments are closed.

« »

Subscribe to our mailing list

Please fill out the form below.


Want to find out more?

Simply go to the contact page, fill out the form, and someone from Privacy Ref will be in touch with you. You can also send an email to or call (888) 470-1528.


February 8, 2017

New On-Line Class Offering
Learn more about privacy program fundamentals with Bob Siegel and Privacy Ref. Find out more about this offering on our On-Line Classes Page.

Latest Blog Posts

April 12, 2017

Planning for Summit 2017
With the IAPP Privacy Summit less than a month away, it is time to start planning what you will be doing there.  If you are going to the Summit this year, there are a large number of sessions, speakers, and exhibitors for you to check out and learn from.  This stands alone from the thousands of attendees, all of whom have some level of privacy expertise and experience that you can learn from. Continue reading this post...

March 23, 2017

It’s just a leak
In recent weeks, leaks have been at the forefront of news.  This is mostly in a political spectrum, but it illustrates the importance of managing how information flows through an organization.  There have been examples other than those coming from the White House though. Being non-political in nature, they have different consequences and lessons to be learned. Continue reading this post...

Other Recent Posts