Privacy Ref Blog

All Steamed Up

Earlier this month, Valve experienced an issue with data caching and what some call a data breach.  Valve is a gaming company famous for many titles, but also for their virtual storefront, Steam.  The short story is that Valve’s virtual storefront, known as Steam, had a glitch that allowed someone logged in to potentially see another user’s personal information.  The personal information included names, digital identities, emails, and possibly credit card information.  For a more complete summary, check out this video.

Some people are saying that this is not a data breach.  In fact, a lot of people on Twitter were on both sides of the argument, it was or was not a breach.  So I thought this would be a good time to explain when a data breach occurs and also find out why so little has been said by Valve.

Was This a Breach?

If you go online and look up “definition of data breach,” you get this explanation from

                “data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.”

That is pretty straight forward, but now we have to figure out what Personally Identifiable Information (PII) is.  The International Association of Privacy Professionals defines PII, otherwise referred to as Personal Information, as follows:

“Personal information can include name, age, gender, street address, email address, social security number (national identity number) and/or telephone number. This information can exist in many forms (electronic or hard document as two examples) and may be managed or stored according to one or more general classifications.”  (Information Privacy Official Reference for the Certified Information Privacy Professional, pg 7)

Legally, the definition of PII varies depending on the jurisdiction.  Steam is one of the biggest virtual storefronts for videogames and other software.  It is used by individuals around the globe.  Some things that are generally considered PII were exposed by Valve; full names, credit card numbers, and digital identities (like a username) are all considered PII in most jurisdictions.  Now, that is not to say every jurisdiction includes those items, but most do, and that means a breach, as legally defined, occurred in those areas.  This is probably why Valve has been so quiet on the matter, only saying they fixed the root cause.

Have a Better Game Plan

The first step in dealing with a data breach is to determine whether it actually happened.  Then you are supposed to close off the source of the breach or “stop the bleeding”.  After that communication is the key to successful breach handling; communication with customers, employees, law enforcement, regulators, company stakeholders, and the media to name a few.

Valve and their privacy team are most likely (hopefully?) looking at what they need to do next, determining what parties need to be contacted, if any.  The issue here is that they have been quiet on the matter.  A lack of information can set your customers (and law enforcement or regulators) on edge, especially when the customers are a technologically involved group like gamers.  Gamers are much more prone to checking online news outlets already, searching for game reviews or previews, and these same sites will carry news about the Steam situation.

Overall, this is still a very recent event.  Taking place right before Christmas, there is still some time to come before this case is closed completely.  If anything, the online reactions to this breach when compared to other recent breaches does illustrate how being open and honest can build trust with customers or how that trust may be tainted.

Privacy is about trust, and without it, your customers may become anxious about allowing you to handle their information.  Having a strong breach plan, knowing what information to share, and where and when to share it can keep your company on top in the event of a privacy event.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at

Posted on January 4, 2016 by Ben Siegel

« »

No Responses

Comments are closed.

« »

Subscribe to our mailing list

Please fill out the form below.


Want to find out more?

Simply go to the contact page, fill out the form, and someone from Privacy Ref will be in touch with you. You can also send an email to or call (888) 470-1528.


April 16, 2018

IAPP Training Classes
Privacy Ref is proud to announce that we are an official training partner of the IAPP. You now have the opportunity to learn from one of our knowledgeable privacy professionals using the most respected training content in the industry. The robust interactive training offered, aids in the understanding of critical privacy concepts. The contents of the courses are integral to obtaining your privacy certifications and to educate your new team. Learn more here.

Latest Blog Posts

June 4, 2018

My First Taste of GDPR
It is no secret that I am, for lack of a better term, a nerd. I am also a Privacy Consultant here at Privacy Ref, so I usually pride myself on knowing about privacy goings on in the world. However, for the first time I was bamboozled by changes to a privacy policy. Continue reading this post...

April 30, 2018

Defining GDPR for Non-Privacy People
During the IAPP’s most recent Privacy Summit, I was approached with an interesting question. “I am a privacy professional and I know why GDPR is important. I know about the fines and requirements for compliance, but few others at my company do. How do I explain GDPR to my colleagues effectively?” I responded with a quick and simple answer that probably did not cover all the bases, so I wanted to write up some deeper thoughts on the subject. Continue reading this post...

Other Recent Posts