Privacy Ref Blog

Fallout from a Fallout

A data breach often reveals other issues that a business is experiencing, but it isn’t every day I see the opposite. When I heard about what was happening at Bethesda Softworks and their online game, I was interested immediately.

The background on this is simple enough. Bethesda is a well-known video game maker with a number of well-known titles. Fallout 76 was the newest title in one of their series but, unlike previous titles, it was an online game. Many were excited for this title, and there were special editions of the game offered to those willing to spend extra. The game launched with a large number of bugs and glitches, and a number of issues followed.

First, the collector’s editions came with a few items, most notably a canvas bag. Many were disappointed that the bag was not actually made of canvas and was instead more of a synthetic material. People began demanding refunds. This is where the issues got worse. A site was set up to process the refund requests; however, an issue arose when providing receipts to these customers. Individuals were getting the information of other customers, including names, emails, and partial credit card information. But it got worse.

It turned out that individuals were actually able to access and edit the existing tickets of any person who had submitted one. That means that if someone really wanted to, they could close out every ticket and “resolve” them. No bad actors were found to have done this, and there was no hacking or other illicit activity. This all happened because of hasty setup and a lack of review by Bethesda.

The real moral here is that handling a breach, or any incident, is just as important as preventing such a scenario. Bethesda had an incident with the initial response and requests for refunds. It was bad, but had it been handled well, it would have been a footnote in the otherwise poor launch of their game. However, the mishandling of the refunds, and by extension the inadvertent release of their customers’ data, made it that much worse. A good response may net little, but a poor response can make things exponentially worse.


Posted on May 16, 2019 by Ben Siegel
