Back to all blog posts

All Steamed Up

Earlier this month, Valve experienced an issue with data caching and what some call a data breach.  Valve is a gaming company famous for many titles, but also for their virtual storefront, Steam.  The short story is that Valve’s virtual storefront, known as Steam, had a glitch that allowed someone logged in to potentially see another user’s personal information.  The personal information included names, digital identities, emails, and possibly credit card information.  For a more complete summary, check out this video.

Some people are saying that this is not a data breach.  In fact, a lot of people on Twitter were on both sides of the argument, it was or was not a breach.  So I thought this would be a good time to explain when a data breach occurs and also find out why so little has been said by Valve.

Was This a Breach?

If you go online and look up “definition of data breach,” you get this explanation from

                “data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.”

That is pretty straight forward, but now we have to figure out what Personally Identifiable Information (PII) is.  The International Association of Privacy Professionals defines PII, otherwise referred to as Personal Information, as follows:

“Personal information can include name, age, gender, street address, email address, social security number (national identity number) and/or telephone number. This information can exist in many forms (electronic or hard document as two examples) and may be managed or stored according to one or more general classifications.”  (Information Privacy Official Reference for the Certified Information Privacy Professional, pg 7)

Legally, the definition of PII varies depending on the jurisdiction.  Steam is one of the biggest virtual storefronts for videogames and other software.  It is used by individuals around the globe.  Some things that are generally considered PII were exposed by Valve; full names, credit card numbers, and digital identities (like a username) are all considered PII in most jurisdictions.  Now, that is not to say every jurisdiction includes those items, but most do, and that means a breach, as legally defined, occurred in those areas.  This is probably why Valve has been so quiet on the matter, only saying they fixed the root cause.

Have a Better Game Plan

The first step in dealing with a data breach is to determine whether it actually happened.  Then you are supposed to close off the source of the breach or “stop the bleeding”.  After that communication is the key to successful breach handling; communication with customers, employees, law enforcement, regulators, company stakeholders, and the media to name a few.

Valve and their privacy team are most likely (hopefully?) looking at what they need to do next, determining what parties need to be contacted, if any.  The issue here is that they have been quiet on the matter.  A lack of information can set your customers (and law enforcement or regulators) on edge, especially when the customers are a technologically involved group like gamers.  Gamers are much more prone to checking online news outlets already, searching for game reviews or previews, and these same sites will carry news about the Steam situation.

Overall, this is still a very recent event.  Taking place right before Christmas, there is still some time to come before this case is closed completely.  If anything, the online reactions to this breach when compared to other recent breaches does illustrate how being open and honest can build trust with customers or how that trust may be tainted.

Privacy is about trust, and without it, your customers may become anxious about allowing you to handle their information.  Having a strong breach plan, knowing what information to share, and where and when to share it can keep your company on top in the event of a privacy event.