For those of you who haven’t been following things (and you could be forgiven for having been busy on Boxing Day, much the way Valve could be forgiven), a technical hiccough has exposed the private information of some Steam customers.
This may not be 100% confirmed yet, but apparently Valve pushed an update to the caching in front of its store pages that didn’t work as intended: pages rendered for one signed-in user were served to others, exposing other people’s emails, their usernames, their Steam wallet balances (think prepaid cash balance, although it can also be the proceeds from selling digital goods such as Steam trading cards) and the last two digits of their credit cards. We don’t know the exact timeframe, but potentially anyone who accessed a Steam store page during that window and saw someone else’s details has had their own details exposed in the same way. Fortunately, nobody had the ability to charge anyone else’s account during that time, as far as I know.
This exposure occurred for roughly an hour, after which Valve managed to get someone on-site and shut down external access to the problematic pages until they could rectify the breach. (Store pages are accessible again with no adverse consequences as of my drafting of this post.) This is a relatively impressive turnaround for a public holiday and is to be commended, not attacked. Only the most essential services should need real staff on public holidays, and Steam is not an essential service.
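To make the failure mode concrete, here is a constructed illustration (added here; it is not Valve’s code or configuration, and the accounts, cookies and paths in it are made up). A shared cache that keys only on the URL and ignores the origin’s Cache-Control and Vary headers hands the first visitor’s personalised page to everyone who requests the same URL after them, which is exactly the kind of leak described above. The second cache refuses to store responses marked `private`/`no-store` and keys shared entries on every request header the origin lists in Vary, so the same request sequence leaks nothing.

```python
"""
Constructed illustration, not Valve's code or configuration: a shared cache in
front of a personalised page hands the first visitor's page to everyone who
follows, while a cache that honours Cache-Control and Vary does not.
"""
from dataclasses import dataclass, field

# Constructed sample accounts keyed by session cookie; all values are made up.
ACCOUNTS = {
    "sess-alice": {"user": "alice", "email": "alice@example.com", "wallet": "12.50", "card": "42"},
    "sess-bob":   {"user": "bob",   "email": "bob@example.com",   "wallet": "0.00",  "card": "17"},
}


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def origin(path, cookie):
    """Origin server: renders the page for whoever the session cookie identifies."""
    if path == "/account":
        acct = ACCOUNTS.get(cookie)
        if acct is None:
            return Response("please sign in", {"Cache-Control": "no-store"})
        body = (f"{acct['user']} {acct['email']} "
                f"wallet={acct['wallet']} card=**{acct['card']}")
        # Per-user content: the origin marks it private and not storable.
        return Response(body, {"Cache-Control": "private, no-store", "Vary": "Cookie"})
    # Anonymous catalogue page: safe to share between users.
    return Response(f"catalogue {path}", {"Cache-Control": "public, max-age=600"})


class NaiveCache:
    """The bug: keys on path only and ignores the origin's cache headers."""

    def __init__(self):
        self.store = {}

    def get(self, path, cookie):
        if path not in self.store:
            # Whoever asks first gets their page stored under the bare path...
            self.store[path] = origin(path, cookie)
        # ...and every later visitor to that path receives it, cookie ignored.
        return self.store[path]


def _directives(resp):
    """Cache-Control directive names, lower-cased, e.g. {'private', 'no-store'}."""
    raw = resp.headers.get("Cache-Control", "")
    return {d.strip().split("=", 1)[0].lower() for d in raw.split(",") if d.strip()}


class HeaderAwareCache:
    """The fix: never store private/no-store responses, and key shared entries
    on every request header the origin lists in Vary (one variant per key)."""

    def __init__(self):
        self.store = {}  # path -> list of (vary_key, Response)

    @staticmethod
    def _vary_key(resp, request_headers):
        names = [n.strip().lower() for n in resp.headers.get("Vary", "").split(",") if n.strip()]
        return tuple(request_headers.get(n) for n in names)

    def get(self, path, cookie):
        request_headers = {"cookie": cookie}
        # Serve a stored variant only if the Vary'd request headers match.
        for stored_key, resp in self.store.get(path, []):
            if stored_key == self._vary_key(resp, request_headers):
                return resp
        resp = origin(path, cookie)
        # Responses the origin marks private or no-store are never stored.
        if not _directives(resp) & {"private", "no-store"}:
            key = self._vary_key(resp, request_headers)
            self.store.setdefault(path, []).append((key, resp))
        return resp


if __name__ == "__main__":
    naive, fixed = NaiveCache(), HeaderAwareCache()
    for cache in (naive, fixed):
        cache.get("/account", "sess-alice")
        print(type(cache).__name__, "serves bob:", cache.get("/account", "sess-bob").body)
```

Running it shows `NaiveCache` serving Alice’s email, wallet balance and card digits to Bob, while `HeaderAwareCache` serves Bob his own page and still caches the anonymous catalogue page for both of them. The origin’s `private, no-store` marking is what protects the account page; a deployment that adds a shared cache without checking that the origin sends those headers on every personalised response has the same bug regardless of which cache product sits in front.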
As a former employee of an organisation that has struggled with both public perceptions and privacy breaches, I can tell you that there are some basic steps that need to be taken as soon as Valve can get people back into work:
- Firstly, own up publicly to what information was exposed, apologise to all customers, even those unaffected, and offer to allow people to close their accounts and have their personal information deleted. The first part of this is the basic necessity. You HAVE to apologise if you’ve screwed up, full stop. It also helps if no excuses are made until after the unreserved apology is delivered. But allowing people to express their distrust in you by leaving your service, and deleting their information if they do so, shows you really mean your apology and are accepting the consequences of your mistake.
- If possible, generate a list of customers whose accounts were accessed during the timeframe in which the breach occurred, and email all of them a warning that their privacy may have been breached. Valve should also recommend that they be alert to potential phishing attempts, take any necessary steps to ensure their credit card remains secure, and change their Steam passwords and any other passwords that match their Steam passwords. While in the short term actively notifying people of the breach who haven’t learned of it might seem like bad PR, in the medium and long term it means customers know that Valve is willing to be accountable when mistakes are made, and that it will place its customers’ needs ahead of its own PR.
- Valve should put ALL employees through privacy training immediately, so they are aware of the consequences of, for instance, accidentally disclosing an email address or a partial credit card number. This is both a practical requirement (Valve will be under extra scrutiny now, and human security breaches will be much more serious) and a PR one.
- Valve should take immediate policy steps to ensure this same breach cannot occur again. For instance, they may want to institute a policy that no software patches or website changes that could impact security or privacy are to be pushed near holidays.
- In the medium term, Valve needs to upgrade its privacy security policies and systems. Valve serves some of its private information directly over plain, unencrypted HTTP; this needs to stop. If Valve wants to offer Steam pages over the web, it should serve any page that carries private information over an encrypted connection, or it should only serve account information through its client over an encrypted channel, or on separate, secured pages (similar to how purchases are currently handled). The worst privacy breach that should be possible with properly secured software is that someone unintended views your account name. There are also some really basic information security steps that can be taken, such as:
  - turning off auto-complete for external addresses in all email clients,
  - stocktaking access to private and/or confidential information and ensuring all access granted is necessary or authorised, practical, and secure,
  - disabling insecure methods of file-sharing, such as email attachments, unless a second employee authorises them,
  - implementing quality-checking on any existing and new safeguards, at least in the short term.
- In the longer term, ensure customer data is secure from external access and attackers, and properly anonymised or masked for internal employees.
Valve has a lot of work to do. Much of this work is better done before any privacy issues occur, but they’re in for a lot of learning about why prevention is better than cure. I’m pretty sorry for all of the employees who weren’t responsible but are about to be affected.