Is this how you allay customer anxiety — by drizzling information about your service’s security problems?
Valve’s Steam gaming service forums were hacked in early November, but the company didn’t admit as much until Nov. 10, four days after the hack occurred. They initially said the forums were offline for “maintenance.”
The admission note read in part: “We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked.” The company said it was still investigating, after which it went radio silent. The Steam forums came back on November 11, a day later.
Jump forward three months to now: Valve’s finally issued an information update, admitting the hack was in fact more serious than thought.
In this new update — delivered last Friday night, after the closing bell — Valve CEO Gabe Newell wrote that the company has still “found no evidence that the intruders took information from [the Steam] database,” but that it “recently … learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008,” and that the backup file contained “user names, email addresses, encrypted billing addresses and encrypted credit card information.” (The one upside: It reportedly didn’t include Steam passwords.)
Valve says it has yet to hear of user credit card numbers or billing addresses used illicitly, but advises users keep an eye on their accounts, as well as use “Steam Guard,” the company’s authentication/challenge mechanism for logging in a new computer.
While it’d be foolish to blame Valve for being hacked, it’s hard to imagine a company taking three months to determine that the “intruders” pilfered an extremely sensitive file (backup or otherwise). That’s a 90 day lag between the hack event and the point at which customers are being implicitly advised to take action, e.g. cancel and reissue any cards associated with Valve’s Steam service (I would, and will). Even Sony was more forthcoming (and sooner) about its far more serious PlayStation Network breach last April.
If companies want our trust, keeping us better apprised about data theft is essential. Saying nothing for three months, then admitting a breach was worse than thought (or, for that matter, taking a full three months just to figure that out), makes me less inclined to use such a service.