The Steam Christmas breach: more details and a call to action

Valve Corporation, which runs the Steam gaming universe, has finally apologised for and released details of its major personal data breach on 25 December 2015. A long and detailed statement is quoted on databreaches.net.

This was a very large leak of personal data, which Valve believes disclosed details of about 34,000 users of Steam services. The information which leaked included plenty of sensitive data, such as billing address, the last four digits of their phone number, purchase history, and email address. No credit card details were leaked, apart from the last two digits of the card number, nor were account passwords disclosed.

Valve says that it is contacting all those individuals who may be affected by this.

My previous recommendation to change your Steam password, while wise at the time, will do nothing to improve your account security if you were affected: the leak has already happened and been stopped, and nothing can now reverse or undo it.

According to Valve, what happened was that Steam came under a denial-of-service attack, as is common. As a result of that attack, traffic to the Steam services increased twenty-fold above what was already a busy time. Part of Steam’s normal response to such attacks is to change the rules used for caching, so as to maintain its service as well as possible during the attack. This is normally carried out by a business partner, which manages Steam’s caching.

On this occasion, an incorrect caching configuration was deployed, which for a period of about 90 minutes served incorrect cached pages to some users. If a Steam user happened to try to access their own account during this period, the page they received could be the cached account page of another user.
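The failure mode described above, a cache in front of a personalised page that is keyed on the URL alone, can be reproduced in a few lines. The following is an added illustration, not Valve's or its caching partner's actual configuration (the statement does not say what the faulty rule was); the session names, page contents and the two rule switches are constructed for the example. It shows the effect of a rule that ignores the origin's `Cache-Control: private, no-store` and does not vary the cache key by session, alongside the rule a defender would want.

```python
# Added example (not Valve's or its caching partner's real configuration):
# a toy edge cache in front of an origin that renders a per-user account page.
# Shows how a rule that keys on the path alone hands one user's page to
# another, and what obeying Cache-Control and varying on the session does.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample data: what the origin renders for each logged-in session.
ACCOUNT_PAGES: Dict[str, str] = {
    "sess-alice": "Alice: billing address 1 Example St, card ending 42",
    "sess-bob": "Bob: billing address 2 Sample Ave, card ending 17",
}


def origin(path: str, session: str) -> Tuple[str, str]:
    """Origin server: returns (body, Cache-Control header) for a request.

    The account page is marked private/no-store; the storefront is public.
    """
    if path == "/account":
        return ACCOUNT_PAGES[session], "private, no-store"
    return "public storefront", "public, max-age=60"


@dataclass
class EdgeCache:
    """Minimal caching proxy with two hypothetical rule switches.

    honour_cache_control: obey the origin's private / no-store directives.
    vary_on_session: include the session in the cache key (what `Vary: Cookie`
    achieves in a real cache) instead of keying on the path alone.
    """
    honour_cache_control: bool
    vary_on_session: bool
    store: Dict[Tuple[str, Optional[str]], str] = field(default_factory=dict)

    def get(self, path: str, session: str) -> Tuple[str, str]:
        """Serve a request from cache if present, else fetch and maybe store."""
        key = (path, session if self.vary_on_session else None)
        if key in self.store:
            return self.store[key], "HIT"
        body, cache_control = origin(path, session)
        uncacheable = "private" in cache_control or "no-store" in cache_control
        if not (self.honour_cache_control and uncacheable):
            self.store[key] = body
        return body, "MISS"


def cross_user_leak(cache: EdgeCache) -> bool:
    """Alice loads her account page, then Bob loads his.

    Returns True if Bob is served a body that is not his own page.
    """
    cache.get("/account", "sess-alice")
    body, _ = cache.get("/account", "sess-bob")
    return body != ACCOUNT_PAGES["sess-bob"]


if __name__ == "__main__":
    # "Emergency" rule: cache everything by path, ignore origin directives.
    print("path-only rule leaks across users:",
          cross_user_leak(EdgeCache(honour_cache_control=False, vary_on_session=False)))
    # Rule that obeys Cache-Control and keys per session.
    print("hardened rule leaks across users:",
          cross_user_leak(EdgeCache(honour_cache_control=True, vary_on_session=True)))
```

Two points the toy makes: honouring the origin's `private`/`no-store` directive alone is enough to stop the cross-user leak when the origin labels its pages correctly, and varying the key by session stops it even when the directive is ignored, but at the cost of storing the sensitive pages at the edge. A cache-rule change made under pressure during an attack is exactly the kind of deployment that should be gated by a check like `cross_user_leak` before it goes live.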

Only when Valve became aware of this error did it shut down the Steam service, and the fault was then rectified before the service was restored.

Despite assurances at the time that this was not the result of an attack on the Steam service, it is now clear that this was not entirely correct: had the DoS attack not been taking place, no change in caching would have been made.

My previous comments about the single point of failure are therefore vindicated: any public service on the Internet which is capable of releasing such large amounts of personal data when a single misconfiguration occurs must be questioned. If one switch can release such data, the design of the system does not appear fit for the purpose of protecting the privacy of the information which it contains.

I do not know whether US users of Steam have any course of action other than a civil legal claim.

Unlike in the Ashley Madison case, Valve Corporation does operate a European subsidiary, which is based in Luxembourg. Under EU data protection law, if the personal data of any EU citizens were leaked in this incident – which appears almost certain – then Valve’s Luxembourg subsidiary should be legally obliged to report the incident as a matter of urgency to the data protection authority in Luxembourg, the CNPD.

If you are an EU citizen whose personal data were leaked by Valve on Christmas day, you should contact CNPD in Luxembourg, or your own state data protection authority (in the UK, through the ICO), and ask them whether this major data breach has been reported and is being investigated. Unless, of course, you are happy for Steam to leak your personal data whenever someone happens to misconfigure its caching.