Steam goes public on data breach – but will it delay the launch of Skyrim?

Steam, the online empire of computer game behemoth Valve Corporation, has issued details of the hack it suffered last weekend:

Dear Steam Users and Steam Forum Users,

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

Ouch. As an Australian journalist just asked me, “Why does this keep happening on such a large scale?”

I took that as a rhetorical question. Online merchants keep violating our faith and trust in their security; we keep letting them do it. We want what they are offering so much, or care about security sufficiently little, that we aren’t voting with our wallets when they get owned. Simple as that.

Indeed, one of the FAQs on gaming site Kotaku asks:

Who cares about my credit cards and passwords. Will Skyrim still unlock tonight?

Skyrim is the fifth game in Bethesda Software’s popular Elder Scrolls series. You could download it in advance, but it’s locked until the first minute after midnight on 11 November 2011.

To unlock and play it you need to use Steam’s online services. So if Steam’s game servers had been taken offline as a breach precaution, Skyrim’s launch would have been delayed.

Good news. A gamer chum from Sydney reports that he unlocked it fine, just moments after midnight New South Wales time (UTC+11).

(He successfully played it, in his words, “just for a short while, to check that it worked OK.” In other words, until 3am.)

OK, so you can play Skyrim after all. But are there other things you can do in the light of Steam’s advisory?

There are, and here are some suggestions:

* Change your Steam password, just in case. If you were using a weak password before, take this opportunity to choose a decent one.

* Keep an eye on your credit card statement and report any unexpected transactions.

* Consider not storing your credit card data on Steam’s servers. You don’t have to. You can choose to enter it every time you need it instead.

* Consider enabling Steam Guard. If you do, Steam will email you every time you (or someone else) logs in from someone else’s computer.

* Send an email to Steam asking why they encrypted credit card data and passwords, but apparently not the rest of its users’ personally identifiable information.

In fact, send an email to every company with whom you do business online, and ask them how much of the data they hold about you is encrypted.

The PCI (payment card industry) compliance rules say they have to encrypt credit card data, so they probably do.

But ask what they’re doing with the rest of the stuff they hold about you.

In my experience, many companies which are PCI compliant have treated that compliance merely as a box to tick. They have taken the whole issue of PCI compliance as a security destination to be reached, rather than an excellent starting map for their security journey.

That’s a pity, and a wasted opportunity to make things better for everyone.

Community pressure has persuaded many businesses to improve their password-handling code, adding salting-and-hashing where they ignored it before.

So let’s make a noise about the use of encryption in general, and see if we can’t improve things out there in the ecommerce cloud!