Like a lot of people in the gaming world, I got an interesting email from Gabe Newell last week.
The Steam hacking incident of last November, he said, was worse than they initially thought it was.
And while there still was no direct evidence that credit card
information had been accessed, a backup file containing that information
(albeit encrypted) was obtained by the person or persons who had broken
into the system.
It was disquieting information delivered in an oddly comforting manner –
and while the service has 40 million user accounts under its control,
there wasn't a lot of outrage in the forums and throughout the online
world. It was a curious juxtaposition to what Sony had faced just a year
prior.
During that hack, of course, the level of hostility aimed at Sony was
staggering. Players and the media hit the company for its lack of
transparency and seemingly unapologetic attitude toward the attack.
Large scale game hacking was, after all, a brave new world – and one
that no one was really prepared for (something that seems absurd in
retrospect).
Was Valve's reaction to its hacking problem truly better than Sony's? Or were there other factors at play?
The answer, I think, is both. It's hard to find anyone who will defend
Sony's handling of the hacking incident – including inside the office of
that company. But Sony's missteps and stumbles helped other developers
and publisher learn what to avoid. And no one learned better than Valve.
When the Steam database was breached, Valve's Gabe Newell sent an IM to
users alerting them to the incident, explaining the situation (and what
the company was doing) and quickly apologized. That note came four days
after hackers hit the company's forums – the first sign of trouble.
Sony, meanwhile, waited six days before giving any real visibility into
the severity of the situation – though it did acknowledge the outage and
let people know it was looking into things almost immediately. That's
not a significantly longer time period, but the company was quickly put
on the defensive.
The first formal apology from a Sony official didn't come for another
five days, when Kaz Hirai held a press conference in Japan.
Like Valve, all of the bad news didn't hit at once. It consecutively got
worse. Just as users were absorbing the PSN and Qriocity music service
hits, it was discovered that Sony Online Entertainment was also hit. And
then the copycat attacks started coming, this time at Sony Pictures. It
was a perfect storm of bad news brought on by hackers looking to latch
on to the media blitz.
Valve, hopefully, has reached the end of its road as far as bad news
goes. But the fact that it took three months to discover the extent of
the breach and notify users was interesting, especially for the lack of
reaction.
Valve, of course, encountered its hacking problems with a few
advantages. Sony, as a multinational, multi-billion dollar company, had
to overcome a reputation of a big, faceless empire. Valve has always
maintained a relationship with the community – and ensured its place as a
gamer favorite when it reached out to them for help when the Half-Life 2
source code was stolen. Newell has also maintained a direct
relationship with is customers – emailing back and forth with them
regularly.
This goodwill undoubtedly helped the company when dealing with the
fallout of this incident – as did studying the moves of those hit by
hackers before it. While Steam's messaging was certainly better worded
than Sony's, its timeliness was roughly the same.
But ultimately, I think gamers have gotten over the hysteria of hacker
attacks. Rather than obsessing over identity theft or stolen credit card
numbers, they now know to put an alert on their credit reports and that
they won't be liable for any charges made if, in fact, those card
numbers are stolen.
What was so unthinkable a year ago is now commonplace – an annoyance
that's worth keeping an eye on, but not worth panicking over.
But how a company handles that is just as important. And you can bet
your bottom dollar that EA, Microsoft and any other company that handles
credit card data from customers, is taking note on how Valve has
successfully negotiated these waters.