The admission updates a breach of the Steam database that was first announced by Valve in November. At that time, Valve founder Gabe Newell said that the company had no evidence “that encrypted credit card numbers or personally identifying information were taken by the intruders.” Steam has around 35 million customers.
Now, apparently, the company does have such evidence. "Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information", Newell said in statement.
Newell stressed that the company has no evidence that encrypted credit card numbers or billing addresses have been compromised.
Commenting on Newell’s announcement, Aydin Ucbasaran, UK sales director for SafeNet, said: “Valve have revealed that encrypted credit card data was stolen. The good news is that the credit card details were properly protected as required by PCI. But, that’s probably not good enough for rebuilding the reputation of the Steam service. Organizations need to go beyond simply complying with the basic PCI security requirements and ensure that they have systems in place that ensure the digital keys that protect that data are themselves doubly secure.”