Breach, Data Security

Judge throws out Steam breach lawsuit over lack of “harm”


A U.S. District Court judge in Washington state has dismissed a lawsuit against the owner of an online video game distribution network because the plaintiffs were unable to prove that they were harmed by a breach last year that exposed the personal information of up to 35 million people.

Led by Oliver Grigsby, the plaintiffs, who are users of a service known as Steam, sought to recover damages as a result of a Nov. 6, 2011 breach -- one of the largest of the year -- in which hackers accessed subscribers' credit and debit card information, billing addresses and usernames and passwords.

The plaintiffs alleged that Bellevue, Wash.-based Valve, which owns Steam, failed to adequately safeguard their  sensitive information. They argued that they should be awarded damages for both the possibility that fraud could occur as a result of the breach and also to make good on service and subscription issues that arose after the breach.

But federal Judge James Robart, sitting in Seattle, rejected both arguments, according to court documents.

"...[F]ederal courts routinely dismiss actions in which the only damages a plaintiff alleges are increased risk of identity theft and money spent monitoring credit and attempting to prevent identity theft,"  he wrote last week in his motion to dismiss. "In short, when personal information is compromised due to a security breach, there is no cognizable harm, absent actual fraud or identy theft."

He also denied allegations that the plaintiffs also suffered present harm, which they contended included a loss of data and an interruption of access to Steam's services. Robart ruled that the plaintiffs did not exhibit they met the necessary threshold to win these claims, saying they were were not specific enough.

"They say nothing about which services were interrupted, which subscriptions or gaming networks they were unable to access, what data they 'lost, how their data could have been 'lost' in this situation, or how they may have lost money subscribing to Stream, which is free," Robart said.

An attorney for the plaintiffs did not immediately return a telephone call seeking comment.

A teen hacker who uses the alias TehWongZ took credit for the breach a few days after it happened, according to a tweet.

He was arrested in December for launching a distributed denial-of-service attack against his school in the U.K. and defacing a Manchester, U.K. credit union, according to a leaked FBI conference call from earlier this year. He was the face behind CSLsec (Can't Stop Laughing Security), a supposed three-member offshoot of LulzSec, the official said.

"He's basically just doing all of this for attention and [he's] a bit of an idiot," a Scotland Yard rep said on the call.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.