Judge throws out Steam breach lawsuit over lack of "harm"

[Jake Kouns <jkouns () opensecurityfoundation org>]

http://www.scmagazine.com/judge-throws-out-steam-breach-lawsuit-over-lack-of-harm/article/268995/

A U.S. District Court judge in Washington state has dismissed a
lawsuit against the owner of an online video game distribution network
because the plaintiffs were unable to prove that they were harmed by a
breach last year that exposed the personal information of up to 35
million people.

Led by Oliver Grigsby, the plaintiffs, who are users of a service
known as Steam, sought to recover damages as a result of a Nov. 6,
2011 breach -- one of the largest of the year -- in which hackers
accessed subscribers' credit and debit card information, billing
addresses and usernames and passwords.

The plaintiffs alleged that Bellevue, Wash.-based Valve, which owns
Steam, failed to adequately safeguard their  sensitive information.
They argued that they should be awarded damages for both the
possibility that fraud could occur as a result of the breach and also
to make good on service and subscription issues that arose after the
breach.

But federal Judge James Robart, sitting in Seattle, rejected both
arguments, according to court documents.

"...[F]ederal courts routinely dismiss actions in which the only
damages a plaintiff alleges are increased risk of identity theft and
money spent monitoring credit and attempting to prevent identity
theft,"  he wrote last week in his motion to dismiss. "In short, when
personal information is compromised due to a security breach, there is
no cognizable harm, absent actual fraud or identy theft."

He also denied allegations that the plaintiffs also suffered present
harm, which they contended included a loss of data and an interruption
of access to Steam's services. Robart ruled that the plaintiffs did
not exhibit they met the necessary threshold to win these claims,
saying they were were not specific enough.

"They say nothing about which services were interrupted, which
subscriptions or gaming networks they were unable to access, what data
they 'lost, how their data could have been 'lost' in this situation,
or how they may have lost money subscribing to Stream, which is free,"
Robart said.

An attorney for the plaintiffs did not immediately return a telephone
call seeking comment.

A teen hacker who uses the alias TehWongZ took credit for the breach a
few days after it happened, according to a tweet.

He was arrested in December for launching a distributed
denial-of-service attack against his school in the U.K. and defacing a
Manchester, U.K. credit union, according to a leaked FBI conference
call from earlier this year. He was the face behind CSLsec (Can't Stop
Laughing Security), a supposed three-member offshoot of LulzSec, the
official said.

"He's basically just doing all of this for attention and [he's] a bit
of an idiot," a Scotland Yard rep said on the call.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.