Gamers are ready to unleash their mightiest virtual weapons and point them at British games studio Cloud Imperium, after it sat on news of a data breach and then announced it without fanfare.
Readers have contacted The Register to point out that the company’s (CIG’s) sites have, in recent hours, included a meek popup “Service Alert” that advises “We are aware of an IT incident that impacts some of our users” and offers a link to this page that reveals the incident took place on January 21st when the company says it was “targeted by a systematic and sophisticated attack, resulting in unauthorised access to some backup systems, including limited access to users’ personal data.”
That went down like a cold bucket of sick to users
One of the readers who contacted The Register about the incident described the company’s tactics as “Notice duly published in a locked filing cabinet stuck in a disused lavatory.”
CIG claims it “acted quickly to contain the activity and block further access to this data and CIG systems, and we have refreshed security settings to ensure that there is no threat to our games or our users.”
Yet the next sentence of the statement says the company does not “consider the incident poses a risk to the safety of our users” because the data accessed “relates only to basic account details (i.e. metadata, contact details, username, date of birth, and name). No financial or payment information was stored in the affected systems and was not accessible. No passwords were impacted, and the access was read-only. No data-injection or modification occurred.”
That’s an optimistic response because contact details, names and dates of birth are all that’s needed to craft a convincing phishing campaign. Further, the vast quantity of stolen data available online means crooks can take info they swiped from CIG, add it to other troves, and build up more detailed pictures of individuals they might wish to target.
“We are closely monitoring the situation and our systems to ensure that no further incidents occur,” the statement adds. “We are also taking steps to assess and detect whether any data that was accessed is released publicly. At this stage, there are no indications of any such activity.”
The company concludes it is “sharing this update in the interests of transparency. However, we do not anticipate that this incident will have any impact on our users.”
Another tipster criticized CIG’s stance.
“Details compromised –but users expected not to worry because that’s ‘Basic’ information according to CIG/RSI. Yes, that went down like a cold bucket of sick to users.”
Commentors in the game’s forums are similarly unimpressed.
“WHERE IS THE EMAIL and FRONT PAGE NOTICE?” thunders the first comment in a thread on the matter.
“What upsets me, is the lack of communication, and after a !month!, you get a basically hidden message, that something happened,” wrote another player. Plenty of others have decided CIG has breached one law or another, and expect action.
CIG’s flagship product is a multiplayer game called “Star Citizen” that the outfit has worked on for years, fueled by crowdfunded contributions. The company says its community numbers in the millions, but hasn’t revealed how many were impacted by this incident.
The Register has asked the company to clarify the matter and will update this story if we receive a substantive response. ®