Introduction
Today, the online gaming world woke to alarming news: personal data from 89 million Steam accounts has reportedly been exposed in a data breach. Early reports indicate this was not a direct breach of Steam itself; a third-party vendor within its supply chain appears to be the source. The compromised data is allegedly now on sale on the dark web for just $5,000.
This breach underscores a growing threat that organisations must take seriously: third-party vendor risk. In many high-profile data breaches, it’s not the primary company that is hacked, but a supplier or service provider that has access to personal data.
The Supply Chain: A Soft Underbelly for Threat Actors
Threat actors often target third-party vendors because they are perceived as the weakest link. A supplier frequently holds the same personal data as the platform it serves, but with less mature security practices, fewer staff and older systems, which makes it the cheaper target. Once inside, cybercriminals can harvest vast quantities of personal data without ever having to breach the main platform.
In the case of Steam, a vendor’s vulnerability has potentially jeopardised millions of loyal users. For data controllers and processors alike, this is a harsh reminder: your data protection is only as strong as the weakest link in your vendor ecosystem.
Vendor Due Diligence: An Ongoing Obligation
It’s not enough to carry out a vendor assessment at the point of onboarding. Due diligence must be treated as an ongoing process. Global data protection regulations—from GDPR to India’s DPDP Act—require data controllers to ensure that their processors (and sub-processors) meet legal and security obligations.
A robust third-party management programme should include:
- Initial due diligence checks before contract signing
- Annual assessments of processors and sub-processors
- Review of security certifications and data handling practices
- Vendor questionnaires updated annually
- Detailed documentation of risk-based decisions
Where the risk level is high, data controllers should carry out a Data Protection Impact Assessment (DPIA) for the processing, with the processor's assistance (which GDPR Article 28 obliges processors to provide), and should consider an onsite audit of the vendor.
Contracts: More Than Just Legal Formalities
Contracts with processors and sub-processors are your frontline defence in the event of a breach. But are your current agreements up to scratch?
Controllers must ensure contracts include all mandatory clauses under applicable data privacy laws. These clauses should clearly define roles, responsibilities, data access controls, breach notification timelines, and indemnification terms.
In today’s AI-driven world, it’s also critical to include AI-specific clauses in both the master service agreements and data processing agreements. If your vendor uses AI to process personal data, your contract should cover algorithmic decision-making, bias mitigation, and transparency obligations.
2FA: Convenience or Catastrophe?
While third-party due diligence is critical, another pressing issue has emerged from this breach: the patchy adoption of two-factor authentication (2FA) across online gaming platforms, and the weakness of the 2FA methods that are used.
Many publishers still resist implementing 2FA, fearing it might deter users by adding friction to the login process. But what about the friction caused by stolen accounts, hijacked identities, and the permanent loss of in-game currency and digital assets?
Gamers spend years building up their accounts, reputations, and virtual economies. Without 2FA, a leaked password is all an attacker needs: stolen credentials are replayed at scale in credential-stuffing attacks, and every account without a second factor falls. The resulting damage to brand trust, user retention, and support costs can be devastating.
Even where 2FA is used, the method matters. SMS-based 2FA is particularly vulnerable to SIM swapping, phishing, and interception attacks. Attackers can exploit mobile network weaknesses to gain access to SMS codes, effectively bypassing this second layer of protection. SMS codes also pass through the SMS delivery vendor on their way to the user, so the one-time code itself becomes yet another piece of data sitting in a third party's systems. App-based authenticators (time-based one-time passwords, TOTP) generate the code on the user's device from a shared secret and the clock, so there is no code in transit to intercept; they can still be phished in real time by a fake login page, however. Hardware security keys using FIDO2/WebAuthn bind the login to the genuine site's origin and so resist phishing as well. For platforms serious about security, these are the alternatives to offer, with SMS kept only as a fallback.
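To make the difference concrete, the following is an added example (not Steam's or any vendor's code) of how a platform verifies an app-based code server-side. It implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library only, accepts one 30-second step of clock drift either side, compares in constant time, and rejects a code that has already been accepted so a captured code cannot be replayed. The base32 secret and the timestamps are constructed for illustration; the 20-byte secret "12345678901234567890" and the code values are the test vectors published in RFC 4226 and RFC 6238.

```python
"""Server-side TOTP verification (RFC 6238 over RFC 4226 HOTP).

Added example, not code from the original post or from any platform or vendor.
The code is derived on both sides from a shared secret and the clock, so unlike
an SMS code it never travels over the mobile network or through a delivery vendor.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30      # time step in seconds (RFC 6238 default)
DIGITS = 6     # what authenticator apps display by default
WINDOW = 1     # accept one step of clock drift on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the number of whole steps since the epoch."""
    return hotp(secret, int(at) // step, digits)


class TotpVerifier:
    """Per-account verifier: tolerates small clock drift and refuses replayed codes."""

    def __init__(self, secret_b32: str):
        # Authenticator apps are provisioned with a base32 secret (otpauth:// URI);
        # pad it back to a multiple of 8 characters before decoding.
        padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
        self.secret = base64.b32decode(padded)
        self.last_counter = -1  # highest time step already consumed by a successful login

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        current = int(now) // STEP
        for counter in range(current - WINDOW, current + WINDOW + 1):
            if counter <= self.last_counter:
                continue  # this step was already used: treat a second use as a replay
            # Constant-time compare so response timing does not leak matching digits.
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


# Constructed demo values: the RFC 4226/6238 test secret, base32-encoded.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def demo() -> dict:
    """Walk through accept, drift and replay for one account at a fixed clock (t = 59 s)."""
    v = TotpVerifier(DEMO_SECRET_B32)
    accepted = v.verify(totp(v.secret, 59), now=59)        # genuine code for step 1
    replayed = v.verify(totp(v.secret, 59), now=59)        # same code again: rejected
    drifted = v.verify(hotp(v.secret, 2), now=59)          # device clock one step ahead
    stale = v.verify(hotp(v.secret, 0), now=59)            # older step: rejected
    wrong = v.verify("000000", now=59)
    return {"accepted": accepted, "replayed": replayed, "drifted": drifted,
            "stale": stale, "wrong": wrong}


if __name__ == "__main__":
    print(demo())
```

The replay check is the part most home-grown implementations miss: without it, an attacker who phishes or shoulder-surfs a code has the full 30-second step (plus the drift window) to reuse it. Note that it only protects against reuse; a code phished and relayed immediately still works, which is why hardware keys are the stronger option for high-value accounts.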
Online game publishers must stop viewing strong authentication as a user experience obstacle. Instead, they should see it as a necessary safeguard to protect loyal users from the growing wave of credential-based attacks.
No Silver Bullet—but Plenty of Strategy
There is no single solution to prevent third-party breaches. However, organisations can significantly reduce their risk by:
- Implementing multi-layered vendor due diligence processes
- Including comprehensive legal protections in contracts
- Conducting annual compliance reviews and audits
- Enforcing 2FA across all user accounts
- Ensuring AI usage is governed by clear contractual and operational guidelines
The cost of getting it wrong is no longer theoretical. It’s here, and it’s hitting companies where it hurts most—their customers and their reputations.
Conclusion: Don’t Gamble with Your Data
The Steam-related breach is a wake-up call. Whether you’re a gaming platform, a fintech firm, or a healthcare provider, your brand and customer data are only as secure as your most vulnerable vendor.
Formiti helps organisations stay ahead of these risks. Our Outsourced Data Protection Officer (DPO) Service provides expert guidance and proactive governance across your data ecosystem. In addition, our RapidRedline Contract Review Service ensures your vendor agreements meet the highest standards of data protection compliance—fast.
With Formiti, you gain more than compliance. You gain peace of mind, knowing your data protection strategy is future-ready.