Gamers are expressing outrage after Cloud Imperium Games (CIG), the British studio behind the long-in-development space simulation game Star Citizen, revealed a data breach more than six weeks after it occurred. The company disclosed the incident via a minimally-prominent “Service Alert” popup on its websites, prompting criticism for a lack of transparency and a delayed notification.
The breach, which CIG states took place on January 21st, involved “unauthorised access to some backup systems, including limited access to users’ personal data.” According to the company’s statement, the compromised data included “basic account details (i.e. Metadata, contact details, username, date of birth and name).” CIG asserts that no financial or payment information, passwords, or data modification occurred during the incident.
However, security experts warn that even seemingly “basic” information can be exploited. Contact details, names, and dates of birth are sufficient to launch targeted phishing attacks, and when combined with data from other breaches, can create detailed profiles of individuals.
The delayed and understated nature of the announcement has drawn sharp criticism from the Star Citizen community. One reader contacted The Register, describing CIG’s approach as akin to “publishing a notice in a locked filing cabinet stuck in a disused lavatory.” Comments on the game’s official forums echoed this sentiment, with players questioning the lack of proactive communication and the six-week delay in disclosure. “WHERE IS THE EMAIL and FRONT PAGE NOTICE?” one user posted in a forum thread dedicated to the breach.
CIG maintains it “acted quickly to contain the activity and block further access to this data and CIG systems, and we have refreshed security settings to ensure that there is no threat to our games or our users.” The company also stated it is “closely monitoring the situation and our systems” and assessing whether any data has been publicly released, adding that, at this stage, there are “no indications of any such activity.”
The company, which relies heavily on crowdfunding for the development of Star Citizen, has not disclosed the number of users affected by the breach. Star Citizen boasts a community numbering in the millions, but the scope of the compromised data remains unclear.
The Register has reached out to Cloud Imperium Games for further clarification and a response to the criticism regarding the handling of the data breach. As of this writing, the company has not provided a substantive response.
