I've read that, and it still doesn't answer my questions. A singular, poorly worded email, is that all you're going to do?
Are you going to comply with California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a) as required by law?
Why is this NOT on the front page?
Why is the title of this thread so misleading? And it HAS been stated at least once in the thread that someone thought it was for routine issues, not the result of a hacking.
These are things we should have answers for, and you should be doing. Bad things can happen to folks because of this, and to be honest, you're treating it like it's a ho-hum event, at least to this customer.
You're asking legal questions that Brandon is neither qualified to answer nor should he. Keep in mind, he is not in the company legal department. What he can do, and probably has done, is forward your request to the legal counsel and they can determine whether a response to the user base is warranted in the fashion you're requesting.
I'm not saying the customers don't deserve answers by any means. I am, however, saying don't shoot the messenger.
You're right, you can't defend the indefensible. BranFlakes, thanks for telling us; better late than never.
Brandon may very well be the reason why some people remain loyal...
There are many, many here that know him IRL. Many that knew him before he was community manager here. And many that know him from "other places." His extraordinary virtues bleed well into his performance! I find it amazing that he is willing to volunteer his integrity to help clot PWEs hemorrhaging credibility.
OK, let's see if I understand this... I just tried to sign into STO and it says password and username invalid, so I have to do the whole forgot-password thing... So this means my account was one of those compromised a year and a half ago by a hack... Is this what Cryptic are saying??
Or are they saying some passwords have been reset due to maintenance and my account was not subject to any type of hack??
He doesn't need to be a legal rep to know if they are or are not going to comply with the law. It isn't optional for them; it's a REQUIREMENT. All he has to do is ask them, "Hey, have we done this?" If they answer yes, then state as such. If they haven't, then he can give them the "look" and get that going.
Telling us they've complied with the law is a good thing; not telling us leads to speculation, which they can't afford. As you well know, they have blundered several times recently, but this one has some serious potential to cost them dearly.
A quick look through the thread has revealed numerous folks pulling all credit information from them, meaning they're losing the ability for "easy" sales. Some folks will not ever trust them again due to this.
Me, I'm affected, and I'm not happy. I've got to protect my identity for safety reasons. Some folks out there would love to harm me simply due to my job. My knowing they're complying with the law is important, because it will allow me to do things if I need to on my end.
This is a total joke. I want this resolved before the duty event. How this batch of incompetence was allowed to happen is beyond me. I should be allowed in game, but, cowards that they are, they refuse to address the reason I now need to merge my account with PWE. So what gives?
Why was I not given proper notification? You owe me that.
There is an event tomorrow, right, which I am screwed on because of BS. I can not get in. Why is this?
How is this fair?
I have spent a lot of time and money to have you play games with my account. Not funny.
Passwords, certainly, change those. But only partial CC information would have been obtained. They are and were required by US law to obscure most of the number, and have. If you want to change it, go ahead. The likelihood, however, that it was exploited is significantly lower than the likelihood your password was.
If your information was to have been exploited, it almost certainly would have been before today, as it was acquired 16 months ago. Vigilance is one thing. Rampant paranoia is another. Be mindful of the line.
I know this - and frankly, my previous posts outlined these very facts.
He doesn't need to be a legal rep to know if they are or are not going to comply with the law...
But it also is not his place to speak for the Cryptic legal department. He's the community manager for one of Cryptic's online games; he's informed the community of the incident; and he's given the steps required for affected users to reset their passwords and regain access to their locked accounts. His responsibility ends there.
The fact that Cryptic put up a press release on the Cryptic company site shows they are not covering this event up; but that said, if they don't comply with the federal laws of the U.S., and/or the laws of the state they are incorporated in, then they are indeed subject to the fines and penalties associated with non-compliance.
But that doesn't necessarily mean you as a customer are entitled to know if/when/how they will comply (were you a shareholder, things would be different); and if you feel they are not doing something to your satisfaction, you, as a customer, are free to sever all ties and stop doing any future business with Cryptic.
IANAL ("I Am Not A Lawyer"), but it appears that the primary difference between those two civil codes is that one applies to an agency and the other to a person or business. I do not believe Cryptic is considered an agency but regardless both codes say the same thing.
As far as I can tell, Cryptic has met all the requirements of California Civ. Code s. 1798.82(a) and is not in violation in any way I can see.
There is no legal requirement that I can see there to advertise the breach on the front page of a website. There is no legal requirement to have a thread title be labeled a certain way. Since we did not input our SSN, CA driver's license number, or CA ID card number into Cryptic's site, they do not need to provide the numbers of credit reporting agencies.
Cryptic definitely dun goofed. But they are not doing anything illegal that I can see.
Again, this is opinion and I am not a lawyer.
Still, everyone should be compensated for this, in game, because for a good two years EVERYONE'S accounts were VULNERABLE and no security measures were taken to secure the network or even inform the community of the breach, all the while they have the gall to have us pay them MONEY for lockboxes and subs while our info was not properly protected.
If I'm wrong, tell me... I signed up UNDER the ASSUMPTION it was safe in Jun 2011, which is inside the gap between Dec 2010 and April 2012, and I put my info out there, so yeah, we ALL deserve some answers and compensation.
No, there is no legal requirement, but it would be a good idea to inform your customers in as many ways as possible. The ONLY reason I bothered with it is because I hit the forums routinely. My wife tossed the email due to its poor wording and appearance as a phishing attempt. Both of us are gamers and are used to the constant stream of phishing attempts, which this had several appearances of. In reading this very forum, and several of the web reports, that is a common theme: many folks thought it was a poor phishing attempt.
Due to that, it would be smart for them to put up a news blurb about it at least, so that folks know. Also, this thread, as has been pointed out elsewhere, was thought to be a routine thing, not to have anything to do with the hacking. That isn't helpful at all and doesn't assist your customers in dealing with the issue.
You are entitled to your opinion. But as both of those codes state, they are REQUIRED to report it; it's not an option if the conditions are met.
V-Mink someone should dress like your avatar and do the tongue face at Cryptic's Headquarters to scare them to provide better support to us and the game!
Stupid Cryptic you make look bad! Boga Boga Boooga! As Courage the Cowardly Dog's owner did
Hee! And they should perform QoNoS Rock City and Hotter than Gre'Thor.
Actually, storing and the ability to regurgitate complete CCN numbers IS a breach of US federal law under laws similar to HIPAA, but note the word "complete"; it's why when you get a receipt from ANYone the number isn't printed on the receipt any more, and if it does contain a number, it's only a partial.
Ah, I see. Yes, this is why they store the aforementioned 'first six digits and last four digits' in one database, and the remaining digits in another. I was talking about the CCV numbers though, those three or four digits that are in addition to the credit card numbers (the three on the back of a MC/Visa card, or the four on the front.) Apparently these are generated in a different manner than the checksum in the CC number itself, and are independent of the CC number. I guess that does count as being part of the complete CC number, though apparently the merchant regulations say that the CCV should not be stored at all. Again, though, *everyone* does this anyway, so I'm not sure how serious MC/Visa/AmEx are about dinging someone who does so.
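The "first six digits and last four digits" truncation and the card-number checksum mentioned in the post above, as an added example that is not Cryptic's code and was not posted in this thread: a Luhn (mod 10) validator, a PCI-style PAN truncation, and a count of how many Luhn-valid card numbers a truncated record still admits. The card number 4111 1111 1111 1111 is a constructed sample (the commonly used Visa test number), and the function names are mine.

```python
# Added example, not Cryptic's code or anything from the thread: Luhn check,
# first-six/last-four PAN truncation, and how much a truncated PAN still reveals.
# The PAN below is a constructed sample (the common Visa test number).
from itertools import product


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit, and if the
    # doubled value exceeds 9 subtract 9 (equivalent to summing its digits).
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits; mask everything in between."""
    digits = "".join(c for c in pan if c.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def luhn_candidates(masked: str):
    """Yield every fill-in of the '*' positions that passes the Luhn check.

    Brute force over 10**k fill-ins for k masked digits; fine for small k,
    which is all the accompanying test uses.
    """
    star_positions = [i for i, c in enumerate(masked) if c == "*"]
    chars = list(masked)
    for fill in product("0123456789", repeat=len(star_positions)):
        for pos, d in zip(star_positions, fill):
            chars[pos] = d
        candidate = "".join(chars)
        if luhn_valid(candidate):
            yield candidate


def candidate_count(masked: str) -> int:
    """Number of Luhn-valid fill-ins for a masked PAN.

    For k >= 1 masked digits the answer is 10**(k-1): fix any k-1 of them and
    exactly one value of the remaining digit satisfies the mod-10 check,
    whether that digit is doubled or not (both maps are bijections on 0-9).
    """
    k = masked.count("*")
    if k == 0:
        return 1 if luhn_valid(masked) else 0
    return 10 ** (k - 1)


if __name__ == "__main__":
    sample = "4111 1111 1111 1111"  # constructed sample PAN
    print("Luhn valid:", luhn_valid(sample))
    masked = truncate_pan(sample)
    print("Stored form:", masked)
    print("Luhn-valid PANs matching the stored form:", candidate_count(masked))
```

The point the numbers make: a 16-digit PAN stored as first six plus last four leaves six unknown digits, and the Luhn check only cuts the search from 10^6 to 10^5 candidates, which is why truncation is treated as acceptable storage under the card-brand rules while the CVV, which is not derivable from the PAN at all, must not be stored after authorization.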
Everyone's account was not vulnerable, just the people who created one before the breach in December 2010.
I was informed of the breach via e-mail.
Lockbox and subscription sales have nothing to do with a breach in 2010. Especially lock boxes which did not exist back then.
Besides, wasn't your account created after the breach and was thus unaffected?
Personally I do not care about some special in-game whatever. All I want is for Cryptic to do their best to prevent this from happening again... Which I am sure they do as TRIBBLE happens sometimes in IT as the bad guys never stop doing their bad things to get their lulz or your money.
I signed up in that gap of time, and BranFlakes in the original OP said that several breaches were made, and that is very vague in terms of the time and date, which leads me to believe they are hiding a greater breach and only released the Carrier Officer community since they've been around since the Atari days. I signed up in the middle of that time and I find this out :eek:
It depends on the nature of the breach. If it could be done once, and the system was not fixed or upgraded to patch that particular vulnerability, then it could be done again. Without knowing how the breach was done -- and I'm not about to ask Cryptic to divulge that information -- or what vulnerabilities it took advantage of -- ditto -- I could only say that it'd be better to be safer than sorry and assume that the bad guys had at least intermittent access to the database in question over an unspecified but probably long period of time. So best to be safe and reset the passwords of everyone and assume everyone was vulnerable, and work from there.
Anything less than that, which is admittedly a very expensive position to take, and qualitative risk management gets involved, which is an altogether different game.
So you know they've reported it, if they've met the conditions to do so? Can you please provide a link to said source?
...
(b) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
I got an e-mail notification.
(d) Any person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:
(1) The security breach notification shall be written in plain language.
(2) The security breach notification shall include, at a minimum, the following information:
(A) The name and contact information of the reporting person or business subject to this section.
(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.
(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.
(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.
(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver's license or California identification card number.
(3) At the discretion of the person or business, the security breach notification may also include any of the following:
(A) Information about what the person or business has done to protect individuals whose information has been breached.
(B) Advice on steps that the person whose information has been breached may take to protect himself or herself.
(e) A covered entity under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et seq.) will be deemed to have complied with the notice requirements in subdivision (d) if it has complied completely with Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). However, nothing in this subdivision shall be construed to exempt a covered entity from any other provision of this section.
(f) Any person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.
(g) For purposes of this section, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(h) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(4) Medical information.
(5) Health insurance information.
(i) (1) For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, "medical information" means any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(3) For purposes of this section, "health insurance information" means an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.
(j) For purposes of this section, "notice" may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:
(A) E-mail notice when the person or business has an e-mail address for the subject persons.
(B) Conspicuous posting of the notice on the Internet Web site page of the person or business, if the person or business maintains one.
(C) Notification to major statewide media and the Office of Privacy Protection within the State and Consumer Services Agency.
(k) Notwithstanding subdivision (j), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part, shall be deemed to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the system.
Everything in this section is optional per:
(3) At the discretion of the person or business, the security breach notification may also include any of the following:
Again, I am not a lawyer, but they are doing nothing illegal I can see.
Can you show direct evidence of an illegal act? Or a violation of that civil code?
As far as I can tell, Cryptic has met all the requirements of California Civ. Code s. 1798.82(a) and is not in violation in anyway I can see.
which indicates you know they have complied with the legal requirement of notifying the state of California Attorney General's office if they are required to do so. I am asking for proof of said. That isn't proof; that is the legal code and the poorly worded email they sent out. That isn't proof of compliance with the law in regards to them notifying the AG if they have to.
I did not trust the email that they or whatever sent, so I put it in the spam blocker. I know PWE and Cryptic links, and me, I am still having issues getting my second account back. No response.
That is the code and the email they sent out, you stated
Where in that civil code are they required to notify the CA Attorney General's office?
Also, how do you know they have not sent that single e-mail? Perhaps you should lawyer up, subpoena their e-mail records, and find out "for sure".
any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) and California Civ. Code s. 1798.82(f))
That is where.
And instead of "lawyering up", as you put it, I attempted to ask the person I thought would help me, i.e. the CM, the Community Manager, because I want to know without causing undue hassle for them. Trust me, if I wanted to "lawyer up" I wouldn't have bothered with asking here first; that would be pointless.
So, once again, I ask: have they complied with the requirement? You claim knowledge of them doing so. I'm asking you, since you claim to know, can you please provide a link? The only source I have indicates they have not, but that source may not be up to date. You appear to have knowledge that I do not, so please do share that knowledge.
They have followed the section of the code in so far as how it applies to us. With regards to their communication with the CA AG, you are not entitled to know nor are you required, by law, to be informed of same. Understand that demands are likely to be interpreted one of two ways (and potentially a combination therein): legally and procedurally.
If you want to know, you'll have to contact the organization yourself. However, they are most likely going to tell you that it is not your business legally to know. This is with good reason.
Again, handling the situation could have been better. I don't argue that. But, I do argue that your demands for proof do not, on the surface, appear to have legal merit. An attorney can better advise you and you're otherwise barking up the wrong tree by using the forums for that demand.
They may or may not have merit, but consider this: the CA AG website maintains a searchable listing of data breach reports that is available to the public to search at any time. So I do think I have the right to ask, since it's public information.
Talk about burying the headline. That, along with a VERY misleading thread title tells me you're trying to sweep this latest screwup under the rug.
Absolutely disgusted at how this is being handled.
This thread was provided to provide resources on how to get help if you are having trouble logging in; that's why the title is what it is. As I have posted in this thread, all affected users have been/are being notified by email, and we have a post up here: http://www.crypticstudios.com/ and http://www.crypticstudios.com/securitynotice
Consideration of public records is irrelevant in this context. You are simply asking the wrong person in the wrong media for the information you want. Contact their legal counsel directly. Contact the CA AG directly. Both of those will be your options. Failing that, contact an attorney to do this for you.
The forums are not the place to demand legal information or documentation. That's the long and short of it no matter how you slice it.
Comments
+1 kudos
You want me to spam, bud?
Thanks, fella. I didn't realise that Google hid the folder; I was looking in deleted.
+1 to you.
But, it also is not his place to speak for the Cryptic legal department. He's the community manager for one of Cryptic's online games; and he's informed the community of the incident; and given the steps required for affected users to reset their passwords and regain access to their locked accounts. His responsibility ends there.
The fact that Cryptic put out a press release on the Cryptic company site shows they are not covering this event up; but that said, if they don't comply with the federal laws of the U.S., and/or the laws of the state they are incorporated in, then they are indeed subject to the fines and penalties associated with non-compliance.
But that doesn't necessarily mean you as a customer are entitled to know if/when/how they will comply (were you a shareholder things would be different); and if you feel they are not doing something to your satisfaction, you, as a customer, are free to sever all ties and stop doing any future business with Cryptic.
IANAL ("I Am Not A Lawyer"), but it appears that the primary difference between those two civil codes is that one applies to an agency and the other to a person or business. I do not believe Cryptic is considered an agency but regardless both codes say the same thing.
As far as I can tell, Cryptic has met all the requirements of California Civ. Code s. 1798.82(a) and is not in violation in any way I can see.
There is no legal requirement that I can see there to advertise the breach on the front page of a website. There is no legal requirement to have a thread title be labeled a certain way. Since we did not input our SSN, CA driver's license number, or CA ID card number into Cryptic's site they do not need to provide the numbers of credit reporting agencies.
Cryptic definitely dun goofed.. But they are not doing anything illegal that I can see.
Again, this is opinion and I am not a lawyer.
Still, everyone should be compensated for this, in game, because for a good two years EVERYONE'S accounts were VULNERABLE and no security measures were taken to secure the network or even inform the Community of the breach, all the while they have the gall to have us pay them MONEY for Lockboxes and Subs while our info was not properly protected.
If I'm wrong, tell me............I signed up UNDER the ASSUMPTION it was safe in Jun 2011, which is inside the Gap between Dec 2010 and April 2012, and I put my info out there, so yeah, we ALL deserve some answers and compensation.
No, there is no legal requirement, but it would be a good idea to inform your customers in as many ways as possible. The ONLY reason I bothered with it is because I hit the forums routinely. My wife tossed the email due to its poor wording and appearance as a phishing attempt. Both of us are gamers and are used to the constant stream of phishing attempts, which this had several appearances of. In reading this very forum, and several of the web reports, that is a common theme: many folks thought it was a poor phishing attempt.
Due to that, it would be smart for them to put up a news blurb about it at least, so that folks know. Also, this thread, as has been pointed out elsewhere, was thought to be a routine thing, not anything to do with the hacking. That isn't helpful at all and doesn't assist your customers in dealing with the issue.
You are entitled to your opinion. But as both of those codes state, they are REQUIRED to report it; it's not an option if the conditions are met.
Hee! And they should perform QoNoS Rock City and Hotter than Gre'Thor.
Ah, I see. Yes, this is why they store the aforementioned 'first six digits and last four digits' in one database, and the remaining digits in another. I was talking about the CCV numbers though, those three or four digits that are in addition to the credit card numbers (the three on the back of a MC/Visa card, or the four on the front.) Apparently these are generated in a different manner than the checksum in the CC number itself, and are independent of the CC number. I guess that does count as being part of the complete CC number, though apparently the merchant regulations say that the CCV should not be stored at all. Again, though, *everyone* does this anyway, so I'm not sure how serious MC/Visa/AmEx are about dinging someone who does so.
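The post above describes the storage rules merchants are expected to follow: the card number can be kept only in truncated form (first six and last four digits), and the CCV/CVV security code is never persisted, while the card number itself carries a checksum that the security code does not. The following added example, which is not code from the thread or from Cryptic, shows what those rules look like enforced in a small storage-sanitising routine. It assumes an incoming record is a flat dictionary of strings; the card number used in the sample record is the well-known Visa test number and the other values are constructed.

```python
"""Card-data handling helpers: Luhn checksum, PAN truncation, CVV refusal.

Added example; not from the original thread or from Cryptic's code base.
"""
import re
from typing import Dict

# Field names that must never reach persistent storage (assumed naming).
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "ccv", "security_code", "pin"}
# Field names under which a full card number (PAN) may arrive (assumed naming).
PAN_FIELDS = {"pan", "card_number"}


def luhn_valid(pan: str) -> bool:
    """Return True if the digits of `pan` pass the Luhn mod-10 checksum.

    The checksum is a property of the card number alone; the CVV is
    generated separately and cannot be derived from or checked by it.
    """
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit, and
    # subtract 9 from any doubled value above 9 (equivalent to summing its digits).
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits; replace the rest with '*'.

    Truncated this way, the stored value cannot be used to make a charge.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of `record` that is safe to persist.

    Security-code and PIN fields are dropped outright (not masked, not
    logged); any card-number field is Luhn-checked and truncated.
    """
    safe: Dict[str, str] = {}
    for key, value in record.items():
        name = key.lower()
        if name in FORBIDDEN_FIELDS:
            continue  # never written to disk
        if name in PAN_FIELDS:
            if not luhn_valid(value):
                raise ValueError("card number fails Luhn check")
            safe[key] = truncate_pan(value)
        else:
            safe[key] = value
    return safe


# Constructed sample record: the Visa test number plus made-up fields.
SAMPLE_RECORD = {
    "name": "Example Customer",
    "card_number": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
}

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_RECORD))
```

Running the block on the sample record yields a copy with the card number reduced to `411111******1111` and no `cvv` key at all; a record whose number fails the checksum is rejected before anything is stored.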
Everyone's account was not vulnerable, just the people who created one before the breach in December 2010.
I was informed of the breach via e-mail.
Lockbox and subscription sales have nothing to do with a breach in 2010. Especially lock boxes which did not exist back then.
Besides, wasn't your account created after the breach and was thus unaffected?
Personally I do not care about some special in-game whatever. All I want is for Cryptic to do their best to prevent this from happening again... Which I am sure they do as TRIBBLE happens sometimes in IT as the bad guys never stop doing their bad things to get their lulz or your money.
I signed up in that gap of time, and BranFlakes in the original OP said that several breaches were made, and that is very vague in terms of the time and date, which leads me to believe they are hiding a greater breach and only released the Carrier Officer community since they have been around since the Atari days, and I signed up in the middle of that time and I find this out :eek:
Oop! I apologize. My brain saw CCN, not CCV.
It depends on the nature of the breach. If it could be done once, and the system was not fixed or upgraded to patch that particular vulnerability, then it could be done again. Without knowing how the breach was done -- and I'm not about to ask Cryptic to divulge that information -- or what vulnerabilities it took advantage of -- ditto -- I could only say that it'd be better to be safer than sorry and assume that the bad guys had at least intermittent access to the database in question over an unspecified but probably long period of time. So best to be safe and reset the passwords of everyone and assume everyone was vulnerable, and work from there.
Anything less than that, which is admittedly a very expensive position to take, and qualitative risk management gets involved, which is an altogether different game.
(b) Any person or business that maintains computerized data that
includes personal information that the person or business does not
own shall notify the owner or licensee of the information of any
breach of the security of the data immediately following discovery,
if the personal information was, or is reasonably believed to have
been, acquired by an unauthorized person.
I got an e-mail notification.
(d) Any person or business that is required to issue a security
breach notification pursuant to this section shall meet all of the
following requirements:
(1) The security breach notification shall be written in plain
language.
(2) The security breach notification shall include, at a minimum,
the following information:
(A) The name and contact information of the reporting person or
business subject to this section.
(B) A list of the types of personal information that were or are
reasonably believed to have been the subject of a breach.
(C) If the information is possible to determine at the time the
notice is provided, then any of the following: (i) the date of the
breach, (ii) the estimated date of the breach, or (iii) the date
range within which the breach occurred. The notification shall also
include the date of the notice.
(D) Whether notification was delayed as a result of a law
enforcement investigation, if that information is possible to
determine at the time the notice is provided.
(E) A general description of the breach incident, if that
information is possible to determine at the time the notice is
provided.
(F) The toll-free telephone numbers and addresses of the major
credit reporting agencies if the breach exposed a social security
number or a driver's license or California identification card
number.
Here is the notice:
http://crypticstudios.com/securitynotice
(3) At the discretion of the person or business, the security
breach notification may also include any of the following:
(A) Information about what the person or business has done to
protect individuals whose information has been breached.
(B) Advice on steps that the person whose information has been
breached may take to protect himself or herself.
(e) A covered entity under the federal Health Insurance
Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d et
seq.) will be deemed to have complied with the notice requirements in
subdivision (d) if it has complied completely with Section 13402(f)
of the federal Health Information Technology for Economic and
Clinical Health Act (Public Law 111-5). However, nothing in this
subdivision shall be construed to exempt a covered entity from any
other provision of this section.
(f) Any person or business that is required to issue a security
breach notification pursuant to this section to more than 500
California residents as a result of a single breach of the security
system shall electronically submit a single sample copy of that
security breach notification, excluding any personally identifiable
information, to the Attorney General. A single sample copy of a
security breach notification shall not be deemed to be within
subdivision (f) of Section 6254 of the Government Code.
(g) For purposes of this section, "breach of the security of the
system" means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the person or business. Good faith
acquisition of personal information by an employee or agent of the
person or business for the purposes of the person or business is not
a breach of the security of the system, provided that the personal
information is not used or subject to further unauthorized
disclosure.
(h) For purposes of this section, "personal information" means an
individual's first name or first initial and last name in
combination with any one or more of the following data elements, when
either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card
number.
(3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.
(4) Medical information.
(5) Health insurance information.
(i) (1) For purposes of this section, "personal information" does
not include publicly available information that is lawfully made
available to the general public from federal, state, or local
government records.
(2) For purposes of this section, "medical information" means any
information regarding an individual's medical history, mental or
physical condition, or medical treatment or diagnosis by a health
care professional.
(3) For purposes of this section, "health insurance information"
means an individual's health insurance policy number or subscriber
identification number, any unique identifier used by a health insurer
to identify the individual, or any information in an individual's
application and claims history, including any appeals records.
(j) For purposes of this section, "notice" may be provided by one
of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with
the provisions regarding electronic records and signatures set forth
in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the person or business demonstrates that
the cost of providing notice would exceed two hundred fifty thousand
dollars ($250,000), or that the affected class of subject persons to
be notified exceeds 500,000, or the person or business does not have
sufficient contact information. Substitute notice shall consist of
all of the following:
(A) E-mail notice when the person or business has an e-mail
address for the subject persons.
(B) Conspicuous posting of the notice on the Internet Web site
page of the person or business, if the person or business maintains
one.
(C) Notification to major statewide media and the Office of
Privacy Protection within the State and Consumer Services Agency.
(k) Notwithstanding subdivision (j), a person or business that
maintains its own notification procedures as part of an information
security policy for the treatment of personal information and is
otherwise consistent with the timing requirements of this part, shall
be deemed to be in compliance with the notification requirements of
this section if the person or business notifies subject persons in
accordance with its policies in the event of a breach of security of
the system.
Everything in this section is optional per:
(3) At the discretion of the person or business, the security
breach notification may also include any of the following:
Again, I am not a lawyer, but they are doing nothing illegal I can see.
Can you show direct evidence of an illegal act? Or a violation of that civil code?
That is the code and the email they sent out. You stated
which indicates you know they have complied with the law's requirement of notifying the state of California Attorney General's office if they are required to do so. I am asking for proof of said. That isn't proof; that is the legal code and the poorly worded email they sent out. That isn't proof of compliance with the law in regards to them notifying the AG if they have to.
Talk about burying the headline. That, along with a VERY misleading thread title tells me you're trying to sweep this latest screwup under the rug.
Absolutely disgusted at how this is being handled.
Where in that civil code are they required to notify the CA General Attorney's office?
Also, how do you know they have not sent that single e-mail? Perhaps you should lawyer up, subpoena their e-mail records, and find out "for sure".
any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) and California Civ. Code s. 1798.82(f))
that is where.
And instead of "lawyering up" as you put it, I attempted to ask the person I thought would help me, i.e. the CM, the Community Manager, because I want to know without causing undue hassle for them. Trust me, if I wanted to "lawyer up" I wouldn't have bothered with asking here first; that would be pointless.
So, once again, I ask, have they complied with the requirement? You claim knowledge of them doing so. I'm asking you, since you claim to know, can you please provide a link? The only source I have indicates they have not, but that source may not be up to date. You appear to have knowledge that I do not, so please do share that knowledge.
Thank you.
They have followed the section of the code in so far as how it applies to us. With regards to their communication with the CA AG, you are not entitled to know nor are you required, by law, to be informed of same. Understand that demands are likely to be interpreted one of two ways (and potentially a combination therein): legally and procedurally.
If you want to know, you'll have to contact the organization yourself. However, they are most likely going to tell you that it is not your business legally to know. This is with good reason.
Again, handling the situation could have been better. I don't argue that. But, I do argue that your demands for proof do not, on the surface, appear to have legal merit. An attorney can better advise you and you're otherwise barking up the wrong tree by using the forums for that demand.
They may or may not have merit, but consider this: the CA AG website maintains a searchable listing of data breach reports that is available to the public to search at any time. So I do think I have the right to ask, since it's public information.
for reference CA AG OFFICE DATA BREACH SEARCH
This thread was provided to provide resources on how to get help if you are having trouble logging in; that's why the title is what it is. As I have posted in this thread, all affected users have been/are being notified by email, and we have a post up here: http://www.crypticstudios.com/ and http://www.crypticstudios.com/securitynotice
Also, if there are any of you that do not remember the email you signed up with/ that email account is no longer active, you can reach out for GM support here: https://support.perfectworld.com/app/cs_cryptic/iss/log
Cheers,
Brandon =/\=
Consideration of public records is irrelevant in this context. You are simply asking the wrong person in the wrong media for the information you want. Contact their legal counsel directly. Contact the CA AG directly. Both of those will be your options. Failing that, contact an attorney to do this for you.
The forums are not the place to demand legal information or documentation. That's the long and short of it no matter how you slice it.
I've got a question:
2 fleet mates of mine can't reset their password because they can't get into their email account.
What can they do?
Thanx