Bethesda faces a €20 million fine under EU's GDPR

Dec 7, 2018 21:00 GMT

After asking for their customers' personal information in Fallout 76 support tickets, American video game publisher Bethesda Software LLC exposed those tickets to public access, allowing anyone to view, edit, and resolve them.

The support tickets were accessible to anyone who submitted their own. For a limited period, tickets opened by other people, containing names, usernames, addresses, and emails, were automatically sent to the wrong accounts.

"From our investigation, we have learned that, on December 5, 2018, there was a brief period of time which customers accessing our Customer Support website may have been able to view the customer support tickets submitted by other customers during this same time period," said Bethesda.

However, according to Bethesda, passwords and credit card numbers were not disclosed during the glitch that affected its customer support website.

"We experienced an error with our customer support website that allowed some customers to view support tickets submitted by a limited number of other customers during a brief exposure window. Upon discovery, we immediately took down the website to fix the error," added Bethesda.

Bethesda risks a €20 million administrative fine following the privacy breach incident

Moreover, Bethesda said that at most 123 customer support tickets were impacted during the exposure window, with roughly 65 of them containing personal data.

Furthermore, Bethesda stated in a tweet that "Based on our current investigation, we believe this exposure window lasted approximately 45 minutes."

Bethesda has started an investigation to find the exact issue that triggered the customer support website glitch and will provide additional updates as soon as any further information about the privacy exposure is unearthed.

Since the EU's GDPR was put in place in May 2018, Bethesda might be fined €20 million or up to 4% of its annual global turnover, whichever is greater, if EU citizens were affected by the data leak.

It is also worth mentioning that not all GDPR infringements eventually lead to fines, since a company's GDPR compliance can reduce the risk of an administrative penalty.
