The people who have been attempting to get refunds, resolution, and/or replacements for the bags that were promised but never delivered in the Fallout 76: Power Armor Edition have mistakenly been doxed by Bethesda.

Unfortunately, this is not hyperbole.

Bethesda’s ticket support system — that customers were supposed to use in order to receive the canvas bag replacement that they were originally promised as part of the $200 collector’s edition — glitched.

The glitch made personal data, including payment types, personal addresses, photos, and other identifying information, publicly visible to an unknown number of other people who were logged into their Bethesda accounts on the support page of the website.

@BethesdaSupport I am receiving other people’s support tickets on my @bethesda account. I have numerous people’s receipts for power armor set that includes their email & home address and the type of card used. This is not good, right? #Fallout76 pic.twitter.com/KUpGCNfIF0 — Jessie Tracy (@JesscaTracy9) December 5, 2018

In short, people were doxed while trying to resolve a situation that Bethesda created.

The issue made its way to the top of the Fallout 76 subreddit, where users joked about the personal information being leaked. User Jessiepie wrote…

“I am a gleeful vault dweller as yourselves and as of this moment I am receiving every single one of your support tickets on my Bethesda account. Mostly it’s your receipts for your power armor set requesting a new bag. These receipts contain all your info. Your email and home address and the card you used to buy this extremely glitched game. I can see the problems you are having with the game, yes I’m having them too. And I know a few of you want a refund that Bethesda has said can’t happen. I can update your ticket for you, if you’d like. And close it! How fun is that? Please rest assured I have no desire to stalk you or mess with your Fallout 76 experience. I just wanted to let y’all know that this is happening atm. Anyway, I gave Bethesda a heads up via the Twitter. So we will see.”

According to Jessie, there are eight pages’ worth of refund requests regarding the Fallout 76: Power Armor Edition. She was able to view all of the support tickets and even communicate with the customers.

People who have access to the support ticket information can see everything.

Originally it was believed that only Jessie had access to this information, but it turns out that multiple people were given access to the information of everyone who sent in a support ticket about getting a canvas bag replacement for the cheap nylon bag that Bethesda included in the collector’s edition.

Another user on Reddit shared a photo showing access to all the personal user data of those who submitted a support ticket.

Apparently there were others on Twitter sharing photos showing that they had access to other users’ personal information, as outlined in a video put together by TheQuartering.

Hours after the news went wild throughout social media, community manager Lady Devann made a short post on the Bethesda forums indicating that the issue was “resolved”.

Devann kept the info curt, leaving many to wonder exactly what went wrong and how. We also don’t know exactly who all had access to the personal information of Bethesda customers, nor for how long they had access to that information.

Bethesda hasn’t made any announcements on their support page about the personal information being leaked, as of the writing of this article.

However, according to the EU’s GDPR, they are required to make an announcement within 72 hours of the data breach to inform customers about personal information being leaked, as explained in Article 33 Section 1 of the EU GDPR, which states…

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”

So Bethesda has the next two days to make an announcement, or they could be in violation of the General Data Protection Regulation standards.

Since ZeniMax isn’t publicly traded, they’re not bound by the SEC’s rules to disclose data breaches, as outlined in a press statement made by SEC chairman Jay Clayton back on February 21st, 2018. However, there has been recent legislation to force private organizations to disclose when their customer databases have incurred a privacy leak, as outlined by the National Conference of State Legislatures on September 29th, 2018, which states…

“All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.”

Bethesda may attempt to play it off as a glitch in the system, but privacy data leaking into the public domain is still privacy data leaking into the public domain.

Regardless of whether Bethesda formally announces the breach of data or not, some lawyers are already looking for plump pickings from the consumers who have been affected by the breach. A cyberlaw attorney hopped into the Reddit thread to inform gamers that Bethesda is potentially liable for a lawsuit over their recent behavior, writing…

“If anyone has been affected by this or displeased about purchasing a collector’s edition set with a Nylon bag feel free to reach out to me. I’ve been investigating potential legal claims against Bethesda regarding both issues, this has gotten past a point of absurdity.”

So now Bethesda not only has the potential class action lawsuit on their hands regarding the denial of consumer refunds for Fallout 76, but there’s also the bait-and-switch of the canvas bag that falls into false advertisement territory, and now they could be facing multiple suits from customers who have had their data breached unintentionally.

While some users are joking about the lack of security and competence from Bethesda, there’s also the very frightening reality of what could happen if malicious hackers or other identity thieves make use of the personal information that was made publicly available through Bethesda’s ticket system.

And what’s even more damning than all of this doxing is that, according to various users, the /r/Games threads outlining how Bethesda has mistakenly doxed its users have been censored and deleted.

[Update:] Bethesda has finally issued a statement on the matter via Twitter.

(Thanks for the news tip Blaugast and Cesario)