DrEvil wrote on Nov 10, 2011, 18:36:
Giving details before they could confirm what happened would have been irresponsible.
Absolutely not! The responsible thing to do when you suspect a breach has occured is to alert those customers who may be affected immediately so that they can take precautions. It is much better to err on the side of caution because there is no harm done to the customer for being wrong. Protecting customers first NOT a company's reputation should be the priority.
Four days to properly assess the situation, ensure all systems were secure again, and to determine exactly what caused the damage does not seem unreasonable.
Of course it is unreasonable because first, it gave the crooks a four day headstart to exploit the information they stole. Waiting does nothing to help customers protect themselves in the meantime. Second, it is highly likely that Valve will never fully know the scope of the breakin especially after only four days time. So again waiting doesn't help customers and puts them at further risk. In addition expecting that everything is safe and secure after only four days is absolutely laughable especially when the people making that pronouncement are the same incompetent or irresponsible fools who didn't prevent or stop the breakin in the first place.
These are problems that you can't just throw a huge amount of people at to solve; it takes time.
Sure, it takes time to fix, but NOT to warn. Waiting to warn customers so they can take steps to protect themselves is irresponsible, and it is only done so that a company can keep from looking bad in case it was wrong about a breach.