Sit closer, boys and girls. I’ve got a tale of massive security fail for you.
Remember when we were all wowed by Watch Dogs back at E3 2012 simply because Ubisoft managed to keep their mouths shut? Loose lips sink ships, and while Ubisoft managed to keep exclusive-hungry journalists at bay, they failed altogether at keeping other secrets. The company violated a trust that is, in my opinion, more important than any NDA—the one between a company and a customer.
When Watch Dogs was announced, keen eyes spotted a QR code within the gameplay demo. Scanning that QR code took you to www.dotconnexion.com, a website based in the Watch Dogs universe. There, you could opt to sign up for an email list to be informed of when the “dotconnexion exhibit” (a fictional art exhibit in-game) would open. Presumably, signing up for the email meant you were interested in a Watch Dogs alternate reality game (ARG). I haven’t taken part in an epic AR game of the likes of “iluvbees”, so I signed up thinking it’d be pretty cool.
Five days ago, the first emails related to the dotconnexion exhibit went out, declaring that due to Joseph DeMarco’s death, the exhibit would be cancelled. Shortly afterwards, another email from “Joseph DeMarco” was sent out, officially kicking off the game. But I noticed that rather than being blind copied to the email, I was looking at what I can only presume is the first hundred alphabetized emails… mine included.
At the time, I wasn’t sure whether Ubisoft had done this intentionally. You can see my confusion in my first post regarding the first set of Watch Dogs emails. In my ever-trusting naivety, I thought that maybe Ubisoft had done it on purpose with “fake” emails in there to drop hints or throw me off track in this AR game. After a few emails from different users calling Ubisoft out in anger regarding the security breach, I realized that whoever was in charge of sending out these emails had hit the equivalent of “reply all” to the first unfortunate hundred whose emails came up in the dotconnexion site.
Despite various outlets reporting on the security issue, Ubisoft remained silent. RipTen attempted to contact Ubisoft PR to see what steps the company would be taking to patch such a security issue. Unfortunately, we’ve yet to receive a comment. However, I received this email from Ubisoft in the account that I used when signing up on the dotconnexion site:
“Recently we discovered some users’ email addresses were disclosed due to human error. We sincerely apologize for this and would like to stress that Ubisoft takes privacy matters very seriously. As a precaution, we are removing your email from our marketing database.
If you’d like to continue to receive updates and news on Watchdogs, update your Uplay account by clicking here.
The Ubisoft Team.”
Excuse me? Ubisoft, your response to leaking out my personal information is to expunge my email from your databases with a perfunctory apology? I know that as soon as the email was sent, there was nothing to be done besides reprimanding the goof who made the “human error.” However, something that is a bit more sincere would be appreciated.
There’s nothing you’re doing as a company to reassure me, as a customer, that you can be further trusted with my personal information. The notice comes days after the incident, and the sudden deletion of email addresses after they’ve been compromised does nothing but trouble those people who don’t wish to be cut off. It’s an odd choice that doesn’t fix a problem caused by someone who didn’t paste the addresses into the BCC field. Frankly, we expect better of those we trust with our personal information, especially in the technology sector. Faster communication and measures that don’t further inconvenience customers would have gone a long way to smoothing this over.