this post was submitted on 28 Nov 2024
202 points (98.6% liked)

Games

40199 readers
1882 users here now

Welcome to the largest gaming community on Lemmy! Discussion for all kinds of games. Video games, tabletop games, card games etc.

Rules

1. Submissions have to be related to games

Video games, tabletop, or otherwise. Posts not related to games will be deleted.

This community is focused on games, of all kinds. Any news item or discussion should be related to gaming in some way.

2. No bigotry or harassment, be civil

No bigotry, hardline stance. Try not to get too heated when entering into a discussion or debate.

We are here to talk and discuss about one of our passions, not fight or be exposed to hate. Posts or responses that are hateful will be deleted to keep the atmosphere good. If repeatedly violated, not only will the comment be deleted but a ban will be handed out as well. We judge each case individually.

3. No excessive self-promotion

Try to keep it to 10% self-promotion / 90% other stuff in your post history.

This is to prevent people from posting for the sole purpose of promoting their own website or social media account.

4. Stay on-topic; no memes, funny videos, giveaways, reposts, or low-effort posts

This community is mostly for discussion and news. Remember to search for the thing you're submitting before posting to see if it's already been posted.

We want to keep the quality of posts high. Therefore, memes, funny videos, low-effort posts and reposts are not allowed. We prohibit giveaways because we cannot be sure that the person holding the giveaway will actually do what they promise.

5. Mark Spoilers and NSFW

Make sure to mark your stuff or it may be removed.

No one wants to be spoiled. Therefore, always mark spoilers. Similarly mark NSFW, in case anyone is browsing in a public space or at work.

6. No linking to piracy

Don't share it here, there are other places to find it. Discussion of piracy is fine.

We don't want us moderators or the admins of lemmy.world to get in trouble for linking to piracy. Therefore, any link to piracy will be removed. Discussion of it is of course allowed.

Authorized Regular Threads

Related communities

PM a mod to add your own

Video games

Generic

Help and suggestions

By platform

By type

By games

Language specific

founded 2 years ago
MODERATORS
[email protected]
[email protected]
fxomt
[email protected]
[email protected]
202
Blizzard may have violated the UK GDPR following my 2019 Data Erasure Request (lemmy.world)
submitted 7 months ago* (last edited 7 months ago) by [email protected] to c/[email protected]
36 comments fedilink hide all child comments
 

My sincerest apologies in advance to the moderators of /c/games if the below is not suitable for the community. This is extremely loosely related to gaming but concerns a significant player in the industry.

On the morning of Monday, 2024 11 25, I received a text message from my bank notifying me of a potentially fraudulent transaction of $0.00. This resembled some kind of a service test charge.

I was amused to see this was sufficient to trigger such a response from my bank. My account had been paused and my card transactions were halted as a result, though I'm grateful for their diligence.

Looking at the message, it appears to have been from Blizzard Entertainment:

The first time I dealt with them as a customer was around 2016 or 2017. Overwatch was on sale and my friends urged me to pick it up. It wasn't my sort of thing and I quickly put it back down.

I was stupid enough to buy Destiny 2 later on in 2017. The long-timers (or most likely, former players) amongst you may recall that D2 was only available through BattleNet on PC. I think they moved away to Steam a couple years later after parting ways with Activision, and I linked my Steam account to complete the transfer around this time.

Fast-forward to October 2019 and the "Blitzchung controversy". I don't wish to expand on the topic here. I didn't agree with Blizzard's actions around that event, nor did I have any particular reason to retain my online account with them, so I decided to delete it in some extremely minor form of protest.

It seems that a significant number of account holders thought of doing the same thing, as Blizzard started to demand some form of government photo ID to proceed.

I can only presume they employed this tactic as some sort of deterrent, though I was fairly sure it couldn't legally be enforced; what business did they have to ask this of me? They've never needed my drivers license or passport photo before?

After a lengthy back and forth with their support agents, I decided to send them a GDPR data erasure request instead. They immediately honoured my request and notified me that my account and all associated PII would be removed from their systems.

Just over five years later, and I'm randomly greeted with this fraud alert. Mondays are particularly busy for me, as I'm sure they are for many of you. I cursed as I glanced at phone that morning. I don't need more stuff to deal with.

I immediately called my bank and rectified the situation, though I wanted to understand how this happened to begin with. Whilst I was still on the phone to them, I confirmed that:

  • My last payment to Blizzard Entertainment was in 2017 (2 years prior to my GDPR data erasure request)
  • The attempted transaction on Monday originated from Irvine, US (location of their HQ - it wasn't someone using my card details)

I decided to write to Blizzard's customer support. They appear to have a section dedicated to unauthorised payments. My endeavours were unsuccessful.

After explaining all of the above, I pressed them on several key points:

  • What is the purpose of this charge and why did this happen?
  • What data are you retaining on me?
  • Has another user attempted to use my payment information (at this point, I've no reason to suspect my payment info has been compromised)
  • What will you do to prevent this happening again?

I wasn't satisfied with the first response, so I tried again later on.

Check if you have an active World of Warcraft subscription

Couldn't you folks have done that?

Check your recent purchases in your Transaction History

(I had already explained that I had done this as part of my initial query to them)

Make sure that you are logged in to the correct Blizzard account

"An extensive research" to be sure

All of these questions were completely sidestepped. I began to suspect that these were bot generated or generic, canned responses.

If you are indeed real people, and you somehow stumble upon this post, please know that I'm sorry to call you out, and I know you're dealing with my case using the resources you have available.

So why am I mentioning any of this here?

I would love to know if any of you took the same action as I did back in 2019:

  • Did you attempt to close your account following the HK tournament controversy?
  • Did you face the same level of resistance as I did?
  • Did you follow up with a data erasure request?
  • Do you have any reason to suspect that Blizzard are still retaining data on you in 2024?

An associate of mine has pointed out that they may have a legal obligation to retain some records despite my request for data erasure. The question is, why was this service test charge placed?

Thank you for reading through my ramblings.

Have a cosy one.

top 36 comments
sorted by: hot top controversial new old
[–] [email protected] 28 points 7 months ago (1 children)

always assume every corporation always has every bit of data you've ever given them, even if they tell you they "deleted" it

[–] [email protected] 20 points 7 months ago

In the back of my mind, I feel the same way, but at least they can be fined for infractions like this.

[–] [email protected] 18 points 7 months ago (1 children)

https://ico.org.uk/make-a-complaint/data-protection-complaints/

[–] [email protected] 16 points 7 months ago (1 children)

I neglected to mention in the post that I've already reached out to the ICO. Appreciate you linking this here for others in the UK who have dealt with the same thing though

[–] [email protected] 10 points 7 months ago (1 children)

Good shit. My first reaction to posts like these are always "ok but did you actually do anything about it, or just whinge on social media?"

[–] [email protected] 8 points 7 months ago

I suppose I did want to find out if it happened to other people ahead of reaching out, but it can take up to 15 weeks for a case to get looked at, so I figured I'd send it asap.

[–] [email protected] 17 points 7 months ago (1 children)

This is just from memory and I haven't double checked it but.

There's exemptions in GDPR, and some of them are related to financial, tax and safety stuff.

A company has to be able to prove legitimacy of transactions for 10 years in most of Europe, so keeping your card details and transaction history etc for 10 years is within GDPR exemptions for sure.

The real issue here is why the card of someone who has otherwise completely ended their customer relationship with the business was accessed in any way.

[–] [email protected] 4 points 7 months ago (1 children)

Appreciate the information. An associate of mine did allude to this being the case, key thing is they've attempted a transaction on this payment method and I've told them to stop.

[–] [email protected] 4 points 7 months ago* (last edited 7 months ago)

It should definitely no longer be in a system that could attempt a transaction or other checks, it should be archived.

So definitely some sort of case here for sure

[–] [email protected] 15 points 7 months ago (1 children)

My sincerest apologies in advance for an off-topic joke.

This is extremely loosely related to gaming but concerns a significant player in the industry.

ME

[–] [email protected] 3 points 7 months ago

lmao

[–] [email protected] 11 points 7 months ago (1 children)

Did you attempt to close your account following the HK tournament controversy?

I stopped playing Blizzard games after that incident, because I'm not willing to populate the servers of a game company that punishes people for saying a few words in support of human rights. (I might eventually return, since Microsoft has replaced their upper management, but I'm not in a hurry.)

I never deleted my account, though, so I'm afraid I can't offer another point of view on your situation.

[–] [email protected] 6 points 7 months ago

Appreciate the sentiment nonetheless

[–] [email protected] 9 points 7 months ago (1 children)

You need to report this to your local data protection authority (or similar). They didn’t carry out your deletion request, so they would most likely be fined (at least that happens often in my country).

[–] [email protected] 2 points 7 months ago

Yup, reported this to the ICO two days ago.

[–] [email protected] 7 points 7 months ago (1 children)

Whilst it's quite possible they're up to no good, it's also possible that someone is fraudulently using your payment details in Irvine to create a new Blizzard account. It sounds like your bank already blocked your card, which is good, but they may also be able to block payments to Blizzard when the card is unblocked.

[–] [email protected] 3 points 7 months ago (1 children)

I thought about that, but it's an entirely new card. Even if they had the AN, SC, Card number, they'd still need the new expiry date and security number. I don't think these are required for business, however.

[–] [email protected] 4 points 7 months ago (1 children)

Is there any chance your new card details got leaked from somewhere you used them? Using stolen details to sign up to something like that and, say, making a pre-order, would be a good way for a crook to validate them without a transaction appearing on your statement.

If it's not that, then Blizzard definitely have some awkward questions to answer. Good luck!

[–] [email protected] 3 points 7 months ago (1 children)

I suppose there's a chance but it's not even my main payment method. I primarily use an entirely different card from a different vendor for the majority of my purchases today.

I'm also wondering what a fraudulent customer would need to do to warrant a test charge. I can't think of anything an end user would do to invoke an attempt of $0.00 on their first transaction with my details.

[–] [email protected] 3 points 7 months ago (1 children)

Pre-ordering something would usually cause a $0.00 transaction to confirm the card details are valid. It would be a 'pre-auth' transaction where the merchant reserves an amount on the card for payment at a later date, when they ship the item. If a fraudster makes a pre-order they xan validate that the card details are valid, then cancel the order, usually leaving the victim none-the-wiser. In your case, the bank noticed the transaction and notified you, but that seems to be rare. Once the fraudster knows the details are valid, they can sell them on.

It's just a theory, and unless your bank and Blizzard work together to track the transaction, why it happened, and who instigated it, its going to be difficult to get to the bottom of it.

[–] [email protected] 2 points 7 months ago

I see, good to know. There's always potential for that. I suppose we'll see in the coming weeks.

[–] [email protected] 7 points 7 months ago* (last edited 7 months ago) (1 children)

I successfully deleted my account bank then for the same reason. No ID required.

I haven't had any other communications associated with the account deletion, however.

[–] [email protected] 6 points 7 months ago

Thanks for the input. I wonder if you were amongst the first few people to delete their account in response to the controversy.

[–] [email protected] 3 points 7 months ago (2 children)

Probably. Either way good luck heading up against their army of lawyers.

[–] [email protected] 16 points 7 months ago (1 children)

They don't have to.

If they violated gdpr they're going to go up against the UK's lawyers. That's a wonderful thing about consumer protection, the consumer doesn't have to do anything other than make a complaint.

[–] [email protected] 1 points 7 months ago (1 children)

Nice. Hopefully they don’t get paid off to look the other way. I am not hopeful.

[–] [email protected] 5 points 7 months ago (1 children)

Pretty sure the only thing that happens when violating GDPR is a fine, which is ultimately the same thing as "paying off" the government, but just in a legally obligated way.

[–] [email protected] 2 points 7 months ago

Well that's because the ICO doesn't have the teeth of my grandmother.

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago)

That's why we have the ICO here in the UK (and similar government bodies across Europe)

[–] [email protected] 3 points 7 months ago (1 children)

Hmm 0 USD?

[–] [email protected] 3 points 7 months ago

As mentioned near the top, I preusme this was an automated test charge to check the validity of the payment method

[–] [email protected] 2 points 6 months ago (1 children)

I think you’re going about this wrong. You need to represent this as a potential legal issue so they pass it off to the legal department, who will then do things to cover their ass

You don’t want to threaten, just make it legalese enough to make customer support get nervous. Something like citing GDPR sections and expressing your concerns that they have not properly complied with your legally mandated request, then officially requesting all data they still have on you and citing that section of law

[–] [email protected] 2 points 6 months ago* (last edited 6 months ago) (1 children)

I did that in my communications to their support staff.

I've also attempted to contact their legal dept directly with no luck.

[–] [email protected] 2 points 6 months ago (1 children)

Smart…well damn, if they’re that blasé about it I’d consider it a public service to escalate. You could contact Microsoft’s legal department, they might take it more seriously

You could also reach out to an organization like the ACLU in your country, they may or may not do anything with it, but they’ll probably make note of it at least. It could push them to take action in the future

[–] [email protected] 3 points 6 months ago (1 children)

I've reached out to the ICO, hadn't thought about it but I suppose I could try MS legal as well. Good idea

[–] [email protected] 3 points 6 months ago

FWIW, I respect you for going this far, and doing so intelligently. It might just be a little thing, but it’s fighting for your rights. Every inch matters, because they’ll take them all from us if they can