People defending them are doing so through ignorance. Here are the facts, based on Valves only statement they made through Gamespot. Some people are claiming they did the best they could. This is incorrect since they have expressly stated it was not a hack, it was a caching issue, a caching issue which they caused. They did not do "everything they could" because they should have never caused the problem in the first place. This happened because of Valves negligence and Valve owes, if not a legal duty, a moral duty of care to its userbase which includes not making their personal information available to random people on the internet. Make no mistake, what happened, based on all the information we have so far which includes a statement from Valve themselves, was Valves fault, it had nothing to do with any kind of external attack.
Some are arguing that it is not a big deal. If you do not think that giving out personal details of users which includes their real name, home address, email address as well as incomplete credit card and phone numbers (which can be used to assist in identity theft via social engineering), to random people on the internet is not a big deal, then I'm not sure which planet you are living on. The "its in a phonebook anyway" argument is phony. You need certain information to look people up in a phonebook and what is this, 1985? A bunch of people aren't listed in phonebooks anymore, you can't look up my mobile phone number or get my address from a phonebook because it isn't there. The age of landlines is long gone. Even if it that were the case, there is a clear difference between going out of your way to find someones personal information and being handed it on a silver platter. Companies aren't supposed to be giving out peoples personal information, period.
Whats the harm, you might ask. Whats the harm in doxxing? Do I really need to answer that? Perhaps I'm a little more sensitive to it than most would because I've had friends with automatic weapons pointed at their heads because they got swatted, or at the mercy of endless real life harassment, blackmail threats and much more because their personal information got out online. Claiming it is not as bad as PSNs hack where full credit card information was stolen, while true, is like saying "well its ok because it was just a regular bomb, not nuclear". Bad stuff is not binary, there is not merely one state of "bad". What Valve did was bad. What level of bad is quite frankly not relevant to the discussion. Did Valve break any laws? I am not a lawyer, dunno, though my limited knowledge of the Data Protection Act in the UK indicates they might have. That's a topic for real lawyers. The concept at play would probably be tort and determining whether through their own negligence, Valve caused potential harm to the users it had a duty of care to.
Will be interesting to see how that shakes out over the next few days. There is a key difference between user data exposed through a hack and user data exposed due to Valves own mistake. It's totally fair to be mad at companies that lose your data through a hack. They should have done a better job protecting your data. However it's also worth considering that they were attacked and no form of security is 100% bulletproof. You don't have to condone a company in that position but you can at least have a certain degree of sympathy that they were also the victim of a crime. In this case, Valve doesn't have this defense. They were not the victim of a crime, they were the perpetrator of a negligent act which has the potential to put some of its users in harms way. Hopefully that clears up some of the misconceptions surrounding this situation and clearly explains why it is entirely ok to be upset about it.