Video Gamer is reader-supported. When you buy through links on our site, we may earn an affiliate commission. Prices subject to change. Learn more
Last weekend, the Entertainment Software Association leaked personal information from the E3 2019 media list for over 2,000 registered games journalists, YouTube content creators, Wall Street analysts, and Tencent employees.
In order to receive a press badge at E3, the name, phone number, home and email addresses of the journalist is given to the ESA, so that companies attending the expo can invite press to events and meetings efficiently and easily. Shockingly, this confidential spreadsheet of sensitive information for this year’s expo was freely available to view on the E3 website, as reported by independent journalist Sophia Narwitz.
On the website, there was a link for ‘Registered Media List.’ This would take you directly to the spreadsheet, and although Narwitz notified the ESA, and the organisation removed the file, it was not before people had downloaded it. It’s now impossible to tell who has the list and how widely it’s been shared.
So the threatening phone calls are cool
— Liana 'LiLi' Ruppert (@DirtyEffinHippy) August 3, 2019
went to bed upset about The ESA leak and I am furious this morning, Getting random texts saying they have my personal info, including my home address and putting my family at risk IS NOT OK! For those affected do what you can to protect yourself
— Parris (@vicious696) August 3, 2019
It's so unbelievable irresponsible and negligent. This is going to follow people for years. I just hope nothing violent like a swatting happens. Physical addresses being revealed is by far the scariest part.
— Brandon Carbaugh (@BMCarbaugh) August 3, 2019
Moreover, the spreadsheet link was accessible from Europe, and held information on European games journalists. This would then cause the breach to be a General Data Protection Regulation (GDPR) violation; the maximum fine for which is €20 million.
As reported by VentureBeat, the ESA responded to the catastrophic dissemination of data with a statement: ‘ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public. Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.’
As discovered on Monday, this action was not enough. Yesterday, Kotaku reported that the ESA emailed the media attendees of the 2004 and 2006 E3 conventions to say that their contact information had also been leaked. The email explains, ‘In the course of our investigation, we learned that media contact lists from E3 2004 and 2006 were cached on a third-party internet archive site. These were not files hosted on ESA’s servers or on the current website. We took immediate steps to have those files removed, and we received confirmation today that all files have either been taken down or are in the process of being removed from the third-party site.’
‘We are working with our partners, outside counsel, and independent experts to investigate what led to this situation and to enhance our security efforts. We are still investigating the matter to gain a full understanding of the facts and circumstances that led to the issue.’
The contact lists for 2004 and 2006 contained over 2,800 records of journalists’ personal information in one case, and 3,300 in another, GamesIndustry.biz posted yesterday. Once again, this is a devastating mishandling of sensitive data, and the trust and support invested into E3 has evaporated with calls for a class-action lawsuit against the ESA. It used to be an enduring event for the games industry, but now E3 2020 looks even less likely than it did before.
