
ESA’s E3 web security negligence endangers more than 2000 game media journalists, investors, after accidental leak exposes PII data
A few days ago, the Entertainment Software Association (ESA) accidentally leaked a spreadsheet containing the personal information of about 2,025 games industry journalists, content creators, and video producers on its E3 (Electronic Entertainment Expo) website, making it publicly available.
The information, which includes details such as names, publications, home addresses, email addresses, and phone numbers, was captured when they registered for E3. Hackers or bad actors can use this information to harass journalists or investors.
The existence of this spreadsheet was first reported by journalist Sophia Narwitz, who posted a video about it on her personal YouTube channel on Friday, August 2. In the video, Narwitz described, “On the public E3 website was a web page that carried a link simply titled ‘Registered Media List.’ Upon clicking the link, a spreadsheet was downloaded that included the names, addresses, phone numbers, and publications of over 2,000 members of the press who attended E3 this past year.”
ESA told VentureBeat, “ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public. Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.”
Narwitz tweeted that a group of journalists has been focusing on discrediting her: “Given that the ESA just caused a lot of suffering for many game journalists, I actually hate being on the offensive here, but the way folks in the media are lying about me and trying to bury me, it makes me really wanna scream about their lack of ethics.”
The attempt to pin this all on you is terrible and disgusting. I’m sorry you are going through this when they should be thanking you for exposing the leak that the ESA refused to do anything about for a month.
The ESA only took action after your work. https://t.co/qbTQZcYqEM
— Mark Kern (@Grummz) August 4, 2019
Although the E3 website has been updated and the link to the spreadsheet no longer exists, a cached version of the site does show that a link titled “Registered Media List” used to appear on a “Helpful Links” page. “For some time yesterday, even after this page was removed, clicking on the link in the easily-accessible Google cached version of the page would download the spreadsheet from the E3 website’s servers,” states Kotaku, a video game website and blog.
In a statement to GamesIndustry.biz, ESA said it provides “ESA members and exhibitors a media list on a password-protected exhibitor site so they can invite you to E3 press events, connect with you for interviews, and let you know what they are showcasing. For more than 20 years there has never been an issue.”
This accidental leak has serious potential to impact ESA’s image given that E3 is a prestigious event that companies pay the organization a lot of money to show up to. Also, “the ESA website was likely also accessible from Europe, and it contained info for European members of the press. That could turn this into a GDPR (General Data Protection Regulation) issue,” VentureBeat reports.
Users and gamers who attended E3 are disappointed and angry over ESA’s “accidental leak.” Some users say ESA should have been careful about its security measures and taken precautions to keep the personal information of thousands of journalists safe.
Re: ESA leak
I have friends in cybersec, and I’ve learned valuable lessons from them about how to protect myself. I don’t use my real name on socials, I don’t ever give my real number, I have proxy emails.
None of that matters now, thanks to the ESA
Disappointed, angry, scared
— Pepin (@Dom_Pepin) August 3, 2019
Nathan Ditum, an editor at PlayStation Access who attended E3 this year, tweeted, “Many journalists and content creators are freelancers and work from home addresses. This leak isn’t just clumsy, it’s a real cause for concern.”
Here’s the first contact from the ESA. It doesn’t confirm I’m on the list (I am), what details have been shared, or give an explanation as to how this happened. This is, even at this stage, surprisingly poor. pic.twitter.com/5DEtb3M1hF
— Nathan Ditum (@NathanDitum) August 3, 2019
A content creator with the handle @Parris tweeted he is “getting random texts saying they have my personal info, including my home address and putting my family at risk.”
went to bed upset about The ESA leak and I am furious this morning, Getting random texts saying they have my personal info, including my home address and putting my family at risk IS NOT OK! For those affected do what you can to protect yourself
— Parris (@vicious696) August 3, 2019
A gaming news commentator at SDGC tweeted, “The ESA’s carelessness and negligence has put the private information of thousands of games media employees in the hands of harassers.”
To say that the ESA effectively doxxed the people who attended E3 2019 would not be an understatement
They took next to no precautions with the personal information of THOUSANDS of journalists
The ESA must be held to task for the dangerous situation they’ve put people in
— Derek Van Dyke 🔜 PAX West (@DerekOfTheD) August 3, 2019
A user on Reddit writes, “There’s a legitimate question of whether there will even be an E3 next year after this. Because there’s absolutely no question that the ESA is getting sued heavily over this. Especially since European journalists are on this. Which means the ESA’s going to be subject to GDPR. It’s hard to really overstate how potentially devastating this is going to be for them.”
Another Reddit user writes, “What’s unforgivable is at this point, things like this have happened so many times and you still have people who refuse to take their security seriously and double-check their work. It’s just negligent at this point.”
I spoke with three lawyers (2 US, 1 UK) about the ESA’s data breach and how the courts may view cases brought against the lobbying agency for violation of privacy and improper sharing of personal information. @theESA’s response to this situation has been severely lacking. https://t.co/royuIPEiP2
— Mike Futter (@Futterish) August 3, 2019
*** This is a Security Bloggers Network syndicated blog from Security News – Packt Hub authored by Savia Lobo. Read the original post at: https://hub.packtpub.com/esas-e3-web-security-negligence-endangers-more-than-2000-game-media-journalists-investors-after-accidental-leak-exposes-pii-data/