ESA’s E3 web security negligence endangers more than 2000 game media journalists, investors, after accidental leak exposes PII data

A few days ago, the Entertainment Software Association (ESA) accidentally leaked a spreadsheet containing the personal information of about 2,025 games industry journalists, content creators, and video producers by making it publicly available on its E3 (Electronic Entertainment Expo) website.

The information, which includes names, publications, home addresses, email addresses, and phone numbers, was captured when they registered for E3. Hackers or bad actors can use this information to harass journalists or investors.

The existence of this spreadsheet was first reported by a journalist, Sophia Narwitz, who posted about it on her personal YouTube channel on Friday, August 2. In the video, Narwitz described, “On the public E3 website was a web page that carried a link simply titled ‘Registered Media List.’ Upon clicking the link, a spreadsheet was downloaded that included the names, addresses, phone numbers, and publications of over 2,000 members of the press who attended E3 this past year.”

ESA told VentureBeat, “ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public. Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.”

Narwitz tweeted that a group of journalists has been focusing on discrediting her: “Given that the ESA just caused a lot of suffering for many game journalists, I actually hate being on the offensive here, but the way folks in the media are lying about me and trying to bury me, it makes me really wanna scream about their lack of ethics.”

Although the E3 website has been updated and the link to the spreadsheet no longer exists, a cached version of the site does show that a link titled “Registered Media List” used to appear on a “Helpful Links” page. “For some time yesterday, even after this page was removed, clicking on the link in the easily-accessible Google cached version of the page would download the spreadsheet from the E3 website’s servers,” states Kotaku, a video game website and blog.

ESA said in a statement that it provides “ESA members and exhibitors a media list on a password-protected exhibitor site so they can invite you to E3 press events, connect with you for interviews, and let you know what they are showcasing. For more than 20 years there has never been an issue.”

This accidental leak has serious potential to impact ESA’s image given that E3 is a prestigious event that companies pay the organization a lot of money to show up to. Also, “the ESA website was likely also accessible from Europe, and it contained info for European members of the press. That could turn this into a GDPR (General Data Protection Regulation) issue,” VentureBeat reports. 

Users and gamers who attended E3 are disappointed and angry over ESA’s “accidental leak”. Some users say ESA should have been careful about its security measures and taken precautions to keep the personal information of thousands of journalists safe.

Nathan Ditum, an editor at PlayStation Access who attended E3 this year, tweeted, “Many journalists and content creators are freelancers and work from home addresses. This leak isn’t just clumsy, it’s a real cause for concern.”

A content creator with the handle @Parris tweeted he is “getting random texts saying they have my personal info, including my home address and putting my family at risk.”

A gaming news commentator at SDGC tweeted, “The ESA’s carelessness and negligence has put the private information of thousands of games media employees in the hands of harassers.”

A user on Reddit writes, “There’s a legitimate question of whether there will even be an E3 next year after this. Because there’s absolutely no question that the ESA is getting sued heavily over this. Especially since European journalists are on this. Which means the ESA’s going to be subject to GDPR. It’s hard to really overstate how potentially devastating this is going to be for them.”

Another Reddit user writes, “What’s unforgivable is at this point, things like this have happened so many times and you still have people who refuse to take their security seriously and double-check their work. It’s just negligent at this point.”

*** This is a Security Bloggers Network syndicated blog from Security News – Packt Hub authored by Savia Lobo. Read the original post at: