E3 organizer leaks personal info of over 2,000 media and content creators

(Image credit: ESA)

The Entertainment Software Association has apologized for leaking the personal information of 2,000 journalists, content creators, and industry professionals. The ESA told PC Gamer that a "website vulnerability" led to the list of E3 2019 registrants becoming publicly available.

"ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public," the industry organization said. "Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again."

The information was submitted as part of the E3 registration process, and included addresses and phone numbers. The ESA emailed an apology to the people affected by the leak, explaining that the list is maintained in order to enable exhibitors to send invitations and set up appointments. 

"For more than 20 years there has never been an issue. When we found out, we took down the E3 exhibitor portal and ensured the media list was no longer available on the E3 website," it wrote. "Again, we apologize for the inconvenience and have already taken steps to ensure this will not happen again."

That apology may not be sufficient, however. Attorney Jas Purewal, whose Purewal and Partners law firm specializes in digital entertainment and tech industries in the EU, told Game Daily that the ESA could be at risk of a potentially substantial fine for violating the General Data Protection Regulation (GDPR), because the leak included information about European citizens.

"To be fair to the ESA, details of exactly how this data was stored and could be accessed are still unclear," Purewal said. "If however reports are correct that E3 attendee data was simply being stored in an open spreadsheet which anyone with a link could access, this would not look good for the ESA."

The matter is complicated by the fact that the ESA doesn't maintain a presence in the European Union, which Purewal said "represents one of the significant limitations of GDPR" in terms of enforcement. The exact nature of the leak, which would also impact any potential GDPR penalties, isn't clear yet either, although YouTuber Sophia Narwitz, who first discovered and reported on the exposed information, told Buzzfeed that the spreadsheet "wasn’t password protected, it was just in the open for anyone to download with a single click." 

According to an explanation of encryption requirements from Townsend Security, that's a potentially gross violation of GDPR requirements. Exacerbating the situation further from a potential liability standpoint is the fact that some people are already reporting incidents of targeted harassment resulting from the leak, including anonymous phone calls and text messages. 

Any musing about a possible GDPR sanction is speculative at this point, but it could be very bad news for the ESA if it happens: Implemented in 2018, the GDPR strictly regulates the use of an individual's personal information, and violations can result in fines of up to €20 million ($22.4 million USD) or four percent of a company's previous-year worldwide annual revenues, whichever is higher.

Update: The ESA has issued a statement saying that the leaked file was located on a password-protected section of the E3 website that was intended only for exhibitors. "As soon as we learned of this issue, we took immediate action. We removed the file from the website, we disabled access to the site’s exhibitor portal, and we notified those affected. In addition, we launched a process to locate and remove private and public caches and other publicly-accessible online locations that contained the file," an ESA rep said.

It also revealed that previous media contact lists, from 2004 and 2006, had been accessible via a "third-party internet archive site." It didn't say how long those lists were accessible by the public, but they have been taken offline as well.

"These were not files hosted on ESA’s servers or on the current website. We took immediate steps to have those files removed, and we received confirmation today that all files were taken down from the third-party site. We also immediately notified those persons impacted. General attendee information was not affected in this situation," the ESA said.

"We are working with our partners, outside counsel, and independent experts to investigate what led to this situation and to enhance our security efforts. We are still investigating the matter to gain a full understanding of the facts and circumstances that led to the issue."

Andy Chalk

Andy has been gaming on PCs from the very beginning, starting as a youngster with text adventures and primitive action games on a cassette-based TRS80. From there he graduated to the glory days of Sierra Online adventures and Microprose sims, ran a local BBS, learned how to build PCs, and developed a longstanding love of RPGs, immersive sims, and shooters. He began writing videogame news in 2007 for The Escapist and somehow managed to avoid getting fired until 2014, when he joined the storied ranks of PC Gamer. He covers all aspects of the industry, from new game announcements and patch notes to legal disputes, Twitch beefs, esports, and Henry Cavill. Lots of Henry Cavill.