The Entertainment Software Association has apologized for leaking the personal information of 2,000 journalists, content creators, and industry professionals. The ESA told PC Gamer that a "website vulnerability" led to the list of E3 2019 registrants becoming publicly available.
"ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public," the industry organization said. "Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again."
The information was submitted as part of the E3 registration process, and included addresses and phone numbers. The ESA emailed an apology to the people affected by the leak, explaining that the list is maintained in order to enable exhibitors to send invitations and set up appointments.
"For more than 20 years there has never been an issue. When we found out, we took down the E3 exhibitor portal and ensured the media list was no longer available on the E3 website," it wrote. "Again, we apologize for the inconvenience and have already taken steps to ensure this will not happen again."
That apology may not be sufficient, however. Attorney Jas Purewal, whose Purewal and Partners law firm specializes in digital entertainment and tech industries in the EU, told Game Daily that the ESA could be at risk of a potentially substantial fine for violating the General Data Protection Regulation (GDPR), because the leak included information about European citizens.
"To be fair to the ESA, details of exactly how this data was stored and could be accessed are still unclear," Purewal said. "If however reports are correct that E3 attendee data was simply being stored in an open spreadsheet which anyone with a link could access, this would not look good for the ESA."
The matter is complicated by the fact that the ESA doesn't maintain a presence in the European Union, which Purewal said "represents one of the significant limitations of GDPR" in terms of enforcement. The exact nature of the leak, which would also affect any potential GDPR penalties, isn't clear yet either. YouTuber Sophia Narwitz, who first discovered and reported on the exposed information, told Buzzfeed that the spreadsheet "wasn’t password protected, it was just in the open for anyone to download with a single click."
According to an explanation of encryption requirements from Townsend Security, that's a potentially gross violation of GDPR requirements. From a liability standpoint, the situation is made worse by the fact that some people are already reporting incidents of targeted harassment resulting from the leak, including anonymous phone calls and text messages.
Any musing about a possible GDPR sanction is speculative at this point, but it could be very bad news for the ESA if it happens: Implemented in 2018, the GDPR strictly regulates the use of an individual's personal information, and violations can result in fines of up to €20 million ($22.4 million USD) or four percent of a company's previous-year worldwide annual revenues, whichever is higher.
Update: The ESA has issued a statement saying that the leaked file was located on a password-protected section of the E3 website that was intended only for exhibitors. "As soon as we learned of this issue, we took immediate action. We removed the file from the website, we disabled access to the site’s exhibitor portal, and we notified those affected. In addition, we launched a process to locate and remove private and public caches and other publicly-accessible online locations that contained the file," an ESA rep said.
It also revealed that previous media contact lists, from 2004 and 2006, had been accessible via a "third-party internet archive site." It didn't say how long those lists were accessible by the public, but they have been taken offline as well.
"These were not files hosted on ESA’s servers or on the current website. We took immediate steps to have those files removed, and we received confirmation today that all files were taken down from the third-party site. We also immediately notified those persons impacted. General attendee information was not affected in this situation," the ESA said.
"We are working with our partners, outside counsel, and independent experts to investigate what led to this situation and to enhance our security efforts. We are still investigating the matter to gain a full understanding of the facts and circumstances that led to the issue."