author: Konrad Serafinski
E3 Leaks Personal Data of More Than 2,000 Participants
Personal data of over 2,000 E3 2019 participants leaked to the web. The list of victims include journalists, YouTubers and developers. Michal Manka, the editor of our sister website GryOnline, commented on the whole situation and its consequences.
You don't have to explain it to anyone what is the E3 trade fair for the video game industry. The Los Angeles event remains a gaming celebration day, even when the big companies (like Sony) decide not to come. We should remember that the E3 is addressed primarily to industry journalists (in contrast to gamescom, which is much more open to visitors). Unfortunately, this year something went very wrong and personal data of over 2,000 YouTubuers, journalists, creators and guests invited to the event were leaked to the web. How did that happen? I asked one of our colleagues, Michal Manka, whose data (as he was a participant of E3) is currently freely available somewhere on the Internet, for a comment:
ESA's messed up on an unimaginable scale. An unencrypted file with all the contact details of journalists and YouTubers circulates around the web, something like that is virtually guaranteed to be abused. This will have a very bad impact on E3 and many companies and media representatives may not want to share their data next year, and as a result - will not appear at the event.
The E3 fair organizer, Entertainment Software Association (abbreviated ESA) always asks the above mentioned persons to register in order to obtain accreditation. Required data include name, surname, name of the editorial office, e-mail address, telephone number and address of residence. How does the process look like?
The E3 registration process itself is quite simple: we fill in our personal data (including passport data!), information about our employer and add sample content created by us in the last few months. Only then does the verification and acceptance of such a request take place. And although the contact data leak does not contain our passport numbers, I am not sure if this information has not been "secured" equally incompetently.
All personal data were stored in a single text document on the official ESA website. Unfortunately, for some time, anyone who visited the site could download the file without any problems. The case was publicized by Sophia Narwitz, who uploaded a video showing a data leak on her private YouTube account. You can see the material below.
The author of the material contacted ESA before the video was published and informed about the problem. She also let other journalists know. It is worth noting, however, that the problem does not only concern press workers. The file also contained data of analysts, creators and youtubers. after some time ESA deleted the link leading to the file, but it was still available for people who had a direct link or simply could use the cache memory of the page. Eventually, all sensitive data disappeared from the servers and the association apologized for the situation in the private emails, whose content... Well, look for yourselves:
“ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public, We regret this occurrence and are very sorry.
We provide ESA members and exhibitors with a media list on the publisher's password-protected website so that they can invite you (journalists, YouTubers, etc. - editorial note) to press conferences, contact you, and keep you informed about events. For more than 20 years, this has not been a problem. Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available.
Once again, we regret this occurrence and have put measures in place to ensure it will not occur again.”
As you can see, the situation is quite dire and the question arises as to whether ESA will get the chance to 'ensure it will not occur again'. Let us recall that the data also concerned European citizens, which means GDPR. There may be long court battles ahead, but how will this affect the fair itself? Michal Manka comments strongly:
The worst case scenario is the end of E3 as we know it. Much depends on how this is decided by law, because we know very well that somebody's going to go to the court with this. In this case, we, too, should not let this slip, especially after the pathetic explanation that ESA sent to the victims.
On behalf of all those whose data have been made public, we hope that they will not fall into the wrong hands. As far as ESA is concerned, we as gamers have to believe that this will not have a negative impact on the event that has been a hallmark of the industry for years, even if recently there has been a discussion about whether publishers still need the E3.