Over the last week, a major data leak occurred within the ESA that threatened the safety of thousands of people. Games journalists, game industry employees, and analysts within the industry all had their personal details leaked online in one of the biggest data breaches in recent memory within the gaming industry. Names, personal addresses and phone numbers of a variety of people have leaked online.
And in even more bad news, the caches contained other data as well, and the volume and type of that data is quite unexpected. For one thing, data dating all the way back to 2004 was included in the breach. What’s more, people from all over the world were affected, including some people in Europe.
The entire leak was down to a rather stupid mistake. A link on the site of the ESA, the company that hosts E3, led to a spreadsheet containing literally thousands of entries, listing the names, phone numbers and home addresses of thousands of game journalists. Anyone wishing to interact with the ESA, say to attend press events, had to submit contact information to the organization in order to be given invites, press passes and other things. But for some reason, the spreadsheet containing all of this was published on a publicly accessible server.
This data was quickly discovered, and then leaked online. It’s impossible to guess how many people have access to the information, but the effect has been almost immediate, as multiple people on said list have allegedly received threats against them. Take this as a lesson, everyone: don’t store any type of personal data on a web server in an unencrypted and publicly accessible form.
This alone is enough to bill this whole kerfuffle as a major screwup, but it only gets worse from here. The ESA will likely face a GDPR violation suit, the maximum fine for which is €20 million.
The ESA quickly responded and removed the data, as well as connected caches of older versions of the data on third-party sites. In a statement to VentureBeat, the group had the following to say on the issue and their response:
“ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public. Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.
We are working with our partners, outside counsel, and independent experts to investigate what led to this situation and to enhance our security efforts. We are still investigating the matter to gain a full understanding of the facts and circumstances that led to the issue.”
And on the breadth of data leaked, the ESA had the following to say in a press email:
“In the course of our investigation, we learned that media contact lists from E3 2004 and 2006 were cached on a third-party internet archive site. These were not files hosted on ESA’s servers or on the current website. We took immediate steps to have those files removed, and we received confirmation today that all files have either been taken down or are in the process of being removed from the third-party site.”
So though the ESA did the only thing it could and tried to contain the leak, people are justifiably really angry. There will be a very difficult uphill battle for the group as they try to recover from this and avoid debilitating fines. It’s also worth mentioning that the consumer and public confidence invested in E3 and the ESA has all but evaporated. Some online are even calling for a class-action lawsuit over the breach, although there’s been little news on that particular front.
One thing is for sure, though: a lot fewer people will be willing to attend and support E3 in 2020. So as companies like Sony completely abandon the event, there’s a rather strong chance that the lineup for next year is about to shrink even more.