ESA security failures worsen as proof of E3 2018 data leak emerges [Update]

The ESA's week continues to get worse, as proof emerges the lobbying agency exposed data belonging to journalists that attended E3 2018.

Update (8-6-2019)

Following publication of our story, a second source reached out to GameDaily with additional information. They provided evidence to us that they had acquired a copy of the 2018 file in the same way as our initial source. We granted anonymity to protect this individual's career.

Our second source stumbled upon the file in September 2018. They immediately contacted a monitored E3 Expo email address to alert the event staff to the data leak. Our source shared the email, complete with headers, so we were able to verify their claim.

Hello,

I know this is the media address, but I can't find a better address to push this query to.

I work for [company name withheld], as lead developer, and I'd like to disclose that your wordpress install is leaking private information to the public.
This may be a GDPR concern, also.

If you could pass this email to your technical team, or the correct department, that would be excellent.

As per reasonable disclosure guidelines, I'll allow 60 days from the date of this email (2018-09-18) for a reasonable response.

Our source never received a response from E3 staff or the ESA. The lack of response, combined with work responsibilities, led them to forget to follow up. Our initial source confirmed to us that the 2018 list was live when they last checked a couple of months ago.

GameDaily sent a follow-up inquiry to the ESA, which did not respond by the time of publication. We'll update should we receive a reply.

Original Story:

The ESA has come under fire for doxing more than 2,000 journalists, content creators, and analysts that attended E3 2019. In the wake of that news, the lobbying agency also revealed it had exposed data relating to the 2004 and 2006 events.

Today, GameDaily was provided proof that the organization also failed to protect the data of those that attended E3 2018 as journalists, content creators, and analysts. Our source, a journalist on the list who has asked to remain anonymous to protect their safety, came upon the list in August 2018 by searching their email address in Google.

This search (and others like it) led to a link to a direct download of the 2018 media list. GameDaily is in possession of the list, provided by our source, and can confirm its authenticity. Our source opted not to contact the ESA or bring it to the public’s attention to minimize harm. Now that the document has been taken down (likely at the same time as the 2004, 2006, and 2019 files), our source was comfortable coming forward.

“After I contacted my attorney, I was given three options: wait for the possibility of actual damages to press charges against the ESA, get everyone riled up and bring attention to it—which would put people at risk, and that was my biggest fear—so a class-action lawsuit could possibly be put together, or tell the ESA to take it down,” they explained to GameDaily in a text conversation. “Telling the ESA about it and having them take it down would mean they wouldn't have to face any consequences, and could brush it under the rug. I didn't want that.”

The document URL indicates that it was uploaded to a WordPress site without any encryption. Anyone with the direct link (or a lucky web search of an email address on the list) could have found it and downloaded it. 

This new information reveals that the ESA’s statement was, at least in part, untruthful. The company said in its email to affected 2019 attendees that, “For more than 20 years, this has never been an issue.” 

“I was absolutely infuriated when the ESA released their statement saying it had never happened before,” our source said. “They lied, knowing what they did, and that's why I decided to bring the evidence to you today.”

GameDaily reached out to the ESA for comment. After providing evidence of our claim, the organization provided a brief statement.

“Our top priority is to win back the trust of our media partners,” an Entertainment Software Association spokesperson told GameDaily via email. “We are working with outside counsel and independent experts to investigate this situation and enhance security efforts to avoid this from happening again.”

The ESA has big questions to answer. The organization has clearly employed sub-standard privacy practices. It has not protected the personal data of media, content creators, and analysts. And the damage may be even worse than we know with this latest information. 

This story was updated on August 6, 2019.


Michael Futter is the author of The GameDev Business Handbook, a guide for creating and sustaining an independent video game studio, and The GameDev Budgeting Handbook. He is also the former news editor of Game Informer and has written about business and legal issues and video game industry trends for eight years.
