E3 organization leaks data for over 2,000 journalists and analysts
Up until yesterday, however, that list was accessible to anyone who clicked on a button on the ESA website, as first spotted by YouTube creator Sophia Narwitz. Since then, the ESA has removed the spreadsheet from its site. But it did not do that before other people were able to download it. At this point, it’s impossible to tell who has the list.
This failure to adequately secure sensitive data doesn’t just expose games journalists. I’ve confirmed with someone who has access to the list (with the ESA’s permission) that it contains info for YouTube creators, Wall Street financial analysts at firms like Wedbush and Goldman Sachs, and Tencent employees.
The ESA’s reaction to the E3 data leak
This puts the ESA in a tough spot. I reached out to the organization, and it provided the following statement from a spokesperson:
“ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public. Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.”
While this breach could expose people to certain threats, it could also hurt the ESA’s bottom line. Companies pay the organization a lot of money to show up to E3. And part of the reason the trade show is worth that price is because the group has a spreadsheet with the contact info for popular YouTubers and influential media personalities. If people are more hesitant to share that data at E3 2020, suddenly the show is potentially less valuable to attending developers and other companies.
The ESA website was likely also accessible from Europe, and it contained info for European members of the press. That could turn this into a GDPR (General Data Protection Regulation) issue. That is the EU regulatory framework that obliges any company that collects data to meet certain assurances of security.
The maximum fine for a GDPR violation is 20 million euros.