
ESA's massive E3 privacy breach simply shouldn't go unpunished

E3 2019 sign (Image credit: Martin Garcia/ESPAT Media/Getty)

Nearly 2,000 gaming industry folks woke up this past weekend to news of a massive data leak from the organization behind the E3 gaming conference. Everyone who registered with the Entertainment Software Agency (ESA) as a member of the press, YouTuber, Influencer, or streamer had all that registration information made publicly available. While the ESA acted relatively quickly to remove the information, the data had already been downloaded and reshared.

The worst news by far, however, is how few consequences it seems like there will be for the ESA after having allowed such an egregious violation of trust to take place. Its sad apology letter didn't help either.

How did ESA's E3 privacy breach unfold?

Mixer @ E3 (Image credit: Windows Central)

When you register for any tech or gaming event, there's a fairly significant exchange of information. Mailing addresses, phone numbers, and occasionally an emergency contact are requested when applying for access to these events. In some cases, you're not just sharing your own information but also that of your editor, to confirm you're actually applying to attend the event to do work rather than to play games or get a free pass to a paid event.

For many events, this information is shared with the businesses that will also attend. Doing so allows those businesses to contact press members and invite them to either see things under embargo or get a private tour of their booths before everyone else. This gives the media the ability to get photos and videos without a crowd, which makes it easier to share the experience with everyone not attending the event. This is all fairly standard, and there's usually a checkbox confirming that you're OK with receiving pitches from companies in attendance.

If you attended E3, your personal info is likely out there for the world to see.

The ESA gathered all of these registrations into a single document and had that document on its website in a file labeled "Registered Media List." This document was available to anyone with a web browser. In other words, anyone could download this info and explore it, which is exactly what YouTuber Sophia Narwitz did when she showed the world what the ESA had done.

For an organization that claims on its website to be "visionaries redefining the business and creative boundaries of entertainment," the ESA demonstrated some fairly stone-age data privacy and web access practices.

This isn't something that only happened once.

Using the Wayback Machine and other tools, similar documents from previous E3 registrations have been unearthed. Put simply, if you attended E3 since the internet has been a thing, there's a good chance your personal information is out there for the world to see. And that sucks.

Since the data was made public, gaming industry folks have found themselves in difficult situations. I've seen friends lock their Twitter accounts and change their phone numbers thanks to a nearly endless wave of personal attacks. Many are concerned about the return of practices like "SWATing" if they say something a person on the internet doesn't like, while others are afraid of good old-fashioned credit card scams thanks to the personal information now publicly available. How did the ESA respond to these concerns?

From the response ESA sent to the affected:

ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public. Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.

That's it. It regrets exposing nearly 2,000 people, the folks invited to attend an event it makes heaps of money from each year. E3 is, and has been for many years, the game conference in the U.S. It's where the largest companies in the gaming world create massive spectacles that keep viewers at home glued to their phones for an entire week. Regardless of how the organization handled this incident, people who write about games for a living have little choice but to attend future events, even though the ESA seems to have little to no concern for their safety or well-being.

Very few consequences for ESA and E3

Project Scarlett (Image credit: Windows Central)

While some folks outside the U.S. are having a conversation about a possible lawsuit against the ESA for this breach, the sad truth is there's little to be done. Many have changed their phone numbers, but home addresses were also leaked, and it's not like most of the people attending this event can just up and move house. There are no legal consequences in the U.S. for this kind of thing, both because you agree to share that information when you sign up and because the U.S. government doesn't seem interested in pursuing this in any sort of regulatory or legal sense.

To be clear, this isn't like a financial data breach, where there are protections in place and legal consequences. This happened, and outside of the ESA's promise not to do it again, there's no way to guarantee it won't happen again, and no punishment if it does.

It shouldn't take a catastrophic incident for any organization to care about privacy.

ESA says, "we are the video game industry," but it is clearly mishandling this incident. While all of this is happening, the organization gets to act as though it's the hero when it comes to things like console manufacturers rolling out united policies on loot boxes. If a data breach like this had happened to people registered for an Xbox event, the ESA would be involved in the process of ensuring it never happened again. There would be a strongly-worded blog post on the ESA website about how Microsoft would implement new policies to ensure it doesn't happen again. But the reverse is not happening; there will be no public pressure from the biggest names in the industry to ensure the ESA takes care of the people who attend its event in a journalistic or promotional effort.

It's unlikely we've heard the end of this particular story. If a lawsuit happens to make it beyond a private settlement, it probably won't have any lasting consequences. The ESA could have offered anything, from a personal apology to the people it exposed to basic credit monitoring services, and that would have been an order of magnitude more impactful than what it actually did. In the end, nothing will have really changed.

It really shouldn't take a catastrophic incident for an organization to care about the privacy and safety of the people it serves and works with. For now, there is not much else the affected can do but hope this particular breach won't result in one.

Russell is a tech nerd who chases the best of everything, from phones to game consoles to laptops and everything glowing or beeping. He's the Managing Editor of gaming content for Mobile Nations and can be found contributing to all of the Mobile Nations sites. Reach out on Twitter!

3 Comments
  • Holy Moly. Goes to show what happens when a data breach of this scale happens when there are zilch in basic consumer regulations and data protections. If this occurred in the EU there would have been hell to pay, but since it happened in the US, ESA gets away with a meh statement. Also the ESA saying that "we are the video game industry" is wholly inaccurate, as it's the people from the fans, the event attendees, the studios, the special booth makers and the people who work behind the scenes at venues who are the video game industry, NOT the ESA.
  • My information got out from 2 of 3 data leaks. Changed phone carrier and multi-authenticated all my emails, and protecting my home address is just... How? Stupidest thing is, where do people in the US report this to? So far only the UK has something for it. It's absolutely nuts.
  • Not just the UK, but the EU GDPR policy is far more stringent than the Data Protection Act in the UK, for example, and requires companies to ensure that they have mechanisms in place to safeguard data. Companies have until next year to ensure they have mechanisms in place to ensure they are compliant, otherwise there is a fine. One such mechanism is that each company must have an appointed Data Controller, who is tasked with overseeing the safeguard measures that are both enforced and implemented. One aspect of EU GDPR policy that is not up for discussion is how client data is dealt with on a personal device when an employee leaves employment; the employer must witness the now former employee delete the data off their phone, which usually means they have to factory reset their device. Also, this policy mandates that all individuals have the right to privacy on the internet.