Nearly 2,000 gaming industry folks woke up this past weekend to news of a massive data leak from the organization behind the E3 gaming conference. Everyone who registered with the Entertainment Software Agency (ESA) as a member of the press, YouTuber, Influencer, or streamer had all that registration information made publicly available. While the ESA acted relatively quickly to remove the information, the data had already been downloaded and reshared.
The worst news by far, however, is how few consequences it seems like there will be for the ESA after having allowed such an egregious violation of trust to take place. Its sad apology letter didn't help either.
How did ESA's E3 privacy breach unfold?
When you register for any tech or gaming event, there's a fairly significant exchange of information. Mailing addresses, phone numbers, and occasionally an emergency contact are requested when applying for access to these events. In some cases, you're not just sharing your own information but also that of your editor, to confirm you're actually applying to attend the event to do work instead of just playing games or getting a free pass to a paid event.
For many events, this information is shared with the businesses that will also attend. Doing so allows those businesses to contact press members and invite them to either see things under embargo or get a private tour of their booths before everyone else. This gives the media the ability to get photos and videos without a crowd, which makes it easier to share the experience with everyone not attending the event. This is all fairly standard, and there's usually a checkbox confirming that you're OK with receiving pitches from companies in attendance.
The ESA gathered all of these registrations into a single document and had that document on its website in a file labeled "Registered Media List." This document was available to anyone with a web browser. In other words, anyone could download this info and explore it, which is exactly what YouTuber Sophia Narwitz did when she showed the world what the ESA had done.
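The failure described above is a bulk contact list sitting in a directory the web server hands to any anonymous browser. A pre-publish check that would have caught it is not complicated: walk the public web root and flag any file that holds many distinct e-mail addresses or phone numbers, since a single contact address on a page is normal but dozens of them is a registrant list. The script below is an added example written for this article, not code from the ESA or the event site; the sample web root, file names and all contact values in it are constructed (e-mail addresses under example domains, phone numbers in the reserved 555 range), and the `min_records` threshold is an assumed tuning value.

```python
"""Pre-publish audit for bulk personal data in a public web root.

Added example (not from the article or the ESA): walks the files a web
server would serve without authentication and flags any file holding
many records of contact data (e-mail addresses, phone numbers). One
contact address on a page is normal; a file with dozens of e-mail or
phone entries is a registrant or contact list that should never be
reachable by an anonymous browser.
"""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# North-American style numbers: optional area-code parentheses, then 3-3-4
# digits separated by space, dot or hyphen. The constructed data below uses
# the reserved 555 range so no real number appears.
PHONE_RE = re.compile(r"\b\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b")

# Text formats the scanner reads directly; binary spreadsheets (xlsx) would
# need a dedicated parser and are skipped by this example.
TEXT_SUFFIXES = {".csv", ".tsv", ".txt", ".json", ".html", ".htm"}


@dataclass
class Finding:
    path: str      # relative to the web root
    emails: int    # distinct e-mail addresses in the file
    phones: int    # distinct phone numbers in the file


def count_pii(text: str) -> tuple[int, int]:
    """Return (distinct e-mail addresses, distinct phone numbers) in text."""
    return len(set(EMAIL_RE.findall(text))), len(set(PHONE_RE.findall(text)))


def audit_web_root(root: Path, min_records: int = 5) -> list[Finding]:
    """Flag every text file under root that contains at least min_records
    distinct e-mail addresses or phone numbers, i.e. bulk contact data.
    min_records is an assumed threshold; tune it to the site's content."""
    findings: list[Finding] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        emails, phones = count_pii(path.read_text(errors="replace"))
        if emails >= min_records or phones >= min_records:
            findings.append(Finding(str(path.relative_to(root)), emails, phones))
    return findings


def build_sample_root() -> Path:
    """Constructed sample web root: one harmless contact page plus a bulk
    registrant export of the kind the article describes. Every value is
    made up; the file name mirrors the article's description only."""
    root = Path(tempfile.mkdtemp())
    (root / "index.html").write_text(
        "<p>Press enquiries: press@example.org or (555) 555-0100</p>\n"
    )
    rows = ["name,outlet,email,phone,address"]
    for i in range(1, 9):
        rows.append(
            f"Reporter {i},Outlet {i},reporter{i}@example.com,"
            f"555-555-01{i:02d},{i} Sample St"
        )
    (root / "media").mkdir()
    (root / "media" / "registered_media_list.csv").write_text("\n".join(rows) + "\n")
    return root


if __name__ == "__main__":
    # Run the audit over the constructed root: index.html is left alone,
    # the registrant export is reported as exposed.
    for f in audit_web_root(build_sample_root()):
        print(f"EXPOSED: {f.path}: {f.emails} e-mail addresses, {f.phones} phone numbers")
```

Run it against the directory your web server actually publishes (or a staging copy of it) before each deploy, and treat any finding as a blocker: the fix is to move the file behind authentication or off the server entirely, not to rename it, because as the next paragraphs show, anything that was ever publicly reachable may already be archived.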
For an organization that claims on its website to be "visionaries redefining the business and creative boundaries of entertainment," the ESA demonstrated some fairly Stone Age data privacy and web access practices.
This isn't something that only happened once.
Using the Wayback Machine and other tools, similar documents from previous E3 registrations have been unearthed. Put simply, if you attended E3 since the internet has been a thing, there's a good chance your personal information is out there for the world to see. And that sucks.
Since the data has been made public, gaming industry folks have found themselves in difficult situations. I've seen friends lock their Twitter accounts and change their phone numbers thanks to a nearly endless wave of personal attacks. Many are concerned about the return of practices like "swatting" if they say something a person on the internet doesn't like, while others are afraid of good old-fashioned credit card scams thanks to the personal information now publicly available. How did the ESA respond to these concerns?
From the response ESA sent to the affected:
ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public. Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.
That's it. It regrets exposing nearly 2,000 people, the folks invited to attend an event it makes heaps of money from each year. E3 is, and has been for many years, the game conference in the U.S. It's where the largest companies in the gaming world create massive spectacles that keep viewers at home glued to their phones for an entire week. Regardless of how the company handled this incident, people who write about games for a living have little choice but to attend future events, even though the ESA seems to have little to no concern for their safety or well-being.
Very few consequences for ESA and E3
While some folks outside the U.S. are having a conversation about a possible lawsuit against the ESA for this breach, the sad truth is there's little to be done. Many have changed their phone numbers, but home addresses were also leaked, and it's not like most of the people attending this event can just up and move house. There are no legal consequences in the U.S. for this kind of thing, both because you agree to share that information when you sign up and because the U.S. government doesn't seem interested in pursuing this in any sort of regulatory or legal sense.
To be clear, this isn't like a financial data breach, where there are protections in place and legal consequences. This happened, and outside of the promise from the ESA not to do it again, there's no way to guarantee it won't happen again, and no punishment if it does.
The ESA says, "we are the video game industry," but it is clearly mishandling this incident. While all of this is happening, the organization gets to act as though it's the hero when it comes to things like console manufacturers rolling out united policies on loot boxes. If a data breach like this had happened to people registered for an Xbox event, the ESA would be involved in the process of ensuring it never happened again. There would be a strongly worded blog post on the ESA website about how Microsoft would implement new policies to ensure it doesn't happen again. But the reverse is not happening; there will be no public pressure from the biggest names in the industry to ensure the ESA takes care of the people who attend its event in a journalistic or promotional effort.
It's unlikely we've heard the end of this particular story. If a lawsuit happens to make it beyond a private settlement, it probably won't have any lasting consequences. The ESA could have offered anything, from a personal apology to the people it exposed to basic credit monitoring services, and that would have been an order of magnitude more impactful than what it actually did. In the end, nothing will have really changed.
It really shouldn't take a catastrophic incident for an organization to care about the privacy and safety of the people it serves and works with. For now, there is not much else the affected can do but hope this particular breach won't result in one.