Last weekend, we learned that the Electronic Software Association, the US’s biggest video game lobby backed by some of the biggest companies in the industry, was responsible for a nasty E3 data breach that exposed personally identifying information for over 2000 journalists, exhibitors, investors, and analysts related to this year’s convention. A YouTuber exposed the fact that the ESA had left a document with the detailed PID on its webserver, accessible to the public; though the ESA apparently pulled the file upon being notified, the PID was still accessible through caching archives, which meant the vlogger further exposed it with the video report and heavily amplified the breach.
Following the revelation, the ESA made a statement claiming that the breach was the result of a website “vulnerability” that was “exploited” and “became public” (passive voice, no subject, no direct responsibility taken). “The Entertainment Software Association (ESA) was made aware yesterday of a website vulnerability on the exhibitor portal section of the E3 website. Unfortunately, a vulnerability was exploited and that list became public. We regret this happened and are sorry,” the lobby wrote. “For more than 20 years there has never been an issue. When we found out, we took down the E3 exhibitor portal and ensured the media list was no longer available on the E3 website.”
But now it appears that wasn’t quite true. Just a few days later, it became clear that databases from 2004 and 2006 had also been publicly cached on another archive website, with over 6000 people (likely with some overlap) exposed.
And last night, we learned that 2018’s database was also affected. GameDaily’s Mike Futter, who’s been all over this story, now has multiple sources (and the file itself) demonstrating that a leak of the 2018 dataset occurred too. In fact, one of the sources, a game developer, notified E3 organizers in September 2018 about the accessibility of those personal data, but the ESA never responded, and the data were still accessible as recently as “a couple of months ago.” Yikes.
“After I contacted my attorney, I was given three options: wait for the possibility of actual damages to press charges against the ESA, get everyone riled up and bring attention to it—which would put people at risk, and that was my biggest fear—so a class-action lawsuit could possibly be put together, or tell the ESA to take it down,” one source told GameDaily. “Telling the ESA about it and having them take it down would mean they wouldn’t have to face any consequences, and could brush it under the rug. I didn’t want that.”
If you’re currently wondering whether these data were leaked every year and not just the ones folks have found so far, you’re not alone. If you’re currently wondering when the lawsuits will begin and whether we’ll be covering this for years to come, you’re not alone there either.