The ESA’s 2019 E3 journalist database breach wasn’t at all a one-time thing

    

Last weekend, we learned that the Entertainment Software Association, the US’s biggest video game lobby backed by some of the biggest companies in the industry, was responsible for a nasty E3 data breach that exposed personally identifying information for over 2000 journalists, exhibitors, investors, and analysts related to this year’s convention. A YouTuber exposed the fact that the ESA had left a document with the detailed PID on its webserver, accessible to the public; though the ESA apparently pulled the file upon being notified, the PID was still accessible through caching archives, which meant the vlogger further exposed it with the video report and heavily amplified the breach.

Following the revelation, the ESA made a statement claiming that the breach was the result of a website “vulnerability” that was “exploited” and “became public” (passive tense, no subject, no direct responsibility taken). “The Entertainment Software Association (ESA) was made aware yesterday of a website vulnerability on the exhibitor portal section of the E3 website. Unfortunately, a vulnerability was exploited and that list became public. We regret this happened and are sorry,” the lobby wrote. “For more than 20 years there has never been an issue. When we found out, we took down the E3 exhibitor portal and ensured the media list was no longer available on the E3 website.”

But now it appears that wasn’t quite true. Just a few days later, it became clear that databases from 2004 and 2006 had also been publicly cached on another archive website, with over 6000 people (likely with some overlap) exposed.

And last night, we learned that 2018’s database was also affected. GameDaily’s Mike Futter, who’s been all over this story, now has multiple sources (and the file itself) demonstrating that a leak of the 2018 dataset occurred too. In fact, one of the sources, a game developer, notified E3 organizers in September 2018 about the accessibility of those personal data, but the ESA never responded, and the data were still accessible as recently as “a couple of months ago.” Yikes.

“After I contacted my attorney, I was given three options: wait for the possibility of actual damages to press charges against the ESA, get everyone riled up and bring attention to it—which would put people at risk, and that was my biggest fear—so a class-action lawsuit could possibly be put together, or tell the ESA to take it down,” one source told GameDaily. “Telling the ESA about it and having them take it down would mean they wouldn’t have to face any consequences, and could brush it under the rug. I didn’t want that.”

If you’re currently wondering whether these data were leaked every year and not just the ones folks have found so far, you’re not alone. If you’re currently wondering when the lawsuits will begin and whether we’ll be covering this for years to come, you’re not alone there either.

Source: GameDaily

MurderHobo

the vlogger further exposed it with the video report and heavily amplified the breach

There sounds like an interesting opinion piece in this, perhaps an opportunity to teach vloggers a bit about actual ethics in game journalism. There’s also a lesson for ESA management regarding the state of their infrastructure, as well as a lesson for all of us about this new digitally-integrated reality we’re entering.

Out of so many sci-fi near-future scenarios, I guess I underappreciated cyberpunk.

Mordyjuice

Nothing to see, just a new showcase for the next generation of monetization.

agemyth 😩

See you next year!

silverlock

and remember we know where you live!

Godnaz

(passive tense, no subject, no direct responsibility taken)

When “Sorry, we messed up.” is too difficult to say, even privately to your clients, there is a serious integrity problem with the people who run ESA. Jim Sterling, Yang amongst other industry chats are saying that they will no longer be attending events operated by ESA.

Yikes

Very much Yikes.

silverlock

As much as I hate to make any sort of excuse for these clowns it should be pointed out saying sorry equals admitting fault which has potential legal ramifications.

Still they are so clearly at fault that saying sorry at this point would probably work more in their favor than against.

Greaterdivinity

I feel so bad for the media dealing with harassment as a result of this, it’s garbage of the highest order. Even for those that aren’t, that’s a lot of personal information that’s out in the wild now which is stressful enough.

ESA has done goofed…hard, and it will take a long time to rebuild that trust, if they ever can. This is a massive privacy screwup, especially since so many media use personal info rather than business info on the list. I can’t imagine media are going to be excited filling out their personal information for E3 next year (lots of business info, I imagine)…and now I’m wondering if any of the industry or public attendee lists were accessible…

Schmidt.Capela

When the group that protects the interests of and handles lobbying for all the MMO publishers deals with privacy and data security in such a disastrously lazy way, and for that gets no pushback from its members, it becomes quite hard to believe said members will treat the personal data we submit to them with the necessary care.

Edit: sorry about posting it as a reply, I clicked in the wrong place.