For the ESA, the E3 Data Breach Came at the Worst Possible Time

For media attendees, registering for E3 is easy. The Entertainment Software Association, which organizes the event, requires a full name, physical address, email address, and phone number. The ESA then provides that information to companies exhibiting at the show so they can contact writers and editors for potential appointments. The only people who will have access to these details are those who are doing business with you. In theory.

On August 2nd, YouTuber Sophia Narwitz published a video detailing a startling discovery she made while browsing the E3 website. She found a way to directly access to this personal information for E3 2019 media attendees. Narwitz details in the video how simple it was for the public to obtain this information, explaining that by clicking a link titled “Registered Media List,” she could download a spreadsheet with the information of over 2,000 journalists, analysts, and content creators. Narwitz says she phoned the ESA within 30 minutes of discovering the spreadsheet and, fearing the call wouldn’t be enough, quickly emailed them as well before reaching out to a number of journalists to alert them to the spreadsheet’s availability. While the ESA never responded to her messages, the page was quickly pulled and replaced with a 404 error, which then prompted her upload of the video. Even with the page pulled, the damage had already been done. Cached versions of the site still displayed the downloadable link to the spreadsheet for a short time and backups quickly spread across the Internet, leaving the information forever out in the open.

Shortly after the news went public, the ESA released a short statement: “ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public. Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.”

The next day, the ESA followed up with a longer statement:

“The Entertainment Software Association (ESA) was made aware yesterday of a website vulnerability on the exhibitor portal section of the E3 website. Unfortunately, a vulnerability was exploited and that list became public. We regret this happened and are sorry…. When we found out, we took down the E3 exhibitor portal and ensured the media list was no longer available on the E3 website. Again, we apologize for the inconvenience and have already taken steps to ensure this will not happen again.”

A few days later, an email was sent to attendees of E3 2004 and 2006 detailing additional data vulnerabilities: “In the course of our investigation, we learned that media contact lists from E3 2004 and 2006 were cached on a third-party internet archive site. These were not files hosted on ESA’s servers or on the current website. We took immediate steps to have those files removed, and we received confirmation today that all files were taken down from the third-party site. We also immediately notified those persons impacted. General attendee information was not affected in this situation.

“We are working with our partners, outside counsel, and independent experts to investigate what led to this situation and to enhance our security efforts. We are still investigating the matter to gain a full understanding of the facts and circumstances that led to the issue.”

But just how much damage can actually be done with the leaked information? A representative at AllClear ID, an identity protection firm, explained to me how those taking advantage of the leak can utilize the small amount of information available to them. “They’d maybe look for information from another breach, or, since they have the phone number, attempt to contact the consumer to get them they to reveal more information so that they can have a complete profile. In general, if it’s only names, phone numbers, and addresses, most of that will primarily be sold for marketing purposes.”

I asked what steps victims of the leak could take in order to help protect their identity. As the AllClear representative explained to me, there aren’t a lot of options. “People always have the right to place what’s known as ‘fraud alert’ on their credit report; that’s simply a notation meaning that creditors need to go through extra verification with regards to issuing credit under the consumer’s name.”

There’s another risk involved with the leak beyond simple identity theft: the safety of its victims. Harassment and threats are an awful part of being in the public eye, which is why many content creators prefer to go by a handle rather than their full name. YouTuber Haedox, one of the thousands affected by the leak, told me he’s suffered from a loss of that anonymity. “I have had messages that have directly threatened me, or have been creepy. As someone who has deliberately chosen to use a pseudonym online, I like to maintain a strict level of privacy. So, this breach has made me very paranoid, and anxious.” He said other victims of the leak share the same anxiety. “As an example, some affected are afraid to stream for fear of swatting, which means they can’t do what they’re passionate about, or make money.” 

After putting out a call on Twitter, Haedox has begun to organize a class action suit for victims of the leak. His efforts have already attracted more than 100 journalists and content creators, as well as the interest of a law firm. “We have evidence of threats [and harassment] against those affected, we have evidence of both the financial and psychological damages this leaked has caused. And we will use this evidence against the ESA.”

In reporting this story, I reached out to the ESA in the hopes of securing an interview. I went back and forth with Dan Hewitt, then the organization’s vice president of communications, over the course of a month. After agreeing to delay publication to allow Hewitt to provide more informed responses, we finally agreed on a date for our interview. When that date arrived, Hewitt requested another delay and did not respond to follow ups asking for an updated timeline. Three days after his last response, news broke that he had left the ESA to join Gearbox Software.

Kara Kelber has now taken over as the ESA’s director of communications and industry affairs. Kelber declined an interview before publication but provided me with a new statement:

“We know we need to earn back and maintain the trust of the community that we value the most. We regret the anxiety and stress this matter has caused for those impacted and their families. We would never want, and never intended, for our media partners’ contact information to be made public. As a premier event, we know E3 must meet the highest expectations in every aspect of its operations.

“Our investigation by outside counsel and independent cybersecurity experts is ongoing to ensure that we have a comprehensive understanding of the incident. As part of this effort, an outside cybersecurity firm, The Crypsis Group, is conducting a thorough audit of this incident as well as a review of our ongoing practices.

“As our investigation continues, we are taking active steps to reduce risks going forward. We are focused on making sure that our data protection practices meet today’s top industry standards. To that end, we are working to enhance our practices related to the E3 registration process with the guidance of outside cybersecurity experts. In addition, we are engaging a new firm to develop and build a new E3 website. And to instill confidence in the new website, we plan to engage in robust testing of the new site’s security before its launch. Moving forward, we also will change our practices in order to collect only the minimum information necessary to complete registration of our media attendees.

“We remain committed to our E3 community and ensuring that E3 2020 is a successful celebration of the video game industry and its fans.”

I wanted to know more about the potential legal ramifications the breach could have for the ESA and consulted with Shaq Katikala, a privacy attorney at Morrison Rothman LLP who has no direct involvement with anything surrounding the data breach. “Victims could sue E3 directly for negligence. Data breach lawsuits are usually challenging because proving damages is challenging; in the E3 breach, the damages appear to be a bit more tangible than the usual because home addresses were leaked,” he said. “The victims presumably have receipts of measures taken to protect themselves from the threats they received.” 

Katikala noted, however, that a class action suit could be a challenge. “To organize a [class action], the plaintiffs must show that the victims suffered similar harms. In the E3 leak, the victims have fairly different damages based on their public profile, threats received, and the data leaked. For example, some victims used their work address. Their damages may be significantly different from another victim who had their home address revealed, has a higher profile, or has existing stalkers. A class action might be possible, but it faces significant hurdles that would likely discourage most class action attorneys.” 

He instead advised that the easiest action to take would be for each victim to report stalking or death threats to police, and that individual victims could personally look into damages against the ESA, “especially if the breach required them to move, hire security, or otherwise spend significant costs. Victims should save any threats received and receipts of any costs expended as a result of this breach to leave their options open.”

With E3 being an international event, there are other legal matters to take into account. Privacy and data breach laws aren’t universal, after all. Last year, the European Union implemented the General Data Protection Regulation, which helps protect its citizens from privacy and data breachers regardless if the companies processing the data are within the EU. But according to Katikala, it’s not clear if the leak actually violated the GDPR. “Article 32 discusses security and requires ‘appropriate technical and organisational measures to ensure a level of security appropriate to the risk.’ Whether it qualifies as a violation depends largely on whether this is understood as a symptom of a systemic failure of their security program or a one-off, temporary accident.” He clarified that because the GDPR doesn’t enable class actions, and because so few EU citizens are affected, he’d be surprised if the European authorities brought action.

Katikala raises a good point: Some victims of the leak registered with their work information rather than their own personal information. Weighing in on the issue, Wedbush Securities analyst Michael Pachter said, “I don’t think the breach was a big deal at all. ESA has my work address, work phone, and my work email. They might have my cell, but I’m not sure. They don’t have my birthdate, driver’s license or social security number, although they required a driver’s license as ID.” He continued, “It’s only those dumb enough to have listed personal details who might be worried, and I don’t think there are many of them. Even so, it’s hard to imagine someone showing up at my house because they don’t like my stock recommendations.”

When I asked Pachter if he felt safe registering for next year’s E3, he said he did. “I feel unsafe applying for a credit card,” he added.

Pachter may have reason to feel safe about the leak, but his circumstances differ from those of freelancers and content creators who don’t have any business address to use. In the past decade, gaming culture has witnessed high-profile SWATting incidents—including at least one that resulted in a fatality—as well as coordinated harassment campaigns. For many public figures in the industry, death threats are an all-too-familiar routine. Journalists and content creators alike deal with this harassment, and both women and those in marginalized communities are particularly at risk.

Haedox, as an independent creator, dismissed Pachter’s take on the events. “It’s a bit closed-minded to think that way. All of the information I provided was confidential and personal. Regardless, I feel as if that mindset is shifting the focus of what those affected are truly upset about. Much of the information, even the business addresses and such, was NOT publicly available. It shouldn’t matter about the content of the information when the information itself was confidential. It should not have been leaked at all.” 

It remains to be seen if the breach will bring any legal repercussions for the ESA. But lawsuits may not be the most important consequence of the story. As the show’s relevance is called into question by more and more critics with each passing year, the rise of broadcasts like Nintendo Direct and Sony’s State of Play—which allow platform holders to make announcements on their own terms and schedules—have only exacerbated the problem. After this year’s E3, attendance is also a concern.

Attendance at E3 2019 was markedly down over the previous year’s, with 3,000 fewer people showing up at the Los Angeles Convention Center. Out of the 200 exhibitors, only a quarter of that were new to the show, compared to the 85 first-time exhibitors at E3 2018. Likewise, major companies continue to show a dwindling interest in the show. EA continued to host its own off-site event, EA Play, in Hollywood the weekend before the show, Activision opted for a smaller physical presence, not its traditional massive booth on the show floor. Sony skipped the show entirely.

Shawn Layden, the recently departed chairman of Sony Interactive Entertainment, explained to CNET in February that the company would be skipping E3 2019 because “the trade show became a trade show without a lot of trade activity. The world has changed, but E3 hasn’t necessarily changed with it.” Layden highlighted Sony’s own “Destination Playstation” trade event in February for retailers and third-party partners, saying that it gives retailers the chance to hear Sony’s year in advance and to begin Christmas holiday discussions—a big edge over E3’s mid-June dates.

The ESA seems well aware of the troubles facing the show. Last month, GameDaily reported on a leaked pitch deck featuring the video game trade group’s proposals for completely overhauling the format of E3, with the show now leaning into “experiences” with influencers and celebrities. “E3 was a [business-to-business] retail event, but no longer. We listened, heard, and evolved,” reads one of the pitch’s slides. This new E3 would be a “fan, media, and influencer festival,” allowing exhibitors to create “exclusive/appointment only activations for select attendees who will create buzz and FOMO.”

The motives for such a drastic rebranding are obvious.  But while giving the public a chance to interact with celebrities and influencers to create FOMO may seem like a savvy way to inject new life into the event, the proposal might not be enough to keep the interest of many companies. A lack of trade activity is already causing notable absences, and such an intense restructuring of the show’s initial purpose might lead to even more companies reassessing their involvement.

Uncertainty has surrounded E3 for years now, and as the show struggles with its identity, the future grows less and less clear. The data breach may be tame in comparison to the larger leaks at other organizations that have made headlines in recent years, both in the number of victims and in the nature of the personal information made public. But it’s undoubtedly bad PR at a time when the ESA is already struggling to define E3’s place in the industry. That the company seems to understand the impact on those affected by the breach is a promising, as is the dedication to increased website security. The investigation may still result in more concrete action, as well.

But Haedox, at least, seems unconvinced for now. I asked him if the ESA could do anything to build back the trust of the leak’s victims, and it was clear he was upset with organization’s initial handling of the breach, and found the first public responses to be hollow. “Their first statement showed a clear lack of respect to those affected,” he told me. “They didn’t take responsibility for their mistakes or even offer any assistance to those affected. They did nothing to make this situation right. I don’t know if the ESA can ever build back the trust of those affected. I didn’t even attend E3 and I was dragged into this storm of negligence. Personally, I will never trust the ESA with any data of mine again.”

Header image courtesy of the ESA.