If you attended the Electronic Entertainment Expo with a media ID this year, it's possible that some of your sensitive information is now public. Every year, the Entertainment Software Association distributes hundreds of "press passes" to certain press representatives. To get one of these badges, I've given my name, phone number, home address and more to the organization every year for the past half-decade. This information flows into a table that ESA distributes to its member companies, which makes it easier for these companies to invite the press to E3 events and meetings.
Until yesterday, however, this list was accessible to anyone who clicked on a button on the ESA website, as first discovered by YouTube creator Sophia Narwitz. Since then, ESA has removed the table from its website, but it did not do so before others could download it. At this time it is impossible to tell who has the list.
This failure to adequately secure sensitive data does not only expose game writers. I have verified with someone who has access to the list (with the permission of ESA) that it contains information for YouTube creators, Wall Street financial analysts from companies such as Wedbush and Goldman Sachs, and Tencent employees.
The ESA response to the E3 data leak
This presents ESA with a difficult task. I contacted the organization and received the following statement from a spokesperson:
"ESA was alerted to a site vulnerability that resulted in the list of registered journalists who attended E3 being published. Once we were notified, we immediately took steps to protect this information and close the page, which is no longer available. We regret this incident and have taken steps to ensure that it does not recur."
This breach could expose people to specific threats, but it could also affect the ESA's bottom line. Companies pay the organization a lot of money to show up at E3. One reason the fair is worth the price is that the group has a table of contact information for popular creators and influential media personalities. If people are reluctant to share this data at E3 2020, the show suddenly becomes less valuable to developers and other businesses.
The ESA website was also likely accessible from Europe and contained information for European press, so this could become a GDPR (General Data Protection Regulation) question. The GDPR is the EU legal framework that obliges any company collecting data to meet certain safety assurances.
The maximum penalty for a violation of the GDPR is 20 million euros.