E3 (the Electronic Entertainment Expo) is one of the biggest events in the calendar for video gaming – but it’s recently been revealed that a data breach at this year’s event left data exposed for over 2000 people.
This E3 data breach came as a result of a spreadsheet that was published on the event’s website and made publicly available.
As reported by Kotaku:
The Entertainment Software Association, the organization that runs E3, has since removed the link to the file, as well as the file itself, but the information has continued to be disseminated online in various gaming forums. While many of the individuals listed in the documents provided their work addresses and phone numbers when they registered for E3, many others, especially freelance content creators, seem to have used their home addresses and personal cell phones, which have now been publicized. This leak makes it possible for bad actors to misuse this information to harass journalists. Two people who say their private information appeared in the leak have informed Kotaku that they have already received crank phone calls since the list was publicized.
You can read Kotaku’s full report on the story here: https://kotaku.com/e3-expo-leaks-the-personal-information-of-over-2-000-jo-1836936908
While the ESA moved quickly to plug this breach and limit the danger to users, they made a crucial mistake. They deleted the page containing the link to the spreadsheet – but after the story broke in the news, it was found that the spreadsheet itself was still accessible.
This E3 data breach could potentially be very costly for ESA. With journalists attending the event from all over the world, ESA could find itself subject to investigations and penalties under multiple different data protection laws, including GDPR.
Kotaku also updated their report to note that ESA provided the following statement:
In the course of our investigation, we learned that media contact lists from E3 2004 and 2006 were cached on a third-party internet archive site. These were not files hosted on ESA’s servers or on the current website. We took immediate steps to have those files removed, and we received confirmation today that all files have either been taken down or are in the process of being removed from the third-party site.
We are working with our partners, outside counsel, and independent experts to investigate what led to this situation and to enhance our security efforts. We are still investigating the matter to gain a full understanding of the facts and circumstances that led to the issue.
But with the data already out there, the damage has likely already been done.
Contact us straight away if you’re concerned about the possibility of a data breach at your organisation. Under GDPR, the fines can be severe: up to 20 million euros or 4% of annual turnover per breach!