E3 organiser The Entertainment Software Association (ESA) has apologised to journalists and influencers affected by a major leak of personal data, ahead of potential legal action.
Up until the evening of Friday, August 2 anyone with the correct URL could access a list of personal details belonging to over 2,000 members of the media who attended E3 2019 in June, including their home addresses and phone numbers.
The link has since been taken offline and the ESA has sent an email to those affected by the leak, apologising for what it called “a website vulnerability”.
“The Entertainment Software Association (ESA) was made aware yesterday of a website vulnerability on the exhibitor portal section of the E3 website,” the statement reads. “Unfortunately, a vulnerability was exploited and that list became public. We regret this happened and are sorry.”
The message goes on to explain that the details on the leaked list are intended to be used by ESA members and exhibitors, so they can invite media to their events and arrange interviews.
“For more than 20 years there has never been an issue,” it adds. “When we found out, we took down the E3 exhibitor portal and ensured the media list was no longer available on the E3 website. Again, we apologize for the inconvenience and have already taken steps to ensure this will not happen again.”
As a result of the leak, the ESA could find itself the subject of civil lawsuits or worse.
Attorney Stephen McArthur, founder of The McArthur Law Firm, told GameDaily that although the ESA does not use the word “breach” in its public statement, the law will likely view this issue as such.
“The difference between a vulnerability and a breach is that a vulnerability is just the potential for a breach,” he explained.
“They are basically saying, ‘There existed the opportunity for someone to… access the data, but there is no evidence anyone did that’. So, they would be saying there is no evidence anyone that was unauthorized ever actually visited the leak and viewed the data.”
Shaq Kalaka, a privacy lawyer at Morrison Rothman, suggested that a class action lawsuit might be considered, due to the harassment that will likely result from the leaked personal information.
“The E3 data breach is one of the strongest cases I’ve seen for a class action involving location data,” he wrote. “Data breach class actions are usually hard to bring, but this involves some unique circumstances.
“Most breach cases get dismissed because it’s hard to show concrete harm. But with E3, the failure to safeguard home addresses predictably resulted in journalists getting death threats and having to take efforts to protect their physical safety.
“It highlights the sensitive nature of location data and the fact that they are journalists greatly exacerbates the dangers. I’ve always advocated for strong protections of location, especially home addresses, as this data tangibly puts lives and sometimes national security at risk. Would be a case to plant important precedent.
“That said, it’s still very hard to bring these cases for a number of procedural reasons, harder to win. And with only 2k affected, it would essentially be pro bono for a firm to take it on, especially if it didn’t settle early. We’ll see what happens.”
Since the leaked list contains the information of journalists from Europe, the ESA could also be subject to a fine for breaching the EU’s General Data Protection Regulation (GDPR) rules.
GDPR breaches carry a maximum fine of €20 million or 4% of net revenue, whichever is greater. However, given that the ESA does not have an EU presence, enforcement of GDPR penalties may be difficult.
“If… reports are correct that E3 attendee data was simply being stored in an open spreadsheet which anyone with a link could access, this would not look good for the ESA,” Peter Lewin of UK law firm Purewal and Partners told GameDaily.
“The number of individuals affected, the type of information leaked and the appropriateness of the security measures in place at the time of a breach are some of the factors that would be taken into account.
“All of this said, it’s still unclear how—if at all—the GDPR would practically be enforced against an entity without an EU-headquarters like the ESA. This represents one of the significant limitations of GDPR.”