
E3 accidentally leaks personal details of journalists, YouTubers and analysts - Kye
https://www.gamesindustry.biz/articles/2019-08-03-e3-accidentally-leaks-personal-details-of-journalists-youtubers-and-analysts
======
SeanBoocock
Might be more accurate, despite this being the headline, to change the title
to “ESA accidentally leaks...”. The ESA is the trade organization that puts on
E3 and the entity that is ultimately responsible for this.

~~~
Kye
While true, the leak was of a list of E3 attendees. The fact that it was of E3
attendees is the key fact. I tried different ways to fit ESA in while
maintaining specificity, but all variations came out too long.

ESA instead of E3 wouldn't necessarily tell E3 attendees their information was
leaked since not everyone knows the ESA puts it on. Personally, I've been
around games all my life and had no idea.

Headlines are always a compromise. I think the author found a good one.

~~~
SeanBoocock
Definitely, just want to highlight the ESA as the organization responsible for
people who might not be as familiar with the space.

------
shakna
> The private details of 2,025 games industry journalists and video producers
> have been leaked online.

Leaking the details of a couple thousand people isn't just a regret. Hopefully
as more details come forward ESA actually makes an effort to clean up their
mess.

~~~
dleslie
Worse, it's being alleged that they've known the information was publicly
accessible for months now.

[https://mobile.twitter.com/SophNar0747/status/11574576722219...](https://mobile.twitter.com/SophNar0747/status/1157457672221995009?s=19)

[https://mobile.twitter.com/SophNar0747/status/11574925673799...](https://mobile.twitter.com/SophNar0747/status/1157492567379972096?s=19)

------
falcolas
Given the hate and threats video game journalists and YouTubers already get, I
can’t imagine this will have a happy ending.

There was recently an incident of a FFXIV streamer being doxed and his (and
his children’s) lives threatened for their stance on the latest FFXIV raids.
There are some real psychopaths out there.

~~~
akhilcacharya
Are there any other enthusiast groups that are this toxic? I stopped
associating with the hobby after GamerGate but in retrospect I should have
stopped earlier.

~~~
larsiusprime
Sports? Arguably massively more toxic. People being murdered over sporting
events is a truly ancient phenomenon and even destabilized empires clear back
into ancient times (nearly half of Constantinople was burned down to the
ground in the Greens vs Blues Nika riots).

~~~
islanderfun
Very good comparison and similarities can be drawn between the target
audience. Unfortunately gaming sees deaths too with swatting and what not.

~~~
larsiusprime
If you want to draw a rigorously serious comparison you need to mathematically
compare audience sizes and base rates. Don't know how it shakes out but my
money is definitely on sports, if for no other reason than that video game
fans don't congregate in huge arenas with heavy drinking as often as sports
fans do.

~~~
islanderfun
Completely agree. Though I can see a future where gaming gives it
"competition" in this area. Especially with esports on the rise. Multi million
dollar prizes and loyalties forming around these teams.

------
slang800
Does anyone know the technical details of how this happened? Did someone just
run a spider on the e3expo.com site and find the publicly accessible URL that
way, or did they do something more advanced?

~~~
hello_asdf
There was a direct link to the excel file on the "Helpful Links" page of the
E3 Expo site.

~~~
pbhjpbhj
The OP says:

>"Unfortunately, a vulnerability was exploited and that list became public."
//

If it was just a link to a file on the website then claiming a vulnerability
was exploited is like saying "my security system was overcome" if I dropped my
wallet on the bus.

~~~
eswat
Based on the ESA statement it’s probably a case of Hanlon's razor where they
have nobody on-staff to do a proper incident response. They also said they
“shut down the site”, which really meant they removed/hid the page in
WordPress, but they didn’t remove the culprit file nor did they take down the
E3 website.

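The question upthread was how the exposure happened, and the reply above says the page was hidden while the file stayed on the server. The thing a responder actually needs to know next is for how long the spreadsheet was reachable without a login and who fetched it, and the web server access log is the place to answer that. The following is an added example written for this thread, not code from the ESA, the E3 site or WordPress: it parses combined-format log lines (constructed here; the uploads path, the file name and the `wordpress_logged_in_` cookie prefix are assumptions) and reports, for every spreadsheet served from the uploads directory, the first time it was served to a client carrying no session cookie, the distinct anonymous client addresses, and the referers that led them there.

```python
"""Added example, not code from the thread or from the ESA: triage a web-server
access log to establish when a 'private' spreadsheet under the CMS uploads path
was first served to a client with no login session, how many clients got it and
which referers led them to it. Log lines below are constructed; the site's real
paths and cookie names are assumptions."""
import re
from collections import Counter
from datetime import datetime

# Constructed lines in nginx/Apache "combined" format with the request cookie
# appended as one more quoted field ("-" when the client sent none).
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2019:10:02:11 +0000] "GET /helpful-links/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "wordpress_logged_in_abc=editor"
203.0.113.5 - - [12/May/2019:10:02:40 +0000] "GET /wp-content/uploads/2019/05/media-list.xlsx HTTP/1.1" 200 412000 "https://example.org/helpful-links/" "Mozilla/5.0" "wordpress_logged_in_abc=editor"
198.51.100.7 - - [03/Jun/2019:14:21:03 +0000] "GET /wp-content/uploads/2019/05/media-list.xlsx HTTP/1.1" 200 412000 "-" "python-requests/2.22" "-"
198.51.100.9 - - [03/Jun/2019:14:25:44 +0000] "GET /wp-content/uploads/2019/05/media-list.xlsx HTTP/1.1" 200 412000 "https://www.google.com/" "Mozilla/5.0" "-"
192.0.2.77 - - [01/Aug/2019:22:10:09 +0000] "GET /wp-content/uploads/2019/05/media-list.xlsx HTTP/1.1" 200 412000 "-" "curl/7.64.1" "-"
192.0.2.78 - - [02/Aug/2019:01:00:00 +0000] "GET /wp-content/uploads/2019/05/media-list.xlsx HTTP/1.1" 404 0 "-" "curl/7.64.1" "-"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<cookie>[^"]*)")?'
)
# Spreadsheet-like objects under the CMS uploads tree (assumed path layout).
SENSITIVE = re.compile(r"^/wp-content/uploads/.*\.(xlsx|xls|csv)$", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["cookie"] = rec["cookie"] or "-"
    return rec


def exposure_report(lines, session_cookie_prefix="wordpress_logged_in_"):
    """For every sensitive path that was actually served (status 200), record the
    earliest fetch by a client without a session cookie, the set of such client
    IPs, the referers those clients arrived from, and the total successful hits."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "GET" or rec["status"] != 200:
            continue
        if not SENSITIVE.match(rec["path"]):
            continue
        entry = report.setdefault(rec["path"], {
            "first_anon": None, "anon_ips": set(), "referers": Counter(), "total": 0,
        })
        entry["total"] += 1
        if session_cookie_prefix not in rec["cookie"]:      # no CMS login session
            entry["anon_ips"].add(rec["ip"])
            entry["referers"][rec["referer"]] += 1
            if entry["first_anon"] is None or rec["ts"] < entry["first_anon"]:
                entry["first_anon"] = rec["ts"]
    return report


if __name__ == "__main__":
    for path, e in exposure_report(SAMPLE_LOG.splitlines()).items():
        print(path)
        print("  first anonymous fetch:", e["first_anon"])
        print("  anonymous clients:    ", len(e["anon_ips"]))
        print("  referers:             ", dict(e["referers"]))
        print("  successful fetches:   ", e["total"])
```

On the constructed input the first anonymous fetch lands two months before the public disclosure date in the thread, which is exactly the kind of evidence that settles the "they knew for months" question one way or the other. A real run would point this at the full retained log rather than six lines, and a referer of a search engine is worth treating as a signal that the file URL had been indexed.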
------
CM30
What's worse is that there was basically no reason for this leak to be
possible. I mean, it was apparently a list of all people who'd successfully
received a press pass for E3 2019. The leak was in the form of an Excel
spreadsheet with that info hosted on their server.

So why was it even there? It's not the database they're using on the site;
from what I've read that's a standard WordPress install. And the spreadsheet
was unlikely to be needed outside the organisation itself.

Hence the ideal thing to do would have been to somehow tie the WordPress DB
into whatever system they were using. If that'd been done, the leak could
never have happened in this way.

Alas they didn't, and by going with the old 'intern takes database details,
puts them in a spreadsheet and shares around a link' method, exposed thousands
of people's details online. It's basically a perfect case study for the
dangers of ad hoc spreadsheet solutions and sharing 'private' links around to
distribute customer info.

Either way, I wouldn't be surprised if someone did sue them under GDPR or what
not at this point.

~~~
Thorrez
>So why was it even there?

>The list exists so that publishers and developers can invite analysts and
media to events and private viewings that take place during the E3 show.

>We provide ESA members and exhibitors a media list on a password-protected
exhibitor site so they can invite you to E3 press events, connect with you for
interviews, and let you know what they are showcasing.

~~~
CM30
Well they say it was password protected, but the file could apparently be
downloaded without logging in at all:

[https://twitter.com/RLewisReports/status/1157825611252957184](https://twitter.com/RLewisReports/status/1157825611252957184)

And even if it was, it feels like this system was implemented in the worst way
possible. Could have been a CMS function that generated the list once
credentials were provided or what not.

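The comment above contrasts a static spreadsheet linked from a password-protected page with a CMS function that generates the list once credentials are provided. The two designs differ in one specific way that is easy to miss: in the first, the login check guards the page, not the file, so unpublishing the page changes nothing about the file's URL. The block below is an added example, not code from the thread, the ESA or WordPress, that plays the same requests against both designs. The paths, role name and registration records are hypothetical and constructed for the demonstration.

```python
"""Added example, not the ESA's or WordPress's code: why unpublishing a CMS page
does not protect a file the page linked to, beside the design the comment above
describes (the list rendered on demand behind an authorisation check). All names
are hypothetical and the registration records are constructed."""
import csv
import io
import os
import tempfile
from typing import Optional

# Constructed stand-in for the press-registration database.
MEDIA_LIST = [
    {"name": "A. Reporter", "outlet": "Example Gazette", "email": "a@example.com"},
    {"name": "B. Streamer", "outlet": "ExampleTube", "email": "b@example.com"},
]
UPLOADS = "/wp-content/uploads/"


def weak_request(webroot: str, published: set, path: str, session: Optional[dict]):
    """The pattern in the thread: the page that links the file requires a login,
    but the file is a static object under the webroot and the static handler
    never consults the session or whether the linking page is still published."""
    if path.startswith(UPLOADS):
        fs_path = os.path.realpath(os.path.join(webroot, path.lstrip("/")))
        if not fs_path.startswith(os.path.realpath(webroot) + os.sep):
            return 403, b""                      # refuse ../ traversal out of the webroot
        if os.path.isfile(fs_path):
            with open(fs_path, "rb") as f:
                return 200, f.read()
        return 404, b""
    if path not in published:
        return 404, b""                          # "hidden" page
    if session is None:
        return 401, b""                          # the "password-protected" part
    link = "%s2019/05/media-list.xlsx" % UPLOADS
    return 200, ("<a href='%s'>media list</a>" % link).encode()


def hardened_request(path: str, session: Optional[dict]):
    """Fix: no file under the webroot at all. The list is rendered from the
    database per request, only after the caller holds the exhibitor role, so no
    URL returns the data without a session."""
    if path != "/exhibitor/media-list.csv":
        return 404, b""
    if session is None or "exhibitor" not in session.get("roles", ()):
        return 403, b""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "outlet", "email"])
    writer.writeheader()
    writer.writerows(MEDIA_LIST)
    return 200, buf.getvalue().encode()


def demo():
    """Run the same anonymous requests against both designs; returns status codes."""
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        file_path = UPLOADS + "2019/05/media-list.xlsx"
        on_disk = os.path.join(webroot, file_path.lstrip("/"))
        os.makedirs(os.path.dirname(on_disk))
        with open(on_disk, "wb") as f:
            f.write(b"PK\x03\x04 constructed spreadsheet bytes")
        published = {"/helpful-links/"}
        results["weak_page_anon"], _ = weak_request(webroot, published, "/helpful-links/", None)
        results["weak_file_anon"], _ = weak_request(webroot, published, file_path, None)
        published.discard("/helpful-links/")     # the "we shut down the site" step
        results["weak_file_after_unpublish"], _ = weak_request(webroot, published, file_path, None)
    results["hardened_anon"], _ = hardened_request("/exhibitor/media-list.csv", None)
    results["hardened_exhibitor"], body = hardened_request(
        "/exhibitor/media-list.csv", {"roles": ["exhibitor"]})
    results["hardened_rows"] = body.decode().count("\n") - 1     # data rows, minus header
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-28s %s" % (name, status))
```

The weak design returns 401 for the page and 200 for the file, before and after the page is unpublished, which is the whole incident in two lines. The hardened design has no static artifact to leak: a copy of the list exists only for the duration of an authorised request, and an export to a spreadsheet, if one is ever needed, is a deliberate act by a logged-in user rather than a file sitting in the uploads tree.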
------
8bitsrule
The best solution for these 'accidents' is mandatory jail-time for the CTO.

------
noodlesUK
Does this entity have dealings in Europe? If so it might be possible for GDPR
to apply, and I can see this getting ugly if it does (as I believe it should,
they should get massive fines for this).

~~~
johnchristopher
GDPR would apply if the entity had personal information of European citizens.

~~~
dahart
> GDPR would apply if the entity had personal information of European
> citizens.

Not quite, merely having data on an EU citizen is not sufficient to invoke
GDPR.

To clarify, article 3 of GDPR specifies that it applies to companies that
market specifically to EU citizens or specifically monitor EU behavior of
their customers. [https://gdpr-info.eu/art-3-gdpr/](https://gdpr-info.eu/art-3-gdpr/)

This is taken by many to broadly mean that when an EU citizen purchases
something by (for example) a US company where the product is marketed only to
US citizens, GDPR does not apply.

For example: [https://www.gdpreu.org/the-regulation/who-must-comply/](https://www.gdpreu.org/the-regulation/who-must-comply/)

“May be insufficient evidence [if] The firm’s website is accessible to EU
residents”

~~~
jolmg
> GDPR specifies that it applies to companies that market specifically to EU
> citizens or specifically monitor EU behavior of their customers

Does that mean that if you market to the world (i.e. anyone who might hit the
site, making no mention of world nationalities) but not _specifically_ to the
EU (i.e. You make no mention of anything specific to the EU in any part of a
site and you don't differentiate them in any way from non-EU users) then the
GDPR doesn't apply?

~~~
acollins1331
Market doesn't mean advertise, it means to bring products to market, so yes,
bringing products to market for the world is also bringing them to market for
the EU.

~~~
dahart
> Market doesn't mean advertise

Broadly speaking, the verb "to market" does mean "to advertise or promote"
(try Googling "define market", and see the verb definition).

> so yes, bringing products to market for the world is also bringing them to
> market for the EU.

While that's true in a sort of technical sense, the GDPR text explicitly
contradicts the notion that failing to restrict EU citizens from buying
something amounts to requiring GDPR compliance.

