The personal details of 91 UK journalists and digital media representatives are among over 2,000 records leaked this week by the US Entertainment Software Association.
The Entertainment Software Association is a lobbyist group that acts on behalf of major publishers in the global video games industry, with members including giants such as Electronic Arts, Disney Interactive Studios, Tencent, and Nintendo. The group also runs the annual Electronic Entertainment Expo (E3), the most influential video game industry trade show of the year.
This weekend the ESA was the subject of a massive data breach when it leaked the details of over 2,000 journalists and media representatives who attended E3 last year, including 91 registered media attendees from the UK. Details leaked include names, email addresses, phone numbers, and home/office addresses, making this a serious breach of personal information.
The data breach was first publicised by journalist Sophia Narwitz on YouTube after she was made aware that a spreadsheet full of personal information was available for download on the ESA's E3 website. Though she contacted the ESA and confirmed with them that the file had been removed before publicising the breach, the ESA was negligent in its removal of the file, which was still available for download via a Google cache of the page.
As a result, the information leaked online and has been downloaded by thousands of people. Some of the games journalists on the list have already been hit with personal abuse and serious threats directed to their phone numbers and home addresses. The ESA gave a statement claiming that "a vulnerability was exploited and that list became public," but the spreadsheet appears to have actually just been uploaded to its website by staff and deliberately linked on a public-facing "Helpful Links" page.
A class-action lawsuit is reportedly being put together in the US by those affected, and because hundreds of the people named in the document are from the EU, this is also a serious and easily preventable data breach under GDPR. As the ESA is based in the US, it may not be possible for any EU body to compel the group to co-operate with a GDPR investigation or get it to pay a fine. Nevertheless, it's feared that this incident will kill E3 as the main games industry event of the year.
Source: Kotaku, Forbes, GamesIndustry.biz, Header image (c) Entertainment Software Association