The E3 Security Breach Couldn’t Come At A Worse Time

The premises where E3 2019 was held
E3's Online Security Breach Couldn't Happen At A Worse Time E3 2018. Source: E3/ESA.

For the majority of people, registering for E3 is relatively simple, regardless of whether they’re attending as a consumer or member of the press. For journalists, this typically entails providing the Entertainment Software Association (ESA) – the organizers of the annual event – with certain information.

This is usually limited to a physical address, email address, full name, and phone number. Once this has been submitted, press credentials are given out, and the information is provided to companies that are exhibiting at the show so that they can contact writers or editors for a potential appointment.

All of this is relatively straightforward and isn’t unique to ESA or E3, with the majority of other events – both inside and outside the games industry – having a similar process. Another defining similarity with each of these events is that the only people who have access to this information are the people that a journalist may end up doing business with.

At least, that’s how it’s supposed to work in theory. Recent events focused on the Electronic Entertainment Expo, however, have shown that this might not have been the case for many journalists who have attended the events in recent years.

In contrast, a video by YouTuber Sophia Narwitz highlights that third parties may have been able to access all of this information without either the ESA or press members realizing it. As the video shows, visitors to the E3 website could access a spreadsheet of information for over 2,000 media analysts, journalists, and content creators with a few quick clicks.

According to Ms. Narwitz, she contacted the ESA within 30 minutes of discovering that this information, which should have been confidential, was public for anybody to see. After her phone call didn’t lead to any change, she emailed the company before reaching out to a variety of journalists to notify them about the spreadsheet.

Despite not responding to Ms. Narwitz, E3 quickly took down the webpage where the information could be accessed from. However, reports of the spreadsheet’s existence quickly spread, with the ESA being forced to release a statement focusing on the topic to attempt to quell the potential uproar.

However, Sophia Narwitz’s YouTube video was only the tip of the iceberg, as the spreadsheet quickly gained traction across several corners of the web. As a result, there have been several members of the media who have been doxxed, as well as received a variety of death-threats and a large number of harassment as a result of the E3 leak.

What Was Reaction Of E3 To The Security Breach?

A presentation at E3 2019
A presentation at E3 2019. Source: E3

While neither E3 or the ESA responded to any of Ms. Narwitz’s calls or emails, the Entertainment Software Association did release a statement after news broke about the potential leak. While it acknowledged the existence of the spreadsheet and noted that it had taken down the offending webpages, the announcement left a large number of journalists and content creators in the lurch.

Despite this, the company would go on to make another statement, noting that it was working to identify any other security issues with the website. Alongside this, it indicates that it’s working to develop a new site with enhanced security, while it had also taken down the media list from all platforms under its control. As the ESA statement notes:

The Entertainment Software Association (ESA) was made aware yesterday of a website vulnerability on the exhibitor portal section of the E3 website. Unfortunately, a vulnerability was exploited and that list became public. We regret this happened and are sorry.

A crowd gathers at E3 2019
A crowd gathers at E3 2019. Source: E3/ESA.

The company also went on to note:

When we found out, we took down the E3 exhibitor portal and ensured the media list was no longer available on the E3 website. Again, we apologize for the inconvenience and have already taken steps to ensure this will not happen again.

In the days following this, the ESA would enter crisis management mode, and began emailing many of the games journalists and content creators who may have been affected by the E3 leak. The majority of these were those who attended the event between 2004 and 2006, although reports suggest that there were a large number of people who registered in the years following this that where affected.

While general attendee information wasn’t affected during the leak, this hasn’t meant that people weren’t paying attention to how the Entertainment Software Association was responding. In an email to those who were affected by the E3 security breach, the company said:

We are working with our partners, outside counsel, and independent experts to investigate what led to this situation and to enhance our security efforts. We are still investigating the matter to gain a full understanding of the facts and circumstances that led to the issue.

Much of this has been seen as a too-little-too-late approach, with many people inside and outside of the video games media noting that the breach of E3’s website shouldn’t have occurred in the first place.

Regardless of this, the security breach couldn’t come at a worse time for E3 and the ESA, with attendance at the annual event slowly declining. Alongside this has been the fact that an increasing number of brands have opted to forego participation at E3, instead choosing to host their own events, which allows them significantly more control over their schedule.

Whether E3 will be able to weather the storm in the coming months is up for debate, with only time showing if it can claw its way back to where it once was.