The Entertainment Software Association (ESA) is in hot water for mishandling sensitive personal information, leading to the doxxing of more than 2,000 journalists and content creators who were in attendance at E3 2019. On Friday, YouTube creator Sophia Narwitz broke the story via her channel.
According to Narwitz, a spreadsheet containing names, phone numbers, email addresses and personal addresses was publicly accessible on the E3 website until Friday, when it was taken down after she attempted to reach the ESA via email and phone. Narwitz did not receive a response, though she tweeted that she did reach out to journalists at larger outlets knowing they would be more likely to get a statement from the company.
Despite the removal of the document from the website, it is apparently still being shared online. It’s unclear who downloaded the spreadsheet before it was removed, or how many people have access to it at this point.
“This document was unsecured and even when they removed the webpage, they left the file on their servers,” Narwitz tweeted. “Why it was attached to a public link in the first place is beyond me. But multiple months post E3 and it was still there, no doubt others have found it. So I warned folks.”
The Entertainment Software Association doxxed over 2000 journalists & content creators. Due to a mishandling of information that has since been removed after I alerted them, full addresses, names, & phone numbers are potentially floating somewhere online: https://t.co/15RXIbGWrr
— Sophia Narwitz (@SophNar0747) August 2, 2019
According to Jeff Grubb at VentureBeat, who picked up the story late Friday, someone with access to the list (with the ESA’s permission) confirmed that the spreadsheet contains information for games journalists, “YouTube creators, Wall Street financial analysts at firms like Wedbush and Goldman Sachs, and Tencent employees.”
As Grubb notes, this leak not only puts thousands of people at potential risk of harm, but also invites a host of legal issues for the ESA and E3.
The ESA released the following statement to VentureBeat: “ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public. Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.”