If you attended the Electronic Entertainment Expo (E3) trade show this year with a media badge, it’s possible that some of your sensitive data is now public. Each year, the Entertainment Software Association hands out hundreds of “press badges” to certain members of the press. To get one of these badges, I have given the organization my name, phone number, home address, and more each year for the last half-decade. That info goes onto a spreadsheet that the ESA hands out to its member companies. This makes it easier for those companies to invite press to E3 events and meetings.

Up until yesterday, however, that list was accessible to anyone who clicked on a button on the ESA website, as first spotted by YouTube creator Sophia Narwitz. Since then, The ESA has removed the spreadsheet from its site. But it did not do that before other people were able to download it. At this point, it’s impossible to tell who has the list.

This failure to adequately secure sensitive data doesn’t just expose games journalists. I’ve confirmed with someone who has access to the list (with the ESA’s permission) that it contains info for YouTube creators, Wall Street financial analysts at firms like Wedbush and Goldman Sachs, and Tencent employees.

The ESA’s reaction to the E3 data leak

This puts the ESA in a tough spot. I reached out to the organization, and it provided the following statement from a spokesperson:

“ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public. Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this this occurrence and have put measures in place to ensure it will not occur again.”

While this breach could expose people to certain threats, it could also hurt the ESA’s bottom line. Companies pay the organization a lot of money to show up to E3. And part of the reason the trade show is worth that price is because the group has a spreadsheet with the contact info for popular YouTubers and influential media personalities. If people are more hesitant to share that data at E3 2020, suddenly the show is potentially less valuable to attending developers and other companies.

The ESA website was likely also accessible from Europe, and it contained info for European members of the press. That could turn this into a GDPR (General Data Protection Regulation) issue. That is the EU regulatory framework that obliges any company that collects data to meet certain assurances of security.

The maximum fine for a GDPR violation is 20 million euros.