Well, this is a colossal screw up on the ESA’s side, isn’t it? Yep, as the title suggests, an error on their E3 site has revealed the personal details of thousands of gaming journalists and content creators, and made them publicly accessible to anyone willing to spend 5 minutes Googling them.
This happened because the details of anyone who received a press pass for 2019 were stored in an Excel spreadsheet, which in turn was made available to download from the E3 site. SidAlpha has a video giving some more details on the matter, as does YouTuber Sophia Narwitz, whose video originally brought it to everyone’s attention.
It’s a pretty big blunder all round, and one that shows the ESA doesn’t have good security practices in mind.
It’s also a legal nightmare. Indeed, given the GDPR exists to prevent exactly this kind of thing, and many of the people affected are in Europe, it’s looking almost certain the ESA will get sued over the leak too.
Still, it can teach us a few important lessons nonetheless. For instance, security by obscurity does not work.
Seriously, it doesn’t. If your idea of ‘security’ is hiding file names or sticking sensitive files in an obscure but publicly accessible directory on your server, you’ve screwed up. Doubly so if said files include credit card details, personal information, or business secrets you don’t want competitors finding out about.
So that’s lesson 1 here. If you’ve got private info you need to share on your server, always stick it behind a password wall or relevant access controls. An .htpasswd file, the site’s login system, it doesn’t matter which. Just make sure an unauthenticated user cannot access or download the file without proving they are who they say they are.
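Here’s one way to check your own server for this mistake. It’s an added example, not part of the original write-up or anything the ESA ran: a small Python audit that walks a web root and lists spreadsheet and dump files sitting in folders with no access control in front of them. It assumes Apache with .htaccess files honoured (AllowOverride enabled) and treats any restricting directive in a parent folder as protection; the extension list, folder names and file names are made up for the demo.

```python
import os
import re
import tempfile

# Export-style file types worth flagging (assumed list, adjust for your site).
EXPORT_EXTS = {".xls", ".xlsx", ".csv", ".sql", ".bak"}
# .htaccess directives that shut out anonymous visitors (Apache 2.4 and 2.2 syntax).
PROTECT = re.compile(
    r"^\s*(Require\s+(valid-user|user\b|group\b|all\s+denied)|Deny\s+from\s+all)",
    re.I | re.M)

def is_protected(directory, docroot):
    """True if directory, or a parent up to docroot, has a restricting .htaccess."""
    current, docroot = os.path.abspath(directory), os.path.abspath(docroot)
    while True:
        htaccess = os.path.join(current, ".htaccess")
        if os.path.isfile(htaccess):
            with open(htaccess, encoding="utf-8", errors="replace") as fh:
                if PROTECT.search(fh.read()):
                    return True
        parent = os.path.dirname(current)
        if current == docroot or parent == current:
            return False
        current = parent

def find_exposed_exports(docroot):
    """Return export files (relative paths) that any visitor could download."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        hits = [f for f in files if os.path.splitext(f)[1].lower() in EXPORT_EXTS]
        if hits and not is_protected(dirpath, docroot):
            exposed += [os.path.relpath(os.path.join(dirpath, f), docroot) for f in hits]
    return sorted(exposed)

def demo():
    """Build a constructed sample web root: one open folder, one locked folder."""
    with tempfile.TemporaryDirectory() as root:
        open_dir = os.path.join(root, "files", "2019")
        locked_dir = os.path.join(root, "private")
        for d in (open_dir, locked_dir):
            os.makedirs(d)
            open(os.path.join(d, "press-list.xlsx"), "w").close()
        with open(os.path.join(locked_dir, ".htaccess"), "w") as fh:
            fh.write('AuthType Basic\nAuthName "Staff"\n'
                     "AuthUserFile /etc/apache2/.htpasswd\nRequire valid-user\n")
        return find_exposed_exports(root)

if __name__ == "__main__":
    print(demo())  # lists only the spreadsheet in the unprotected folder
```

Point `find_exposed_exports()` at your real document root and anything it returns is a file a stranger can fetch if they learn or guess the URL.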
Lesson 2 is that ad hoc IT processes are a recipe for disaster.
Because at the end of the day, this Excel spreadsheet shouldn’t have existed. Seriously, it shouldn’t. Instead, their press registration system should have directly tied into any other systems that needed it through an API or something, in the same way your shopping cart connects to PayPal or SagePay.
Yet the ESA didn’t do this. Instead, it appears their process was to take the WordPress database, dump the information into an Excel file and then somehow upload that to the other systems they were using. Presumably this file then went online because someone at the organisation decided it was easier to share with a link on the E3 website rather than through some sort of private messaging channel or email.
Hence why the Excel file existed and everyone could get access to it. Because no one involved with the process knew the security implications or realised the risks it brought.
And this isn’t a rare issue in the business world. No, for better or worse, many businesses run with similar processes. They don’t implement their tech correctly, so they end up leaving it to office staff to throw together some manual process that would send the local data commissioner into a fit of rage.
Such as, say, lists of passwords stored in Google Docs. Or customer credit card details included in Excel sheets on employee computers. Or perhaps some unfortunate intern having to manually create database backups by logging into cPanel or WHM.
Either way, these systems are insecure and leave the business open to issues just like this. A computer gets lost, a trustworthy employee turns out to have dodgy motivations or someone figures out their file names and hey presto, suddenly thousands or millions of people get doxed by the company.
So don’t leave it up to interns or office managers to create ad hoc processes through Excel. Actually build a fully automated system that can handle things like user details and backups, and test the hell out of it to make sure it’s not exposing any more info to the world than it needs to be.
Finally, remember to listen to security reports and feedback too.
Because this spreadsheet wasn’t just left online for an hour or two.
It was left on the site for months. In fact, it was actually brought to the ESA’s attention beforehand:
Yes. It appears that when the ESA pulled the webpage they left the hosted files. It’s also come to my attention they were allegedly alerted to this file over a month ago and took no action. https://t.co/ziLYUNgx3n
— Sophia Narwitz (@SophNar0747) 3 August 2019
Yet they never bothered to do anything about it. They just sat by and watched people download the file to their heart’s content, happy to ignore the GDPR crisis that was unfolding in front of them.
It’s appalling really.
But it’s not too uncommon online. Tons of organisations ignore security warnings, and quite a few actively attack anyone who reports them, claiming the latter are trying to ‘attack’ their organisation and that they’ll sic lawyers on them or what not.
Hence we get crap like this. Obvious security or privacy issues going unreported for months while dodgy actors exploit them to their heart’s content. It’s disgusting, and it has to stop.
So that’s lesson 3 right there. Listen to security warnings, and fix anything that could lead to customer info being posted online. Otherwise you only have yourself to blame when the lawsuits start and the fines begin piling up.
Either way, we advise anyone who got an E3 2019 press pass to be careful (especially given the trolls and nutcases who may now have their full name and address to mess around with), and to consider legal action against the ESA for the breach and the GDPR violations it’s brought.
And we advise the ESA to invest in much better systems for tracking these press passes too. Get a decent web developer or team in, integrate the site into any other systems you’re using, and do away with the Excel files here.
Otherwise it’s almost inevitable mistakes like this will happen again, and again it’ll be the journalists and content creators who’ll pay the price for your incompetence.
Thanks for reading!
- The ESA Leaks (Twitter Moment by Sophia Narwitz)
- The Entertainment Software Association just doxxed over 2000 journalists and content creators (Sophia Narwitz on YouTube)
- E3 accidentally leaks personal details of journalists, YouTubers and analysts (Games Industry.biz)
- ESA Doxx over 2 thousand journalists personal information from E3 2019 (SidAlpha on YouTube)