So…Is There an RSA Attendee List?

by Nathan W. Burke on February 6, 2016

rsa logoIf you’re at a security company and are exhibiting at RSA, chances are you’re getting dozens of emails from list vendors asking if you’d like to buy the 2016 RSA attendee list. In this post, we’ll look at how and why this RSA attendee list spam exists, and we’ll explore whether such a list exists in the first place.

Part One: The Motivation is Clear

With vendors paying between $35,000 and $350,000 for booth space on the expo floor, it’s easy to see the perceived value of the RSA Conference’s attendees. In fact, the RSA exhibitor prospectus claims the following about the show’s 30,000+ attendees:

Screenshot 2016-02-06 15.57.55 Screenshot 2016-02-06 15.57.49

Put simply, you can’t get 30,000 security executives in a room for a few days at any cost. If you’re a company selling information security solutions, you have to be there.

What’s the goal of the show? Aside from the requisite awareness, the goal is always to talk to people that will want to buy your product. Short of actually making the sale at the booth, the idea is to qualify, educate, and then get prospects to take a demo after the show. You scan a prospect’s badge, get their email address, and get in touch with follow-up information to hopefully turn interest into a sale.

So if you’re trying to calculate whether it’s worth spending a minimum of $35K at a show, you’d want to look at the qualified leads you generated at the booth. The data list vendors have a pretty compelling message: not everyone in attendance is going to stop by your booth to get scanned. Why not buy the entire attendee list with contact info from us, and you can then:

  1. Email the entire list, promoting your booth before the show.
  2. Send a message to everyone, thanking them for stopping by your booth.
  3. Focus only on quality when talking to people in-person, since you can email everyone else post show.

From the list vendor’s perspective, you’ve already shown the value of attendee contact info by paying to exhibit at the show. Why not spend a little extra and get the full attendee list?

Part Two: How List Vendors Get Exhibitor Info

This part is easy. You can very easily see the full list of companies exhibiting at RSA here on the conference website. What’s even easier is the fact that each exhibitor gives an email address that is published on their profile page. For example:

Screenshot 2016-02-06 16.13.02

For those with time, simply firing up an excel spreadsheet would allow a list vendor to copy and paste the company name, email address, and phone number to build their list. You could do something more automated if you wanted, and many list vendors will add a few commonly used email addresses like sales@, marketing@, and contact@ to each domain they find.

Once they’ve created their target list, it’s time to craft an email. An example:

Hi Team,

Happy New Year!!!

I was going through RSA Conference 2016 Exhibitors Guide and came across that your Organization will be attending RSA Conference 2016 Annual Conference and Exhibition this FEB 29-MAR 4, 2016.

I’m sure you will be interested getting in touch with these RSA Conference 2016 attendees prior to the conference meet or send an invitation to these attendees for a visit to your booth.

We have over 15,000 attendees list with complete contact information attending RSA Conference 2016.

If you are interested do let me know, so that I can send the details of the counts and commercials related to the same.

Please forward this email, if you think I should be talking to someone else on this.

Susan Miller

Sr. Marketing Consultant

This year there have been so many of these that RSA felt compelled to send the following:

RSA Conference 2016 Exhibitors,

Many of you report being spammed by individuals or companies offering to share the RSA Conference 2016 attendee contact list. These people reach out to exhibitors, attendees, random people and press with offers like “I have the RSA Conference attendee list – you want to buy it”? I’m sure you’re personally spammed by these types of companies for all large events whether RSA Conference, SXSW, CES, Oracle World, Dreamforce, etc. In each instance the vendor claims that their email contacts are those from the attendee list for a given event.

RSA Conference takes the privacy of its attendees very seriously and it does not share any attendee list with anyone, including sponsors and exhibitors at any level. Additionally, no RSA Conference supplier has access to the RSAC attendee contact list. Any official RSAC supplier reaching out to you does so on behalf of the RSAC Event Management team for the purpose of confirming an existing order, or as a customer service courtesy as an order deadline approaches.

Part Three: How The Data Vendors Get Attendee Lists

There are generally three ways data vendors get the attendee lists for an event.

  1. They Buy the List from the Conference Organizer – In this case, it would be very difficult to believe that RSA would sell their attendee lists, but there are other conferences that have no problem sharing their attendee info. Although RSA has caused controversy with its choice of keynote speakers from a TV show and capturing attendee twitter credentials, selling access to attendee info would likely be the end of the show.
  2. They Steal the List from the Conference Organizer – Some conference organizers have lax security measures with open directories and spreadsheets publicly available from a google search. Here’s a good example of the GSA Training Conference and Expo 2011 final attendee list I got from a simple google search:  security conference attendee list filetype:xls

    Another way to steal the list would be from the badge scan company. If you were able to break into their systems and download all booth scan data, you would then have the full attendee list of anyone scanning at any booth. 

    In this case, they’re simply finding an old list, changing the date, and selling it as new. Depending on the level of sophistication, they might even do some social lookups to find people who are tweeting about going to the show, and they may even remove companies that have gone out of business.

  3. They Buy the List from Exhibitors – This is the most prevalent method of acquiring an attendee list. A list vendor will pay part of the cost of an exhibiting company’s booth fee in order to get the full list of badge scans. When this happens, you’ll see a vendor that has an expensive prize that will be raffled off at the end of the show to a lucky winner, giving everyone at the show motivation to scan their badge regardless of interest in the vendor.

    You’ll even see people dressed in crazy costumes running around with badge scanners and iPads soliciting entries for the prize drawing. As their goal is to get every name they can, they don’t generally stay at the booth. They’ll risk getting tossed from the show, as the conference organizer never knows who these scammers are affiliated with.

    Using this method, the data list vendor is simply selling last year’s attendee list with this year’s date on it. They figure a large percentage of attendees will go year after year, and they’re likely right.

Part Four: Let’s Test Our Theory

m_img_71190So far, I’ve offered nothing but wild conjecture at best. However, it would be easy enough to test the theory with a little bit of patience.

Test 1: Attendee registered with email alias, no booth scans – First we need someone that has registered with RSA with an email address they haven’t used before. Best to use an alias. Then, that person can’t scan their badge at all during the conference, thereby testing whether vendors were able to somehow get access to the actual registration list. It will take a long while to see if that email address starts getting vendor emails (maybe).

Test 2: Attendee registered with email alias, scan at just one booth – Certainly not perfect science, but this test would let us see whether there’s a possibility that a vendor broke into the scanner provider’s database and downloaded all booth scan lists. Again, this would only work with an email address that isn’t used other than for this purpose, isn’t something easily guessed, etc.

Test 3: Attendee registered with email alias, scans at multiple booths, not used again – In this test, the address would be used at multiple booths, but wouldn’t be used in the future to register for a conference. That way we’d know that vendors are just selling old lists each year.


Where there’s money to be made and anonymity to be had, vendors will offer conference attendee lists and marketers will buy them.  I can obviously understand spending short money to spray and pray with the opportunity to get a handful of people to the booth, but it just feels wrong and lazy.



Previous post:

Next post: