Skip links

RSAC branded a ‘super spreader event’ as attendees share COVID-19 test results

RSA Conference Quick show of hands: who came home from this year’s RSA Conference without COVID-19?

The cybersecurity event’s organizers say they’re not keeping count of attendees who say they’ve been hit with the coronavirus. Meanwhile, a growing number of folks have taken to Twitter to post photos and reports of positive test results after attending the conference. 

As someone who attended the show, wore a KN95 inside San Francisco’s Moscone Center where the show took place, and returned home healthy, your humble vulture can attest to the vast numbers of mask-less faces of cyber-risk managers, who may have misjudged the risk of attending a 26,000-person event while case numbers start to climb again in California.

COVID-19 vaccinations reduce the risk of hospitalization and death, and may prevent long-term effects of the virus. CDC guidance is to wear masks in crowded areas.

RSA Conference organizers required all attendees to show proof of vaccination or a negative test for their first entry into Moscone Center. Additionally, signs posted “encouraged” people to wear masks. Still, people wearing face masks inside Moscone were in the minority. And masks at cocktail parties and bars around the event were almost non-existent. 

According to one very informal Twitter poll with 820 votes at the time of writing, 20.6 percent of attendees said they caught the coronavirus at RSAC, while 39.5 percent said they escaped COVID-free. However, 39.9 percent said they were unsure, for whatever that means.

For what it’s worth, the organizers of May’s KubeCon Europe, which required proof of vaccination and masks, said they were aware of 121 reported infections, or about two percent of the in-person audience. We wish we could report an accurate reported count for RSA Conference: it is unlikely to be as high as one in five, though we may never know.

LastPass CTO Christofer Hoff tweeted he personally knows more than 30 people who got COVID-19 at RSAC.

“The RSA Conference should really be made aware to understand they were a super spreader event,” Hoff added.

Following The Register‘s inquiry about COVID-19 cases related to the event, and questions about what organizers were doing post-RSAC to follow up on attendees’ virus status, officials pointed to a health and safety hub update, which, among other things, urged attendees so “make responsible health choices.”

“RSA Conference 2022 has been made aware that some attendees have tested positive for COVID-19,” reads a note dated June 15. “We are, however, not collecting test results post-conference.”

The number of RSAC attendees that have since tested positive, even if it is anecdotal evidence, has some in infosec rethinking their plans for Black Hat and DEF CON in Las Vegas in August, aka hacker summer camp.

“All of these stories of people catching COVID at conferences, especially RSA, make me considerably less interested in coming to Las Vegas for DEF CON,” EFF Cybersecurity Director Eva Galperin said

After requiring both proof of vaccination and masks at last year’s event DEF CON, “barring a major change in the situation,” the event won’t check attendees’ vaccination status this year but will keep the mask mandate in place, organizers said.

“Protecting the community is our first priority, and we want to make sure that everyone is as safe as we can make them,” according to DEF CON’s FAQ page. “Everyone includes the healthy, the vulnerable and those who have immune compromised loved ones they need to protect.”

Meanwhile, Black Hat, which takes place in the days leading to DEF CON, isn’t requiring any COVID-19 prevention measures. 

“At this time, there are no requirements for vaccinations, masks, or other health measures in place,” according to that event’s health and safety rules. “Attendees are advised to consider their personal health needs.”

Consider yourself forewarned. ®