NuTSR Financial Data Breach

The ongoing saga of “TSR3” continues as Justin LaNasa, owner of “TSR LLC”, allegedly stores and has emailed to others a spreadsheet containing customer financial information stored without any form of encoding or encryption.

In a video released by Don Semora of Wizard Tower Games, Semora claims Justin LaNasa emailed him a spreadsheet in May 2022 that included financial information from customers and business partners including full names, email addresses, home addresses, phone numbers, and even credit card numbers, all stored in plain text with no encoding or encryption. This includes customers of TSR or Dungeon Hobby Shop’s webstores purchasing products including Cult of Abaddon, Dungeon Crawl: The Board Game, TSR Dice, and others.

​

Screenshots of the spreadsheet (with private information redacted) show up in the video starting at the nine minute mark.

Wizard Tower Games also commented in the EN World thread “The Full & Glorious History of NuTSR” offering to confirm if anyone’s personal information was part of the spreadsheet he received. According to David Flor, transactions with the companies are processed under the name “Port City Kava”, an oxygen bar and vape/ecig store run by Justin LaNasa in North Carolina.

For those unfamiliar with the Saga of the TSR Trademark, EN World has a timeline of events with links to more information going back to the start in June of 2021 and, at the time of writing, updated through July 22, 2022.

The video from Semora is the most recent entry in a back-and-forth between himself and LaNasa following a Twitter post from Wizard Tower Games on August 29 confirming the company received two subpoenas related to the lawsuit with Wizards of the Coast. Michael K. Hovermale, former employee of TSR LLC, confirmed he also received a subpoena related to the lawsuit and confirmed in a post on EN World that he retained all information from his time working for LaNasa and informed LaNasa of this in June of 2022. In a video titled “OPEN LETTER LANASA” posted on September 1, Don Semora says he received a text message from LaNasa accusing Semora and Hovermale of “photoshopping documents”. The video consists of Semora posting screenshots of documents he claims were sent to him from LaNasa. In response, LaNasa claimed the documents in the video were Photoshopped by posting his own screenshots and calling Semora a "liar" on social media including in the title of a channel on the TSR Discord server, according to a screenshot from the private server posted by Kim Wincen. Semora responded with the video posted earlier today containing the spreadsheet along with other screenshots.

The trial between TSR LLC, the Dungeon Hobby Shop Museum LLC, and Justin LaNasa v. Wizards of the Coast is scheduled for a jury trial in October 2023.

 

[TheSword]

Actually, a "personal data breach" under the GDPR means a "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

But regardless, the GDPR only applies in the EU, not the US. (Unless the US also has one that I've never heard of?)

A breach of security doesn’t just mean a breach of IT system security though. If someone sends an email to a group and inadvertently shares the email address of people that haven’t given them permission, that is a data protection breach.

It also does apply outside the EU where it affects EU citizens, irrespective of where the person controlling the data is based. It’s the reason so many sites had to update their terms when it was released.

 

[AncientPenguin]

If the same payment processor is spread across those other businesses, it's wholly within the realm of possibility that they'll drop him like a hot rock.

Additionally, a lot of other processors may not onboard him because of the lack of PCI compliance. That can lead to going with far riskier entities to process CC data with higher percentages and other concerns - all of which lead to that whole 'death of a thousand cuts'

I also want to mention the following -

If any customers that are impacted are in places like the EU or in California where there's GDPR and CCPA, respectively, that's some important stuff. These two regulatory frameworks are going to add another level of complexity to the mountain of trouble that's coming Justin's way.

 

[AncientPenguin]

A breach of security doesn’t just mean a breach of IT system security though. If someone sends an email to a group and inadvertently shares the email address of people that haven’t given them permission, that is a data protection breach.

It also does apply outside the EU where it affects EU citizens, irrespective of where the person controlling the data is based. It’s the reason so many sites had to update their terms when it was released.

100% this.

 

[Ancalagon]

Tomorrow is going to be interesting...I almost feel sorry for Justin's lawyers.

Almost.

so it is now "today", what was supposed to happen?

 

[CleverNickName]

One screenshot from a text conversation with LaNasa indicates that his goal was to squat the trademark and get Wizards of the Coast to pay him $100 million for it (not kidding, he said he expected that much). It's led to speculation that pretty much everything else he's been doing in terms of social media and public relations has been for the sole purpose of dragging the TSR name through the mud to force WotC to pay him to go away.

As soon as the countersuit was filed, that should have been an indication that's not going to happen because they are going to take him to the cleaners. And since he's named personally in the countersuit, he doesn't have the legal shield of the LLCs to protect him.

He seriously expected a hundred million dollars for the trademark? And his acting-out on social media was all an attempt to embarrass Wizards of the Coast so badly that they would pay him to go away?

My grandma would tell me not to judge anyone until I've walked a mile in their shoes, but I don't think she had these shoes in mind.

 

[Faolyn]

He seriously expected a hundred million dollars for the trademark? And his acting-out on social media was all an attempt to embarrass Wizards of the Coast so badly that they would pay him to go away?

Wasn't there a guy who bought StarWars.com or MayTheForceBeWIthYou.com and thought he could sell it to Lucas for a zillion dollars, but just got sued by them?

 

[Sacrosanct]

Wasn't there a guy who bought StarWars.com or MayTheForceBeWIthYou.com and thought he could sell it to Lucas for a zillion dollars, but just got sued by them?

I'm reminded of those idiots who paid 3 million for the NFT Dune, and thought it meant they had the rights to create all the Dune property they wanted.

 

[J.Quondam]

Looks like someone is having a bad case of the Mondays Tuesdays.

 

[Lidgar]

 

[Abstruse]

He seriously expected a hundred million dollars for the trademark? And his acting-out on social media was all an attempt to embarrass Wizards of the Coast so badly that they would pay him to go away?

My grandma would tell me not to judge anyone until I've walked a mile in their shoes, but I don't think she had these shoes in mind.
View attachment 260552

I can't speak to how serious the $100 million amount was, but it was something he said in reference to selling the trademark to WotC. The context was bragging about how he was going to get a big payout for this. And I want to stress that him posting inane racist/sexist/homophobic/transphobic/ableist nonsense on the social media accounts to ruin the TSR brand is pure speculation. There's no evidence I'm aware of at this time to point to any particular motivation. And to me at least, it doesn't matter much why he's doing it other than academic curiosity. It doesn't matter the reasons as the harm being done is real either way. "Ironic racism" is still racism.