NuTSR Financial Data Breach

The ongoing saga of “TSR3” continues as Justin LaNasa, owner of “TSR LLC”, allegedly stores and has emailed to others a spreadsheet containing customer financial information stored without any form of encoding or encryption.

In a video released by Don Semora of Wizard Tower Games, Semora claims Justin LaNasa emailed him a spreadsheet in May 2022 that included financial information from customers and business partners including full names, email addresses, home addresses, phone numbers, and even credit card numbers, all stored in plain text with no encoding or encryption. This includes customers of TSR or Dungeon Hobby Shop’s webstores purchasing products including Cult of Abaddon, Dungeon Crawl: The Board Game, TSR Dice, and others.

​

Screenshots of the spreadsheet (with private information redacted) show up in the video starting at the nine minute mark.

Wizard Tower Games also commented in the EN World thread “The Full & Glorious History of NuTSR” offering to confirm if anyone’s personal information was part of the spreadsheet he received. According to David Flor, transactions with the companies are processed under the name “Port City Kava”, an oxygen bar and vape/ecig store run by Justin LaNasa in North Carolina.

For those unfamiliar with the Saga of the TSR Trademark, EN World has a timeline of events with links to more information going back to the start in June of 2021 and, at the time of writing, updated through July 22, 2022.

The video from Semora is the most recent entry in a back-and-forth between himself and LaNasa following a Twitter post from Wizard Tower Games on August 29 confirming the company received two subpoenas related to the lawsuit with Wizards of the Coast. Michael K. Hovermale, former employee of TSR LLC, confirmed he also received a subpoena related to the lawsuit and confirmed in a post on EN World that he retained all information from his time working for LaNasa and informed LaNasa of this in June of 2022. In a video titled “OPEN LETTER LANASA” posted on September 1, Don Semora says he received a text message from LaNasa accusing Semora and Hovermale of “photoshopping documents”. The video consists of Semora posting screenshots of documents he claims were sent to him from LaNasa. In response, LaNasa claimed the documents in the video were Photoshopped by posting his own screenshots and calling Semora a "liar" on social media including in the title of a channel on the TSR Discord server, according to a screenshot from the private server posted by Kim Wincen. Semora responded with the video posted earlier today containing the spreadsheet along with other screenshots.

The trial between TSR LLC, the Dungeon Hobby Shop Museum LLC, and Justin LaNasa v. Wizards of the Coast is scheduled for a jury trial in October 2023.

 

[Abstruse]

How would they even have gotten the actual credit card numbers stored?

I would think they used some off-the-shelf e-commerce platform and those - by default - would not actually store whole credit card numbers. At least - that would be such an egregious practice, that any consultant they hired would probably have to go out of their way (ie. explicitly program) and storage of numbers. Something like Shopify would not store credit card numbers by default.

Assuming they did that - someone would have to actually query a database to export the data into a spreadsheet. Again, some consultant could have scripted a simple script or interface for Lanasa to do it himself.


After all that - Lanasa would have to have the modicum of intelligence to operate a computer at some level.

I would just hazard a guess here and say the storage was done purposefully and explicitly because that's just how Lanasa rolls. It would be no surprise at all if he intended to profit off the information some how.

I have no idea, but one possible explanation: The "webstore" isn't a normal webstore but just a submission form. They'd then run the credit cards manually through their point of sale system. It would be a cheaper way to do things since it would require not giving extra money to a third party processor or leasing a turnkey webstore solution. It's also insecure to the point of being possibly criminal. Again, I'm not saying this is what happened or that there's any evidence that this is what happened, just one possible explanation.

 

[Michael Linke]

How would they even have gotten the actual credit card numbers stored?

I would think they used some off-the-shelf e-commerce platform and those - by default - would not actually store whole credit card numbers. At least - that would be such an egregious practice, that any consultant they hired would probably have to go out of their way (ie. explicitly program) and storage of numbers. Something like Shopify would not store credit card numbers by default.

Assuming they did that - someone would have to actually query a database to export the data into a spreadsheet. Again, some consultant could have scripted a simple script or interface for Lanasa to do it himself.


After all that - Lanasa would have to have the modicum of intelligence to operate a computer at some level.

I would just hazard a guess here and say the storage was done purposefully and explicitly because that's just how Lanasa rolls. It would be no surprise at all if he intended to profit off the information some how.

I’ve seen off the shelf (open source) e-commerce platforms store credit card numbers, albeit in an encrypted state. We implemented changes to one so that we could use it without storing those numbers for PCI reasons.

It’s possible his software stores these numbers as encrypted values, and he exported them as unencrypted plain text for some reason. It’s also possible he harvested these numbers in person from people who payed by card at one of his businesses.

It wasn’t always the case that PCI didn’t permit for business to store credit card numbers. Older versions of the PCI-DSS standard allowed encrypted storage. He may just be using an ecommerce platform that was compliant at the time it was implemented.

Elsewhere, I commented out of a vivid memory of IMPLEMENTING PCI compliance at an already established business, but digging more, I think the issue there is that we were already compliant, but were implementing changes to adapt to a newer version of the standard, particularly the change from stored-encrypted to not-stored-at-all.

In digging through older PCI documentation, I even found stuff suggesting that smaller business, at least at one point, had less strict requirements. It’s possible LaNasa has these CC details while to the best of his understanding being minimally compliant with whatever version of PCI-DSS was relevant to him at the time he set up his electronic payments platform. It’s also just as possible the rules got more strict since then, and his business was small enough that he flew under the radar regarding compliance audits and external data breaches.

In any case, SHARING those details was still unambiguously wrong.

 

[LordEntrails]

I would think they used some off-the-shelf e-commerce platform

Ha, there you go again, thinking!

any consultant they hired

Ha Ha! Yea, like Justin is going to pay someone to tell him what he doesn't need to know?

I mean this in the kindest way, bless your heart! but are you smoking crack? </silliness>

Think Justin would spend any money that he doesn't see a direct benefit from? The cheapest and easiest solution for running his businesses are certainly the choices e is going to make. imo, don't assign to intelligence or thought that which can be explained by ignorance and laziness.

 

[Mannahnin]

I have no idea, but one possible explanation: The "webstore" isn't a normal webstore but just a submission form. They'd then run the credit cards manually through their point of sale system. It would be a cheaper way to do things since it would require not giving extra money to a third party processor or leasing a turnkey webstore solution. It's also insecure to the point of being possibly criminal. Again, I'm not saying this is what happened or that there's any evidence that this is what happened, just one possible explanation.

This is exactly what I assumed was going on when I saw the spreadsheet. I'm not in electronic payment processing/merchant acquiring anymore, and was never a technical expert even in the years I worked in that field, but this is definitely what it looks like to me.

If they were actually using a proper merchant acquirer/payment gateway on their website, they'd never even see those numbers. Last four digits of the card at most.

 

[lingual]

This is exactly what I assumed was going on when I saw the spreadsheet. I'm not in electronic payment processing/merchant acquiring anymore, and was never a technical expert even in the years I worked in that field, but this is definitely what it looks like to me.

If they were actually using a proper merchant acquirer/payment gateway on their website, they'd never even see those numbers. Last four digits of the card at most.

I played around with their site. Looks like they use a real service. Actually declined a fake card number!

 

[Cordwainer Fish]

I played around with their site. Looks like they use a real service. Actually declined a fake card number!

Lots of fake numbers can be detected algorithmically.

 

[Deset Gled]

I played around with their site. Looks like they use a real service. Actually declined a fake card number!

They have definitely updated. It appears they are now using Square for credit card transactions.

 

[lingual]

Lots of fake numbers can be detected algorithmically.

Oh it definitely sent requests to a server "squareup" - the error code was from there, not from some JavaScript.

 

[Nylanfs]

So did anything ever come of this release of info, I don't remember it tied into any of his cases.