NuTSR Financial Data Breach

The ongoing saga of “TSR3” continues as Justin LaNasa, owner of “TSR LLC”, allegedly stores, and has emailed to others, a spreadsheet of customer financial information kept without any form of encoding or encryption.

In a video released by Don Semora of Wizard Tower Games, Semora claims Justin LaNasa emailed him a spreadsheet in May 2022 that included financial information from customers and business partners including full names, email addresses, home addresses, phone numbers, and even credit card numbers, all stored in plain text with no encoding or encryption. This includes customers of TSR or Dungeon Hobby Shop’s webstores purchasing products including Cult of Abaddon, Dungeon Crawl: The Board Game, TSR Dice, and others.


Screenshots of the spreadsheet (with private information redacted) appear in the video starting at the nine-minute mark.

Wizard Tower Games also commented in the EN World thread “The Full & Glorious History of NuTSR” offering to confirm if anyone’s personal information was part of the spreadsheet he received. According to David Flor, transactions with the companies are processed under the name “Port City Kava”, an oxygen bar and vape/ecig store run by Justin LaNasa in North Carolina.

For those unfamiliar with the Saga of the TSR Trademark, EN World has a timeline of events with links to more information going back to the start in June of 2021 and, at the time of writing, updated through July 22, 2022.

The video from Semora is the most recent entry in a back-and-forth between himself and LaNasa following a Twitter post from Wizard Tower Games on August 29 confirming the company received two subpoenas related to the lawsuit with Wizards of the Coast. Michael K. Hovermale, former employee of TSR LLC, confirmed he also received a subpoena related to the lawsuit and confirmed in a post on EN World that he retained all information from his time working for LaNasa and informed LaNasa of this in June of 2022. In a video titled “OPEN LETTER LANASA” posted on September 1, Don Semora says he received a text message from LaNasa accusing Semora and Hovermale of “photoshopping documents”. The video consists of Semora posting screenshots of documents he claims were sent to him from LaNasa. In response, LaNasa claimed the documents in the video were Photoshopped by posting his own screenshots and calling Semora a "liar" on social media including in the title of a channel on the TSR Discord server, according to a screenshot from the private server posted by Kim Wincen. Semora responded with the video posted earlier today containing the spreadsheet along with other screenshots.

The case between TSR LLC, the Dungeon Hobby Shop Museum LLC, and Justin LaNasa v. Wizards of the Coast is scheduled for a jury trial in October 2023.
 

Darryl Mott

Abstruse

Legend
This situation is monumentally stupid of them. If the FCC gets this one in their teeth, nuTSR is going to explode like the Death Star in the remastered versions of Star Wars.

I wonder: does the FCC have the power to issue a lifetime ban on handling/processing financial data? (Probably not, but one can hope.)
FTC (Federal Trade Commission) handles this. And while I don't believe the punishments include bans from handling financial information (it's why I didn't bring up the consequences in the article - I just don't know enough for sure about the specifics involved), it can include fines and other punishments if the breach is due to negligence. The credit card companies themselves are more likely to take direct action because they really don't like having to deal with the refunds involved in the case of fraud. The general rule of life is you can skirt whatever laws and regulations you want to so long as you do not #&%@ with a corporation's money.
 


Dannyalcatraz

Schmoderator
Staff member
The credit card companies themselves are more likely to take direct action because they really don't like having to deal with the refunds involved in the case of fraud.
True. And while it may exist, I doubt they have a blackish either, based on my past experiences.
 

DLIMedia

David Flor, Darklight Interactive
Side note: This is the process TSR, LLC. and Dungeon Hobby Shop Museum, LLC. should be following: Data Breach Response: A Guide for Business
It's worth mentioning that the charges in question are actually not from "TSR LLC"... Justin's been using the merchant account of his oxygen bar in Wilmington, "Port City Kava", to handle all the card processing. It's also what appears as the account owner if you use PayPal.

For the record, "Port City Kava" has been administratively dissolved since 2020...

...so I'm not sure how legal him doing this actually is. Pretty sure the bank and card providers would be none too thrilled.
 


Abstruse

Legend
It's worth mentioning that the charges in question are actually not from "TSR LLC"... Justin's been using the merchant account of his oxygen bar in Wilmington, "Port City Kava", to handle all the card processing. It's also what appears as the account owner if you use PayPal.

For the record, "Port City Kava" has been administratively dissolved since 2020...

...so I'm not sure how legal him doing this actually is. Pretty sure the bank and card providers would be none too thrilled.
It's not unheard of. I know a lot of connected companies that use one of the companies as the designated "payment processor". I'm not sure how the organization works for something like that and whether or not LaNasa set it up properly. But considering his approach to data security, we can take a guess.

As far as the store, if it's still open then it's likely just converted from an LLC to a sole proprietorship. Which is going to be a problem not only in the WotC lawsuit since they've named LaNasa personally in their countersuit, but also if the FTC decides to levy fines.
 

Shakeshift

Adventurer
In my own experience, multiple people reporting and complaining about the problem REALLY seems to get the FTC and the credit card companies to take quick and painful action against the perpetrator. There's nothing like getting all your financial infrastructure yanked out from under your feet in a few hours.
I suggest everyone write in and complain about Justin Lanasa and his various holdings. They'll shut him down quickly if there are enough people who complain loudly enough. Sticking him in his financials is where it always does the most good. Nobody likes to be told by a bank that they're a high-risk threat, and their rights are being dialed back accordingly. Plus Justin's swagger mostly comes from having his money, which is as good of a way to deflate his ego as any.
 

Abstruse

Legend
In my own experience, multiple people reporting and complaining about the problem REALLY seems to get the FTC and the credit card companies to take quick and painful action against the perpetrator. There's nothing like getting all your financial infrastructure yanked out from under your feet in a few hours.
I suggest everyone write in and complain about Justin Lanasa and his various holdings. They'll shut him down quickly if there are enough people who complain loudly enough. Sticking him in his financials is where it always does the most good. Nobody likes to be told by a bank that they're a high-risk threat, and their rights are being dialed back accordingly.
I would advise making sure you have standing to report to the FTC before filing a report. If you've made a purchase from TSR or DHSM (whether you didn't know their reputation at the time or out of morbid curiosity or just to see if they actually had products to sell), you definitely should report your concerns to the FTC. If not, I'd recommend at the very least checking their FAQ before filing a report. I'm not sure if there are any penalties involved in filing reports if you're not directly or at least potentially affected by a data breach, so make sure that you can file a report before doing so.
 

Sacrosanct

Legend
Publisher
I suggest everyone write in and complain about Justin Lanasa and his various holdings.
For the record, I don't think we should be telling anyone to engage in activities that would negatively hurt him if they aren't directly an aggrieved party. And even then, the only advice we should give is to follow standard procedure.

The only people that should be doing anything with this are those who potentially have their personal data compromised, and then it should be registered through the various companies that own the credit/debit cards that were used.

By the book folks. Anything else helps his case of being a victim, and may in fact get you in trouble.
 

Shakeshift

Adventurer
I would advise making sure you have standing to report to the FTC before filing a report. If you've made a purchase from TSR or DHSM (whether you didn't know their reputation at the time or out of morbid curiosity or just to see if they actually had products to sell), you definitely should report your concerns to the FTC. If not, I'd recommend at the very least checking their FAQ before filing a report. I'm not sure if there are any penalties involved in filing reports if you're not directly or at least potentially affected by a data breach, so make sure that you can file a report before doing so.
Of course. I would never suggest filing out of spite, but if your data is out there make sure that you report it ASAP.
 

Abstruse

Legend
Journalist hat on

And according to Don Semora, he is sending out emails to everyone whose information he has in the spreadsheet informing them of the data breach.

And also according to Semora, LaNasa is sending a reply email to everyone claiming it's not true, the only data breach was Semora having their contact information, and claiming that Semora is a liar, grifter, and conman. This is despite earlier this week Semora reportedly sending LaNasa a cease and desist notification demanding a retraction of the various claims LaNasa has made against him.
 


Michael Linke

Adventurer
I'll post this here as well



He, as a merchant, is allowed to store:
  • The primary account number (PAN);
  • The cardholder’s name;
  • The service code;
  • The card’s expiration date.

He is NOT allowed (per the Payment Card Industry Security Standards Council (PCI SSC):

Based on the info you gave so far, I highly recommend anyone who used a credit or debit card report this breach to their issuing company. As mentioned above, they can face serious penalties by doing this, including an audit by the FTC if it's egregious.
He’s not required to be PCI compliant. If he IS PCI compliant, he would have less liability in the event of a data breach, but there’s no law saying they have to comply.
 

RFB Dan

Podcast host, 6-edition DM, and guy with a pulse.
It's worth mentioning that the charges in question are actually not from "TSR LLC"... Justin's been using the merchant account of his oxygen bar in Wilmington, "Port City Kava", to handle all the card processing. It's also what appears as the account owner if you use PayPal.

For the record, "Port City Kava" has been administratively dissolved since 2020...

...so I'm not sure how legal him doing this actually is. Pretty sure the bank and card providers would be none too thrilled.

I can't help but think that Justin is using this LLC in order to not only hide financials from the IRS & State of NC (and WI), but to also hide any profits he may have had to pay out to Ernie. Furthermore, this may be in the jurisdiction of FinCEN.
 


Michael Linke

Adventurer
The FTC, and federal law, don't enforce PCI compliance. Yes, the credit card company will require merchants to be compliant to do business. As far as I'm aware there's no specific regulatory punishment in being non-compliant, other than the inherent vulnerability of not being compliant, and the fines and costs that go along with having a breach occur. His merchant accounts for receiving credit card payments will likely get suspended if this turns out to be true, but that has anything to do with the FTC.

The issue here isn't PCI compliance, though. He could have been non-compliant, but also careful and discreet with the data he did have. This is an allegation of him wantonly exposing customer data. THAT part is what is going to get him in more trouble beyond just loss of payment processing services.
 

Wizard Tower Games

Publisher of coll games
This happened in MAY?

I haven't watched the video - does it give any explanation for why it's now September and the alarm is only just now getting raised?
We can easily reply to this.

We since the first part of the year have gotten dozens of emails from TSR. When we got the initial customer listing email from them we let them know, they indicated they simply did not care.

However this one email with the Excel document when we got it we actually were not aware of exactly what it was. We figured just more data dumps from Lanasa. However once we got our subpoenas we began of course complying, pulling, printing, copying emails and that is when we noticed that this was in fact the info we made a video about.

He sent yesterday after our video, an email saying we do not have any info on credit cards or how people paid. So he is splitting hairs here, even if the manner of payment was removed. He would still be giving to people all of your info, address, phone numbers, names, what you ordered, what you paid, how much you paid. So he can split hairs, however at the end of the day it is exactly what it is.

We have since finding out we had this, been in contact with the proper authorities on this, and are working with them to ensure this data is dealt with properly, legally and the way it should be.
 

Wizard Tower Games

Publisher of coll games
The email we sent out to all customers in the spreadsheet.



And this is his email responding to our email, as you can see he is rage capping the title of the email, desperate to tell people to not listen to us we are lying. No Justin... Not lying, you are not going to manipulate your way out of this one. Wizard Grifter Games? He is trying to use @tenkar material on this one. Erik if you see this, it seems Lanasa admires your work.

 

Sacrosanct

Legend
Publisher
The FTC, and federal law, don't enforce PCI compliance. Yes, the credit card company will require merchants to be compliant to do business.
I don't think anyone said the FTC regulates it; we've been talking about how if they aren't, they lose their ability to use that service (i.e., MC and Visa mandate it). So when you quoted me saying it's not required, it threw me off because I was talking about from MC/Visa, not FTC. I was only talking about FTC in the context of how he's handling the breach.
 

Faolyn

(she/her)
The email we sent out to all customers in the spreadsheet.


And this is his email responding to our email, as you can see he is rage capping the title of the email, desperate to tell people to not listen to us we are lying. No Justin... Not lying, you are not going to manipulate your way out of this one. Wizard Grifter Games? He is trying to use @tenkar material on this one. Erik if you see this, it seems Lanasa admires your work.

I have to say that if I got one email from Person A saying "These people have spread your credit card info into the wild" and an email from Person B saying "NO I DON'T HE'S LYING," the very first thing I'd do is check with my credit card company to see if it had been misused, and then cancel the card and get a new one. Either Person A actually is lying and has a grudge, in which case for all I know they may be trying to spread my info to incriminate Person B, or Person B is lying and there was a breach. And in both cases, better safe than sorry.
 
