NuTSR Financial Data Breach

The ongoing saga of “TSR3” continues as Justin LaNasa, owner of “TSR LLC”, allegedly kept customer financial information in a spreadsheet without any form of encoding or encryption and emailed that spreadsheet to others.


In a video released by Don Semora of Wizard Tower Games, Semora claims Justin LaNasa emailed him a spreadsheet in May 2022 that included financial information from customers and business partners including full names, email addresses, home addresses, phone numbers, and even credit card numbers, all stored in plain text with no encoding or encryption. This includes customers of TSR or Dungeon Hobby Shop’s webstores purchasing products including Cult of Abaddon, Dungeon Crawl: The Board Game, TSR Dice, and others.


Screenshots of the spreadsheet (with private information redacted) show up in the video starting at the nine-minute mark.

Wizard Tower Games also commented in the EN World thread “The Full & Glorious History of NuTSR” offering to confirm if anyone’s personal information was part of the spreadsheet he received. According to David Flor, transactions with the companies are processed under the name “Port City Kava”, an oxygen bar and vape/ecig store run by Justin LaNasa in North Carolina.

For those unfamiliar with the Saga of the TSR Trademark, EN World has a timeline of events with links to more information going back to the start in June of 2021 and, at the time of writing, updated through July 22, 2022.

The video from Semora is the most recent entry in a back-and-forth between himself and LaNasa following a Twitter post from Wizard Tower Games on August 29 confirming the company received two subpoenas related to the lawsuit with Wizards of the Coast. Michael K. Hovermale, former employee of TSR LLC, confirmed he also received a subpoena related to the lawsuit and confirmed in a post on EN World that he retained all information from his time working for LaNasa and informed LaNasa of this in June of 2022. In a video titled “OPEN LETTER LANASA” posted on September 1, Don Semora says he received a text message from LaNasa accusing Semora and Hovermale of “photoshopping documents”. The video consists of Semora posting screenshots of documents he claims were sent to him from LaNasa. In response, LaNasa claimed the documents in the video were Photoshopped by posting his own screenshots and calling Semora a "liar" on social media including in the title of a channel on the TSR Discord server, according to a screenshot from the private server posted by Kim Wincen. Semora responded with the video posted earlier today containing the spreadsheet along with other screenshots.

The case of TSR LLC, the Dungeon Hobby Shop Museum LLC, and Justin LaNasa v. Wizards of the Coast is scheduled for a jury trial in October 2023.
 


Darryl Mott


Dioltach

Legend
I have to say that if I got one email from Person A saying "These people have spread your credit card info into the wild" and an email from Person B saying "NO I DON'T HE'S LYING," the very first thing I'd do is check with my credit card company to see if it had been misused, and then cancel the card and get a new one. Either Person A actually is lying and has a grudge, in which case for all I know they may be trying to spread my info to incriminate Person B, or Person B is lying and there was a breach. And in both cases, better safe than sorry.
If Person A is lying but you believe them, the worst that can happen is that you've spent time and effort blocking your card and getting a new one. If Person A is telling the truth but you believe Person B, well ... I know which course of action I'd take.
 






Dioltach

Legend
Actually, a "personal data breach" under the GDPR means a "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

But regardless, the GDPR only applies in the EU, not the US. (Unless the US also has one that I've never heard of?)
 

Wizard Tower Games

Publisher of coll games
This was posted also in the main TSR thread.

As of this morning, September 6, 2022, I have made certain videos private. I have done this to number one preserve them, and number two as I have been asked to do so by those far above my pay grade.

I also will be updating via video about this mess, as very quickly this morning very good things happened, and there is now a dedicated concerted effort to ensure that the truth is maintained, facts and evidence are not deleted or altered and certain persons we shall refer to him as "Vodermort 2.0" is dealt with in a manner that is legal, proper and fair.

The systematic deletion of Discord information this weekend by Voldermort 2.0 has been documented and validated very quickly. Discord does not mess around to official requests.
 



BrontideTheBold

First Post
After reading all this mess, I'd hate to give these folks 1 red cent but... Can't someone "buy" TSR from these jokers and do something constructive with it? It's a shame to let a mark with its weight and legacy to be trapped by people like this.
 

Sacrosanct

Legend
Publisher
After reading all this mess, I'd hate to give these folks 1 red cent but... Can't someone "buy" TSR from these jokers and do something constructive with it? It's a shame to let a mark with its weight and legacy to be trapped by people like this.
No, mostly because as soon as the court case is resolved, we'll all see how they never owned TSR to begin with. Can't buy something from someone when they don't own it to begin with.
 

Dausuul

Legend
After reading all this mess, I'd hate to give these folks 1 red cent but... Can't someone "buy" TSR from these jokers and do something constructive with it? It's a shame to let a mark with its weight and legacy to be trapped by people like this.
I believe that's what Wizards is doing, except that instead of giving the money to NuTSR, they are giving it to their lawyers to take NuTSR to the cleaners.
 

Abstruse

Legend
After reading all this mess, I'd hate to give these folks 1 red cent but... Can't someone "buy" TSR from these jokers and do something constructive with it? It's a shame to let a mark with its weight and legacy to be trapped by people like this.
One screenshot from a text conversation with LaNasa indicates that his goal was to squat the trademark and get Wizards of the Coast to pay him $100 million for it (not kidding, he said he expected that much). It's led to speculation that pretty much everything else he's been doing in terms of social media and public relations has been for the sole purpose of dragging the TSR name through the mud to force WotC to pay him to go away.

As soon as the countersuit was filed, that should have been an indication that's not going to happen because they are going to take him to the cleaners. And since he's named personally in the countersuit, he doesn't have the legal shield of the LLCs to protect him.
 

AncientPenguin

Social Distancing Expert™
Yeah, a data breach involves a private server getting illegally hacked.

This was like Apple getting “breached” by directly emailing customers and sending them the credit card details and personal information of other customers.
Data Protection consultant here - this is, factually, a breach.

Merchants can store credit card information. However, that data must be encrypted (PCI DSS Rule 3.1).

This paste-eating mouth-breather, opted not only to store payment information, but he sent it out 1) Unencrypted and 2) without any kind of data retention policy or protective controls in-place.

Just getting far enough down in the thread - @Sacrosanct summed it up well.
 

darjr

I crit!
Data Protection consultant here - this is, factually, a breach.

Merchants can store credit card information. However, that data must be encrypted (PCI DSS Rule 3.1).

This paste-eating mouth-breather, opted not only to store payment information, but he sent it out 1) Unencrypted and 2) without any kind of data retention policy or protective controls in-place.

Just getting far enough down in the thread - @Sacrosanct summed it up well.
So how bad is this? What kind of trouble does LaNasa face?
 

Sacrosanct

Legend
Publisher
So how bad is this? What kind of trouble does LaNasa face?
Every scenario is different, mind you, and we don't know the extent of the breach. Just based on what I know, he's looking at losing his ability to process credit/debit card payments through Visa/MC. Maybe fines. But the most egregious thing I can see is his response to customers when it was revealed they had a breach of personal financial data. That blows my mind and goes beyond simple deceit. And that's the part that might get the attention of the FTC. Everything else seems like it would be handled by Visa/MC directly. But what he did after? If he were a big company, it would be fine city.
 

AncientPenguin

Social Distancing Expert™
So how bad is this? What kind of trouble does LaNasa face?
That's a bit more complicated.

He potentially faces fines for being in violation of PCI-DSS and that can pile up. A lot.

Then he's got trouble from Credit Card and CC processing companies.

If he gets charged per-record, depending on the size of the Excel file, it could be 'death by a thousand cuts' with each record being $75-100.

And this is purely my assertion: if he's been this irresponsible with securing sensitive data, what other stupid fuckery has he done that hasn't been exposed. It's not a stretch or a flight of hyperbole to think that there's probably a lot more going on that's either questionable or potentially illegal from a business practice standpoint.

I've seen small-ish companies get hit with $80-90k fines for being out of compliance for 6 or so months and then sink further into the mud when reputational business dries up because of poor data stewardship. Then there's the legal costs to address this.

All in all, this isn't good for NuTSR.
 

Just based on what I know, he's looking at losing his ability to process credit/debit card payments through Visa/MC.

That's a bit more complicated.
...
All in all, this isn't good for NuTSR.

Does anyone know if/how this is likely to affect his other businesses? It looks like the data breach is all from the DHSM website. Will this have any effect on Hardwire Tattoo, Museum of the Bizarre, or Port City Vapor?
 

AncientPenguin

Social Distancing Expert™
Does anyone know if/how this is likely to affect his other businesses? It looks like the data breach is all from the DHSM website. Will this have any effect on Hardwire Tattoo, Museum of the Bizarre, or Port City Vapor?
If the same payment processor is spread across those other businesses, it's wholly within the realm of possibility that they'll drop him like a hot rock.

Additionally, a lot of other processors may not onboard him because of the lack of PCI compliance. That can lead to going with far riskier entities to process CC data with higher percentages and other concerns - all of which lead to that whole 'death of a thousand cuts'
 

Faolyn

(she/her)
Does anyone know if/how this is likely to affect his other businesses? It looks like the data breach is all from the DHSM website. Will this have any effect on Hardwire Tattoo, Museum of the Bizarre, or Port City Vapor?
Could it lead to an investigation of how he handled their finances? I have no idea if this would cause the IRS or whomever to examine other businesses he owns, but I can't also imagine that he's any more careful in how he handles them. Except those businesses might be well-off enough that he has someone else handle the finances.
 
