NuTSR Financial Data Breach

The ongoing saga of “TSR3” continues as Justin LaNasa, owner of “TSR LLC”, allegedly stores and has emailed to others a spreadsheet containing customer financial information stored without any form of encoding or encryption.

In a video released by Don Semora of Wizard Tower Games, Semora claims Justin LaNasa emailed him a spreadsheet in May 2022 that included financial information from customers and business partners including full names, email addresses, home addresses, phone numbers, and even credit card numbers, all stored in plain text with no encoding or encryption. This includes customers of TSR or Dungeon Hobby Shop’s webstores purchasing products including Cult of Abaddon, Dungeon Crawl: The Board Game, TSR Dice, and others.

​

Screenshots of the spreadsheet (with private information redacted) show up in the video starting at the nine minute mark.

Wizard Tower Games also commented in the EN World thread “The Full & Glorious History of NuTSR” offering to confirm if anyone’s personal information was part of the spreadsheet he received. According to David Flor, transactions with the companies are processed under the name “Port City Kava”, an oxygen bar and vape/ecig store run by Justin LaNasa in North Carolina.

For those unfamiliar with the Saga of the TSR Trademark, EN World has a timeline of events with links to more information going back to the start in June of 2021 and, at the time of writing, updated through July 22, 2022.

The video from Semora is the most recent entry in a back-and-forth between himself and LaNasa following a Twitter post from Wizard Tower Games on August 29 confirming the company received two subpoenas related to the lawsuit with Wizards of the Coast. Michael K. Hovermale, former employee of TSR LLC, confirmed he also received a subpoena related to the lawsuit and confirmed in a post on EN World that he retained all information from his time working for LaNasa and informed LaNasa of this in June of 2022. In a video titled “OPEN LETTER LANASA” posted on September 1, Don Semora says he received a text message from LaNasa accusing Semora and Hovermale of “photoshopping documents”. The video consists of Semora posting screenshots of documents he claims were sent to him from LaNasa. In response, LaNasa claimed the documents in the video were Photoshopped by posting his own screenshots and calling Semora a "liar" on social media including in the title of a channel on the TSR Discord server, according to a screenshot from the private server posted by Kim Wincen. Semora responded with the video posted earlier today containing the spreadsheet along with other screenshots.

The trial between TSR LLC, the Dungeon Hobby Shop Museum LLC, and Justin LaNasa v. Wizards of the Coast is scheduled for a jury trial in October 2023.

 

[Abstruse]

Journalist hat on

And according to Don Semora, he is sending out emails to everyone whose information he has in the spreadsheet informing them of the data breach.

And also according to Semora, LaNasa is sending a reply email to everyone claiming it's not true, the only data breach was Semora having their contact information, and claiming that Semora is a liar, grifter, and conman. This is despite earlier this week Semora reportedly sending LaNasa a cease and desist notification demanding a retraction of the various claims LaNasa has made against him.

 

[Dannyalcatraz]

The longer this goes on, the more I think it’s like this…

Lawyer to J. LaN: “Stop digging holes in your legal cases!”

J. LaN to Lawyer: “Here’s my shovel.”

Lawyer to J. LaN: “Thanks. Ummmm…where are you going?”

J. LaN to Lawyer: “Gotta go rent a backhoe.”

 

[Michael Linke]

I'll post this here as well



He, as a merchant, is allowed to store:

• The primary account number (PAN);
• The cardholder’s name;
• The service code;
• The card’s expiration date.

He is NOT allowed (per the Payment Card Industry Security Standards Council (PCI SSC):

• The full contents of a card’s magnetic stripe data, including data from EMV chips;
• The security code (knowns as the CVV or CVV2);
• The personal identification number (PIN).

Based on the info you gave so far, I highly recommend anyone who used a credit or debit card report this breach to their issuing company. As mentioned above, they can face serious penalties by doing this, including an audit by the FTC if it's egregious.

He’s not required to be PCI compliant. If he IS PCI compliant, he would have less liability in the event of a data breach, but there’s no law saying they have to comply.

 

[RFB Dan]

It's worth mentioning that the charges in question are actually not from "TSR LLC"... Justin's been using the merchant account of his oxygen bar in Wilmington, "Port City Kava", to handle all the card processing. It's also what appears as the account owner if you use PayPal.

For the record, "Port City Kava" has been administratively dissolved since 2020...

View attachment 260336

View attachment 260337

...so I'm not sure how legal him doing this actually is. Pretty sure the bank and card providers would be none too thrilled.

I can't help but think that Justin is using this LLC in order to not only hide financials from the IRS & State of NC (and WI), but to also hide any profits he may have had to pay out to Ernie. Furthermore, this may be in the jurisdiction of FinCEN.

 

[Sacrosanct]

He’s not required to be PCI compliant. If he IS PCI compliant, he would have less liability in the event of a data breach, but there’s no law saying they have to comply.

Yes he is. As long as he accepts visa or Mastercard methods of payment, he is required to be PCI compliant.

 

[Michael Linke]

The FTC, and federal law, don't enforce PCI compliance. Yes, the credit card company will require merchants to be compliant to do business. As far as I'm aware there's no specific regulatory punishment in being non-compliant, other than the inherent vulnerability of not being compliant, and the fines and costs that go along with having a breech occur. His merchant accounts for receiving credit card payments will likely get suspended if this turns out to be true, but that has anything to do with the FTC.

The issue here isn't PCI compliance, though. He could have been non-compliant, but also careful and discreet with the data he did have. This is an allegation of him wantonly exposing customer data. THAT part is what is going to get him in more trouble beyond just loss of payment processing services.

 

[Wizard Tower Games]

This happened in MAY?

I haven't watched the video - does it give any explanation for why it's now September and the alarm is only just now getting raised?

We can easily reply to this.

We since the first part of the year have gotten dozens of emails from TSR. When we got the initial customer listing email from them we let them know, they indicated they simply did not care.

However this one email with the Excel document when we got it we actually were not aware of exactly what it was. We figured just more data dumps from Lanasa. However once we got our subpoenas we began of course complying, pulling, printing, copying emails and that is when we noticed that this was in fact the info we made a video about.

He sent yesterday after our video, an email saying we do not have any info on credit cards or how people paid. So he is splitting hairs here, even if the manner of payment was removed. He would still be giving to people all of your info, address, phone numbers, names, what you ordered, what you paid, how much you paid. So he can split hairs, however at the end of the day it is exactly what it is.

We have since finding out we had this, been in contact with the proper authorities on this, and are working with them to ensure this data is dealt with properly, legally and the way it should be.

 

[Wizard Tower Games]

The email we sent out to all customers in the spreadsheet.

And this is his email responding to our email, as you can see he is rage capping the title of the email, desperate to tell people to not listen to us we are lying. No Justin... Not lying, you are not going to manipulate your way out of this one. Wizard Grifter Games? He is trying to use @tenkar material on this one. Erik if you see this, it seems Lanasa admires your work.

 

[Sacrosanct]

The FTC, and federal law, don't enforce PCI compliance. Yes, the credit card company will require merchants to be compliant to do business.

I don't think anyone said the FTC regulates it; we've been talking about how if they aren't, they lose their ability to use that service (i.e., MC and Visa mandate it). So when you quoted me saying it's not required, it threw me off because I was talking about from MC/Visa, not FTC. I was only talking about FTC in the context of how he's handling the breach.

 

[Faolyn]

The email we sent out to all customers in the spreadsheet.
View attachment 260412


And this is his email responding to our email, as you can see he is rage capping the title of the email, desperate to tell people to not listen to us we are lying. No Justin... Not lying, you are not going to manipulate your way out of this one. Wizard Grifter Games? He is trying to use @tenkar material on this one. Erik if you see this, it seems Lanasa admires your work.

View attachment 260414

I have to say that if I got one email from Person A saying "These people have spread your credit card info into the wild" and an email from Person B saying "NO I DON'T HE'S LYING," the very first thing I'd do is check with my credit card company to see if it had been misused, and then cancel the card and get a new one. Either Person A actually is lying and has a grudge, in which case for all I know they may be trying to spread my info to incriminate Person B, or Person B is lying and there was a breach. And in both cases, better safe than sorry.