After an already disastrous week with issues arising from the Epic Mega Sale on the Epic Game Store, Epic Games are now being accused of sending personal information to the wrong person.

A user on Reddit going by the name “TurboToast3000” made a post to the “r/fuckepic” subreddit. He created a thread titled “They literately sent my personal info to a random person. The info I requested with gdpr“, along with the above picture allegedly being Epic’s message to them. In case you cannot read it or are utilizing text translation, it states:

“Hello [Redacted], We regret to inform you that, due to human error, a player support representative accidentally also sent the information you requested to another player. We quickly recognized this mistake and followed up with the player and they confirmed that they deleted it from their local machine. We regret this error and can’t apologize enough for this mistake. As a result, we’ve already begun making changes to our process to ensure this doesn’t happen again. Thanks for your understanding.”

The user then followed up his initial post with more information. They claim they had made a GDPR request for what personal information Epic Games collected, most likely through Fortnite or the Epic Games Store. They state the alleged personal information included “my address, my name, my purchase history and my purchase info.” They also state their dissatisfaction they they “just get sorry. And after that they have the guts to ask if I was happy with there [sic] service.”

The user also edited their posting adding “I forgot that it also included my ip address.” When replying to others, the user also stated other private information included the type of transaction, payment method, and IP addresses for the transaction and country.

TurboToast3000 caps off his post with clear dissatisfaction and a vow not to use their services again:

“But this goes to far. I am done with very not epic games.”

UPDATE: In addition, TurboToast3000 claims he was contacted by the individual who received their information after they brought attention to the issue on Reddit. The alleged message claimed Epic had only acted after the individual notified them that the information had been sent to the wrong person:

“I got an email from epic yesterday. After that I went to reddit to let everyone know and after a few hours came a DM from someone who said they recived [sic] the email. WITH PROOF he showed that epic games sent him the email and he reported it because of that I was notified. So epic did oopsie kind sir reported it and at last I knew about it. “

Replying to other users, TurboToast3000 confirmed they would be looking into reporting them for the breach. While others encouraged them to sue, they explained “You don’t sue were I live. All I need to do is report it to the correct authorities.”

The same post was also made by the user on the r/PCGaming Subreddit. There and in the original r/fuckepic thread, user “arctyczyn”- an alleged Epic Games representative- replied. While they apologized again, they disputed what alleged information had been shared:

As mentioned in the message that was screencapped, this was a result of a regrettable error that we are owning, and we notified you as soon as we could. However, the information in the report doesn’t include your mailing address, your birthday, nor your details of your payment methods.

If the accusation itself is true, that means TurboToast3000 received his GDPR request for collected personal information. Therefore, they would know exactly what someone else had received if an exact duplicate had been sent to another person.

Due to GDPR (General Data Protection Regulation) being part of EU law, we suspect this means the user is based somewhere in Europe. While their exact location is unknown (except to whoever allegedly got their personal information) the punishment for such a breach could be immense irrelevant of the country. The GDPR official website FAQ notes the penalties for non-compliance:

“Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ are not exempt from GDPR enforcement.”

We will keep you updated as we learn more.