A lawsuit filed by the former information security director of Linden Lab—the company behind the online virtual world Second Life, which, yes, is still a thing—claims the company mishandled sensitive user data and turned a blind eye to simulated acts of child molestation and the potential for money laundering.

Paris Martineau covers platforms, online influence, and social media manipulation for WIRED.

In a lawsuit filed in San Francisco County Superior Court on July 30 and served to Linden Lab on Tuesday, Kavyanjali Pearlman, a security researcher who joined Linden Lab from Facebook in 2017, says that she raised these issues during her tenure, and was met with hostility. The suit alleges company executives retaliated against her for flagging cybersecurity risks and potential violations of anti-money-laundering laws, child exploitation, and data misuse.

Pearlman claims the company discriminated against her as a woman, an Indian immigrant, and a Muslim. “After making her concerns known, [she] was treated worse than similarly situated employees who were not immigrant women of color, who were not religiously Muslim and wore a hijab,” says the suit. “Instead of looking into Pearlman’s complaints, Linden Lab’s senior officers led a campaign of retaliation against her, painting her as an inept employee who has issues with communication, and ultimately terminating her employment in March of 2019.”

“While we will fight her alleged claims in court, we deny any allegations that the company has engaged in any illegal activity,” said Linden Lab spokesperson Brett Atwood. “Ms. Pearlman left the company on March 15 only after she was given the opportunity to improve her work performance. We look forward to all the facts coming out in a court of law,” he said, declining additional comment because of the lawsuit.

Linden Lab is best known for Second Life, the massively multiplayer virtual world launched in 2003, which boasted around a million regular users at its peak, and an estimated 800,000 active monthly users as of 2017. Those numbers are paltry compared with today’s social media giants, but it’s still a sizable chunk of people.

A decade ago, Second Life was populated mostly by futurists, brands, and, for some reason, embassies; today, the virtual world occupies a more niche space online. Much of Second Life revolves around the Linden Dollar, a virtual currency with real cash value that is used to buy and sell in-game items, virtual land, and operate or play at virtual “skill gaming” casinos. In 2018, approximately $65 million was paid out to Second Life users for a variety of virtual goods and services. Gaming—including both free-to-play games and “skill” games that offer payouts—was the most popular activity among users, according to Linden Lab.

Last October, Pearlman says she raised concerns with Linden Lab executives that the company was not complying with anti-money-laundering rules, including not required information about the operators of skill games, according to the lawsuit. She says her concerns were dismissed, and that the issues had yet to be addressed by Linden Lab when she left the company in March.

Atwood, of Linden Lab, declined to comment when asked about the accuracy of Pearlman’s description of events. “All Second Life skill gaming operators must provide and verify their identification as part of a rigorous application process,” Atwood told WIRED over email. “We are in compliance with all legal regulations and all skill gaming operators agree to our Terms & Conditions as part of the review and approval process for our Skill Gaming program.”

In the suit, Pearlman claims that the user payment information collected by Linden Lab and “Second Life customer data” wasn’t secure, and that her attempts to correct even the most glaring security issues were met with hostility. In September 2018, Pearlman says she alerted multiple members of the IT team and executive board that payment information was accessible by employees from other parts of the company, and that outside contractors were gaining access to support tools that gave them unfettered access to private user data, according to the lawsuit.