Video game company Epic Games has come under fire for accidentally sending the personal information of one of its users to a “random person”.
The blunder occurred after one Epic Games user submitted a request for the information that the company holds on them under the European Union’s General Data Protection Regulation (GDPR) laws. This included their real name, email address, IP address, purchase history and purchase details.
GDPR states that companies must respond to such requests within a month of receipt or face a fine from data regulation authorities. A Hungarian firm was fined approximately $3,100 for denying a right of access request in February, for example. Regulators are able to apply fines of up to €20m or 4% of global annual turnover for breach of GDPR laws.
In this case, Epic Games, which makes the popular game Fortnite, did comply with the request. However, according to Reddit user TurboToast3000, it also sent the requested information to another Epic Games user.
According to the user, Epic emailed him to apologise for the “human error” that led to the blunder, confirming that a player support representative had mistakenly sent the requested information to another player. The email reportedly read:
“We regret to inform you that, due to human error, a player support representative accidentally also sent the information you requested to another player. We quickly recognized this mistake and followed up with the player and they confirmed they deleted it from their local machine.
“We regret this error and can’t apologize enough for this mistake. As a result, we’ve already begun making changes to our process to ensure this doesn’t happen again.”
Has Epic Games breached GDPR?
While the individual who received the information has insisted that they removed it from their system, this would still likely count as a data breach.
According to the United Kingdom’s Information Commissioner’s Office (ICO), under GDPR law, a personal data breach occurs “whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable”.
Epic Games did inform the individual whose data was compromised within 72 hours of the incident. However, the company is also required to notify European data protection authorities that a breach has occurred.
Epic Games has yet to confirm that a breach occurred, or whether it has notified the relevant authorities. Verdict has reached out for comment and will update if a response is received.
Epic Games’ questionable GDPR compliance
This isn’t the first time that Epic Games has received criticism for GDPR compliance.
Most notably, the policy stated that users agreed to allow Epic to share their personal details with advertisers, with limited ability to opt out of this.
Under GDPR, those collecting data must inform users of the “nature of data that’s being collected, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer”. The user must also show “clear affirmative action” to opt in to the collection of their data.