FACUA reports Epic Games to the AEPD for a potential data leak among Fortnite users

Certain flaws in the video game's system allow personal information on users' accounts to be accessed, including their bank details and conversations.

FACUA-Consumers in Action has reported US company Epic Games to the Spanish Data Protection Agency (AEPD, by its Spanish initials) for a potential data leak among users of its video game, Fortnite.

As reported by a number of news organisations, cybersecurity company Check Point has revealed a series of flaws in the video game's system that allow third parties to access users' personal information, including bank details, and to listen to private conversations taking place on the platform.

A player only had to fall victim to phishing, that is, to click on a fraudulent link imitating the video game, for their information to be exposed, owing to a flaw related to the tokens (unique identifiers) used to access accounts.

FACUA stresses that EU Regulation 2016/679, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, states that personal data should be "processed in a manner that ensures appropriate security" including "protection against unauthorised or unlawful processing and against accidental loss, destruction or damage".

What's more, article 6 of the same regulation lays out that said processing shall only be lawful if "the data subject has given consent to the processing of his or her personal data for one or more specific purposes", among other conditions.

Similarly, article 32 of the same regulation dictates that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk", including, among others, "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services".

Finally, the association also states that, since Fortnite is a video game with global reach and a large number of people could be affected, this breach of data protection regulation has a large scope, and the AEPD should bear this in mind when setting a penalty.

EU Regulation 2016/679 sets out that fines are to be imposed taking into account, among other factors, "the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them", and sets the applicable fines at "20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher".