Some League of Legends players received sensitive private information that belonged to other people earlier this week due to errors by Riot, makers of the internationally acclaimed multiplayer game. Instead of getting access to their own requested account info, several received phone numbers, email addresses, and detailed player histories of other people. A Riot representative wrote on Reddit that this was a rare occurrence that it is trying to avoid in the future.
The issue emerged when a gamer calling themselves ZainTheOne posted on the League of Legends subreddit about receiving a zip file of personal information belonging to someone else. League of Legends players can request a complete overview of their account info, including contact information and their activity on the game’s servers, by submitting a ticket after which the company has 30 days to send it per Europe’s recently-introduced GDPR guidelines (General Data Protection Regulation). At the end of this time period, after still not receiving their info, ZainTheOne reached out to Riot, after which point the wrong zip file was sent to them.
“I just sent them email [sic] that this isn’t my account data and yet to hear a reply,” the Reddit user wrote in the post. “Either way this is a serious issue because if i have someone else[‘s] account data who has mine?” Not long after, ZainTheOne received an email from Riot Player Support, which they shared in a screenshot, apologizing for the error and assuring them that their info had not mistakenly been shared with anyone else.
Three other users came forward in the comments on ZainTheOne’s post to say that they too had received other people’s account info. The player whose info ZainTheOne mistakenly received also commented and said they were glad it was a honest person who received it and not someone malicious.
More recently, a representative for Riot Play Support responded directly to the Reddit thread to try and explain what had happened. “Normally, data requests like these are handled by an automated system,” the representative wrote. “In this case it was handled manually, and through human error the wrong file was sent to the wrong player.”
They went on:
“Most importantly, we’ve gone through every other request that was answered manually and can confirm that this was an incredibly rare incident. We’ve individually contacted the few players affected.”
According to the representative, manual reviews of the kind that apparently led to these incidents have been “paused,” and Riot’s investigation so far hasn’t found any issues with its automated process. Riot did not immediately respond to a request by Kotaku for more clarification on what went wrong and exactly how many people may have been affected.
The incident does point to some of the difficulties internet-based companies are experiencing as they implement new systems to be compliant with GDPR. The guidelines require companies operating in Europe to keep customers’ information more secure, but also be more transparent and forthcoming about letting those customers access it.