Handout B: Backup Failure and Data Transfer Correlation
Compiled by infrastructure and network teams during recovery planning at the hospital.
Backup and Exfiltration Timeline
Backup Replication Log
2026-03-06 18:37 - replication_status=FAILED node=backup-02
2026-03-06 18:38 - checksum_mismatch volume=clinical-archive
2026-03-06 18:40 - last_immutable_snapshot=2026-02-21T02:15:00Z
---
Network Transfer Summary
Window: prior 21 days
Total outbound transfer: 2.8 TB
Top destination: 203.0.113.77:8443
Secondary destination: 198.51.100.19:443
DNS queries observed: secure-sync.example, portal-update.example
IM NOTES (Do Not Show to Players):
- Backup failure and stale immutable snapshot explain recovery uncertainty.
- Outbound volume over three weeks indicates staged data theft before outage.
- Destination infrastructure uses TEST-NET addresses and .example domains for safe simulation.
Key Discovery Questions
- How does this artifact change restoration strategy?
It supports phased recovery with aggressive validation instead of a full immediate restore.
- What does the transfer window imply for legal response?
Data exposure likely predates the outage by weeks, so the notification scope should include historical records from that period.
IM Facilitation Notes
- Release after participants ask about backup viability or data theft confirmation.
- Use this handout to drive discussion on recovery confidence versus speed.
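Added example (not part of the original handout): a Python sketch that correlates the replication log above with the network transfer window, to check whether the last immutable snapshot was taken inside the 21-day outbound window. It assumes the log timestamps are UTC and that the window ends at the last log entry; `parse_log` and `correlate` are hypothetical names.

```python
import re
from datetime import datetime, timedelta, timezone

# Log lines copied from the handout. Assumption: timestamps are UTC.
REPLICATION_LOG = """\
2026-03-06 18:37 - replication_status=FAILED node=backup-02
2026-03-06 18:38 - checksum_mismatch volume=clinical-archive
2026-03-06 18:40 - last_immutable_snapshot=2026-02-21T02:15:00Z
"""
WINDOW_DAYS = 21         # "Window: prior 21 days"
TOTAL_OUTBOUND_TB = 2.8  # "Total outbound transfer: 2.8 TB"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (.+)$")

def parse_log(text):
    """Return [(timestamp, fields)]; bare tokens such as checksum_mismatch map to True."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip separators and blank lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
        fields = {}
        for token in m.group(2).split():
            key, sep, value = token.partition("=")
            fields[key] = value if sep else True
        events.append((ts, fields))
    return events

def correlate(text, window_days, total_tb):
    """Place the last immutable snapshot relative to the outbound transfer window."""
    events = parse_log(text)
    snap_raw = next((f["last_immutable_snapshot"] for _, f in events
                     if "last_immutable_snapshot" in f), None)
    if snap_raw is None:
        raise ValueError("no last_immutable_snapshot entry in log")
    snapshot = datetime.strptime(snap_raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    window_end = max(ts for ts, _ in events)  # assumption: window ends at last log entry
    window_start = window_end - timedelta(days=window_days)
    return {
        "snapshot_age": window_end - snapshot,
        "window_start": window_start,
        "snapshot_inside_transfer_window": window_start <= snapshot <= window_end,
        "avg_outbound_gb_per_day": round(total_tb * 1000 / window_days, 1),
    }

if __name__ == "__main__":
    for key, value in correlate(REPLICATION_LOG, WINDOW_DAYS, TOTAL_OUTBOUND_TB).items():
        print(f"{key}: {value}")
```

Under these assumptions the snapshot falls inside the transfer window, so it cannot be treated as predating the intrusion without validation.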