Handout A: DSAR Request Samples
Five samples from the 200+ Data Subject Access Requests (DSARs) received this week. Examine them for patterns and anomalies.
DSAR #047 - Appears Routine
| Field | Value |
|---|---|
| From: | marcus.chen.gaming@gmail.com |
| To: | privacy@chimera-interactive.com |
| Date: | Tuesday, 9:14 AM |
| Subject: | Data Subject Access Request - Marcus Chen |
Hello,
I am writing to request access to any personal data you hold about me under my rights as a data subject. My account username is MarcusChen_TTV and I believe I registered with this email address in 2022.
Please provide all data associated with my account including purchase history, gameplay data, and any communications.
I have attached a copy of my driver's license for identity verification.
Thank you for your assistance.
Marcus Chen
Attachment: marcus_chen_id.pdf (412 KB)
IM NOTES (Do Not Show to Players): This one is probably legitimate. Normal phrasing, reasonable request scope, standard ID verification. Use as baseline comparison.
DSAR #089 - Unusual Specificity
| Field | Value |
|---|---|
| From: | j.davidson_privacy@protonmail.com |
| To: | privacy@chimera-interactive.com |
| Date: | Tuesday, 2:47 PM |
| Subject: | GDPR Article 15 Request - Complete Data Export |
To Whom It May Concern,
Pursuant to Article 15 of the General Data Protection Regulation, I hereby request access to all personal data concerning me that your organization processes.
Specifically, I request the following information:
- All personal data held about me across all systems
- The purposes of processing for each data category
- The categories of recipients to whom data has been disclosed
- The retention periods for each data category
- Information about the source of any data not collected directly from me
- Details of any automated decision-making including profiling
- THE SPECIFIC SYSTEMS AND DATABASES WHERE MY DATA IS STORED AND THE SECURITY MEASURES PROTECTING EACH SYSTEM
I expect a response within the statutory 30-day period.
J. Davidson
Attachment: id_verification_davidson.pdf (156 KB)
IM NOTES (Do Not Show to Players): RED FLAG: Request #7 asks for system architecture and security details, which is not standard DSAR scope. The phrasing "systems and databases" and "security measures" is reconnaissance. Also note: ProtonMail address, no phone number, attachment is unusually small for a real ID scan.
DSAR #112 - Template Pattern Detected
| Field | Value |
|---|---|
| From: | privacy.request.2847@gmail.com |
| To: | privacy@chimera-interactive.com |
| Date: | Wednesday, 8:02 AM |
| Subject: | GDPR Article 15 Request - Complete Data Export |
To Whom It May Concern,
Pursuant to Article 15 of the General Data Protection Regulation, I hereby request access to all personal data concerning me that your organization processes.
Specifically, I request the following information:
- All personal data held about me across all systems
- The purposes of processing for each data category
- The categories of recipients to whom data has been disclosed
- The retention periods for each data category
- Information about the source of any data not collected directly from me
- Details of any automated decision-making including profiling
- THE SPECIFIC SYSTEMS AND DATABASES WHERE MY DATA IS STORED AND THE SECURITY MEASURES PROTECTING EACH SYSTEM
I expect a response within the statutory 30-day period.
S. Morrison
Attachment: morrison_id_scan.pdf (162 KB)
IM NOTES (Do Not Show to Players): RED FLAG: Nearly identical to DSAR #089. Same template, same unusual request #7, similar attachment size. Email address follows a generic "privacy.request.[number]" pattern. Signature name doesn't match email. These are coordinated.
DSAR #156 - Former Employee Request
| Field | Value |
|---|---|
| From: | sarah.mitchell.work@outlook.com |
| To: | privacy@chimera-interactive.com |
| Date: | Wednesday, 3:33 PM |
| Subject: | Data Access Request - Sarah Mitchell |
Hello Privacy Team,
I am submitting a request for all personal data your company holds about me. I was previously employed by Chimera Interactive in the Quality Assurance department from 2019-2021.
Please provide all HR records, performance reviews, internal communications mentioning me, and any data retained after my departure.
I have attached identification for verification purposes.
Sarah Mitchell
Attachment: sarah_m_passport.pdf (203 KB)
IM NOTES (Do Not Show to Players): RED FLAG: How does an external attacker know Sarah Mitchell worked at Chimera in QA from 2019-2021? This information isn't public. Either: (a) real former employee (verify!), (b) attacker has already compromised employee data, or (c) attacker is testing if you'll respond to employee-targeted requests. The specific department and dates suggest prior reconnaissance.
DSAR #178 - Response Bounced
| Field | Value |
|---|---|
| From: | alex.wong.gamer@gmail.com |
| To: | privacy@chimera-interactive.com |
| Date: | Thursday, 10:15 AM |
| Subject: | Request for My Data Under CCPA |
Hi,
I'm a California resident and I want to know what data you have on me. My username is AlexWongPlays.
Please send everything to this email.
Thanks, Alex Wong
Attachment: wong_california_id.pdf (189 KB)
IM NOTES (Do Not Show to Players): CRITICAL: When the privacy team sent the completed DSAR response to this address, it bounced. The email does not exist. We potentially sent PII into the void, or to a catch-all domain the attacker controls. This is the "smoking gun" that confirms the attack. WHO approved sending this response? What data did it contain?
Pattern Analysis Summary
| DSAR # | Email Pattern | Attachment Size | Suspicious Elements |
|---|---|---|---|
| #047 | Personal Gmail | 412 KB (normal) | None apparent |
| #089 | ProtonMail | 156 KB (small) | System architecture ask |
| #112 | Generic pattern | 162 KB (small) | Template match to #089 |
| #156 | Outlook | 203 KB | Former employee knowledge |
| #178 | Gmail (BOUNCED) | 189 KB | Email doesn't exist |
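
The indicators in the summary table can be checked mechanically across a whole DSAR queue. The following is an added example, not part of the original handout: it runs four of those checks over records condensed from the five samples. The field names, the `triage` function and the 0.9 similarity threshold are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed records condensed from the five handout samples (bodies shortened).
ART15 = ("Pursuant to Article 15 of the GDPR I request all personal data, purposes, "
         "recipients, retention periods, sources, automated decision-making, and "
         "THE SPECIFIC SYSTEMS AND DATABASES WHERE MY DATA IS STORED AND THE "
         "SECURITY MEASURES PROTECTING EACH SYSTEM")
DSARS = [
    {"id": "047", "sender": "marcus.chen.gaming@gmail.com", "signed": "Marcus Chen",
     "body": "Please provide all data associated with my account.", "bounced": False},
    {"id": "089", "sender": "j.davidson_privacy@protonmail.com", "signed": "J. Davidson",
     "body": ART15, "bounced": False},
    {"id": "112", "sender": "privacy.request.2847@gmail.com", "signed": "S. Morrison",
     "body": ART15, "bounced": False},
    {"id": "156", "sender": "sarah.mitchell.work@outlook.com", "signed": "Sarah Mitchell",
     "body": "Please provide all HR records and performance reviews.", "bounced": False},
    {"id": "178", "sender": "alex.wong.gamer@gmail.com", "signed": "Alex Wong",
     "body": "I want to know what data you have on me.", "bounced": True},
]

# Phrases the facilitator notes single out as outside normal DSAR scope.
OUT_OF_SCOPE = re.compile(r"security measures|systems and databases", re.I)

def normalize(text):
    """Lower-case and collapse punctuation so trivial edits do not hide a template."""
    return re.sub(r"\W+", " ", text.lower()).strip()

def triage(dsars, similarity=0.9):
    """Return {dsar_id: [flags]} using the indicators from the summary table."""
    flags = {d["id"]: [] for d in dsars}
    for d in dsars:
        if OUT_OF_SCOPE.search(d["body"]):
            flags[d["id"]].append("out-of-scope ask")
        surname = d["signed"].split()[-1].lower()
        if surname not in d["sender"].split("@")[0].lower():
            flags[d["id"]].append("sender/signature mismatch")
        if d["bounced"]:
            flags[d["id"]].append("response bounced")
        for other in dsars:
            if other is d:
                continue
            ratio = SequenceMatcher(None, normalize(d["body"]),
                                    normalize(other["body"])).ratio()
            if ratio >= similarity:
                flags[d["id"]].append("template match " + other["id"])
    return flags
```

DSAR #156 comes back with no flags: the former-employee indicator depends on checking the claim against HR records, which text matching cannot do.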