Handout D: Slack Thread #privacy-team

This thread captures the privacy team’s communications over the past 3 days.


Tuesday, February 4th

Jamie Chen 9:47 AM

Heads up team — we got 47 new DSARs overnight. That’s… unusual. Anyone know if there was some news story about us?

Morgan Torres 9:52 AM

Weird. I’ll check social media, maybe someone did a thread about data privacy in gaming again

Jamie Chen 10:15 AM

Can’t find anything obvious. Let’s just power through them. We’ve got 30 days.

Alex Reyes 2:30 PM

Up to 89 now. Some of these requests are… detailed. One is asking for “the specific systems and databases where my data is stored.” Do we even include that?

Morgan Torres 2:34 PM

I mean, technically they have a right to know how their data is processed? Check with legal but I think we have to answer that


Wednesday, February 5th

Jamie Chen 8:15 AM

156 total now. This is not normal. I’m starting to get nervous.

Morgan Torres 8:22 AM

Legal is breathing down my neck about response times. We CANNOT miss the 30-day window.

Alex Reyes 11:45 AM

I’ve been comparing some of these requests. A bunch of them have almost identical phrasing? Like copy-paste with different names.

Jamie Chen 11:48 AM

Probably a template from some privacy rights website. People share those.

Alex Reyes 11:52 AM

Maybe… but some of the ID documents look weird too. Small file sizes, like they were generated not scanned?

Morgan Torres 11:55 AM

Alex Reyes, we don’t have time to scrutinize every document. If it looks like an ID, process the request. We’re drowning here.

Jamie Chen 3:30 PM

Got a weird one — DSAR for a former QA employee. How would someone external know those employment details??

Morgan Torres 3:33 PM

LinkedIn? Maybe she listed it? Just process it, we’ll verify if HR flags something


Thursday, February 6th

Jamie Chen 10:45 AM

We sent out 12 responses yesterday. Good progress!

Alex Reyes 11:02 AM

Uh. One of them bounced.

Jamie Chen 11:03 AM

What do you mean bounced?

Alex Reyes 11:05 AM

DSAR #178, alex.wong.gamer@gmail.com. Email doesn’t exist. We sent a full data export to… nowhere? Or somewhere?

Alex Reyes 11:06 AM

That export had their full name, address, payment info, purchase history, AND the system architecture stuff they asked for

Morgan Torres 11:08 AM

Wait what

Jamie Chen 11:10 AM

Should we… should we call security?

Morgan Torres 11:12 AM

Let me think. Let me think. OK yes, loop them in. But quietly. I don’t want to panic anyone until we know what we’re dealing with.

Alex Reyes 11:15 AM

There’s more. I’ve been looking at the other fulfilled requests. At least 3 more have that same ‘system architecture’ question. We answered all of them.

Morgan Torres 11:17 AM

Call security. Now.

IM NOTES: Key dynamics to highlight:

  • Deadline pressure overrode verification caution (“just process it” responses)
  • The junior analyst noticed warning signs but was overruled by workload urgency
  • Security wasn’t looped in until Day 3 — organizational silos
  • The team rationalized anomalies instead of investigating them
  • Nobody asked ‘could this be an attack?’ until it was too late