The Inquisitor: Compliance Breach

Chimera Interactive: mid-sized game publisher, 200 employees, San Jose, California
Trojan / Social Engineering • The Inquisitor
STAKES
Regulatory compliance + Data breach liability + Operational integrity of privacy processes
HOOK
It’s Thursday morning at Chimera Interactive. Your privacy team looks exhausted. Over the past 72 hours, you’ve received over 200 Data Subject Access Requests – that’s more than you normally get in a year. Legal is demanding faster responses. The 30-day GDPR clock is ticking. But something feels wrong. Some of these requests are… strange. Jamie Chen from your privacy team just pulled you aside: ‘I think we might have a problem. A big one.’ What do you do?
PRESSURE
GDPR one-month response deadline under Art. 12(3), commonly treated as 30 days (Day 4 of spike) + CCPA compliance + legal demanding faster processing
FRONT • 90 minutes • Intermediate
NPCs
  • Jamie Chen (Privacy Analyst): Wants to do their job correctly without getting blamed for the breach. Anxious, detail-oriented, feels guilty about shortcuts taken under pressure. Core phrase: 'I noticed something weird but I wasn't sure if I was overreacting...'
  • Morgan Torres (Privacy Team Lead): Wants to meet compliance deadlines without her team getting blamed. Exhausted, defensive, prioritizes speed over caution. Core phrase: 'We don't have time to scrutinize every document. If it looks like an ID, process it.'
  • Alex Reyes (Junior Privacy Analyst): Wants someone to listen to their concerns. Observant, uncertain, has noticed patterns but was overruled. Core phrase: 'I've been comparing these requests. A bunch have almost identical phrasing...'
  • Sam Okafor (Security Analyst, SOC): Wants to understand why they weren't looped in earlier. Frustrated, competent, ready to help once included. Core phrase: 'We've had alerts firing for two days. Nobody told us this was connected.'
SECRETS
  • Privacy team is understaffed (3 people) and siloed from the security team (5 people) — no shared channel, no shared incident process
  • Under deadline pressure, the team began skipping full identity verification steps three days ago
  • DSAR responses to requests that asked about 'systems and databases' were answered in full — the organization unknowingly provided its own infrastructure map

Planning Resources

Tip: Comprehensive Facilitation Guide Available

For detailed session preparation support, including investigation timelines, NPC scripts, round-by-round facilitation guidance, and handout management, see:

The Inquisitor: Compliance Breach Planning Guide

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Scenario Details for IMs

Hook

“It’s Thursday morning at Chimera Interactive. Your privacy team looks exhausted. Over the past 72 hours, you’ve received over 200 Data Subject Access Requests – that’s more than you normally get in a year. Legal is demanding faster responses. The 30-day GDPR clock is ticking. But something feels wrong. Some of these requests are… strange. Jamie Chen from your privacy team just pulled you aside: ‘I think we might have a problem. A big one.’ What do you do?”

Initial Symptoms to Present:

Warning: Initial Situation
  • Privacy team has received 200+ DSARs in 72 hours (normal volume: ~15/week)
  • Staff are exhausted and behind on responses; legal is demanding faster processing
  • Some requests have unusual phrasing – asking for “systems and databases” detail
  • One completed DSAR response bounced – the email address doesn’t exist

Escalation Timeline:

  • Hour 1: Privacy team realizes bounced email = sent PII to invalid address
  • Hour 2: Pattern analysis reveals coordinated request campaign
  • Hour 3: Security discovers ongoing exfiltration (started 48 hours before DSAR spike was noticed)
  • Hour 4: Executive notification required – scope unknown, breach notification decision pending

Key Discovery Paths:

Round 1: Pattern Recognition (20 minutes)

  • Comparing requests reveals near-identical phrasing across dozens of submissions – same template, different names
  • Identity verification documents have suspiciously small file sizes (150–180 KB); real ID scans are typically 400+ KB. Size alone is a weak signal, since image compression varies, so pair it with the metadata check
  • Metadata on attached IDs (EXIF or PDF creation timestamps) shows creation dates within hours of submission – consistent with documents generated for the request rather than scanned from a physical card
  • A cluster of requests asks for “the specific systems and databases where my data is stored” – not standard DSAR scope

One DSAR claims to be from ‘Sarah Mitchell, former QA employee 2019-2021.’ How would an external attacker know specific employment details that aren’t public?
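An added triage script (example code written for this page, not part of the scenario or its handouts) that applies the four Round 1 signals to a batch of DSAR records. The records, the field names and the thresholds (200 KB, a 24-hour window, three shared-template matches) are constructed assumptions. The template key is deliberately coarse, and a request that asks about "systems and databases" is a triage signal rather than proof of bad faith, since Art. 15 does entitle a data subject to know the recipients and categories of their data.

```python
"""Triage heuristics for a burst of Data Subject Access Requests.

Added example for this scenario; the DSAR records below are constructed, not
real requests, and the thresholds are assumptions drawn from the Round 1 clues
(shared template, small ID attachments, attachment metadata dated within hours
of submission, "systems and databases" scope).
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Dsar:
    request_id: str
    requester: str
    body: str
    id_doc_bytes: int           # size of the uploaded ID document
    id_doc_created: datetime    # creation timestamp from the attachment's own metadata
    submitted: datetime         # when the request arrived


# Assumed thresholds: the clue says forged IDs were 150-180 KB vs 400+ KB for real scans.
SMALL_ID_DOC_BYTES = 200_000
FRESH_DOC_WINDOW = timedelta(hours=24)
SHARED_TEMPLATE_MIN = 3
# Requests that ask where data is held by system/database name rather than what data is held.
RECON_SCOPE = re.compile(
    r"\b(?:systems?|databases?|servers?|infrastructure)\b.{0,80}?\b(?:stor|hold|kept|process)",
    re.I | re.S,
)


def template_key(body: str) -> str:
    """Collapse a request body to its template: strip emails, capitalised names and numbers.

    Coarse on purpose: any capitalised multi-word phrase becomes <name>. That is fine here
    because the same rewrite is applied to every request, so bodies that differ only in the
    personal details the attacker filled in end up with the same key.
    """
    text = re.sub(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", "<email>", body)
    text = re.sub(r"\b[A-Z][a-z]+(?: [A-Z][a-z]+)+\b", "<name>", text)
    text = re.sub(r"\d+", "<num>", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def triage(requests: list[Dsar]) -> dict[str, list[str]]:
    """Return {request_id: [flags]}; an empty list means nothing anomalous was seen."""
    by_template: dict[str, list[str]] = defaultdict(list)
    for r in requests:
        by_template[template_key(r.body)].append(r.request_id)

    flags: dict[str, list[str]] = {}
    for r in requests:
        found = []
        if len(by_template[template_key(r.body)]) >= SHARED_TEMPLATE_MIN:
            found.append("shared-template")
        if r.id_doc_bytes < SMALL_ID_DOC_BYTES:
            found.append("small-id-doc")
        if abs(r.submitted - r.id_doc_created) <= FRESH_DOC_WINDOW:
            found.append("id-doc-created-near-submission")
        if RECON_SCOPE.search(r.body):
            found.append("recon-scope")
        flags[r.request_id] = found
    return flags


def needs_manual_verification(requests: list[Dsar], min_flags: int = 2) -> list[str]:
    """IDs to hold back for full identity verification (Art. 12(6) allows asking for more info)."""
    return sorted(rid for rid, f in triage(requests).items() if len(f) >= min_flags)


# Constructed sample input: three requests from one template plus one organic request.
TEMPLATE = (
    "Hello, my name is {name}. Under GDPR Article 15 I request access to all personal data you "
    "hold about me, including the specific systems and databases where my data is stored. "
    "Please reply to {email}."
)
_T = datetime(2026, 2, 10, 9, 30)  # constructed submission time

SAMPLE_REQUESTS = [
    Dsar("DSAR-0151", "Sarah Mitchell", TEMPLATE.format(name="Sarah Mitchell", email="s.mitchell.qa@example.net"),
         164_000, _T - timedelta(hours=3), _T),
    Dsar("DSAR-0152", "Daniel Ortiz", TEMPLATE.format(name="Daniel Ortiz", email="dortiz1987@example.net"),
         171_000, _T - timedelta(hours=2), _T + timedelta(minutes=4)),
    Dsar("DSAR-0178", "Alex Wong", TEMPLATE.format(name="Alex Wong", email="alex.wong.gamer@gmail.com"),
         158_000, _T - timedelta(hours=5), _T + timedelta(minutes=9)),
    Dsar("DSAR-0003", "Priya Raman",
         "Hi there, could I get a copy of the data linked to my account (player tag NightOwl_42)? Thanks, Priya",
         612_000, datetime(2024, 6, 1, 14, 0), _T - timedelta(days=2)),
]

if __name__ == "__main__":
    for rid, f in triage(SAMPLE_REQUESTS).items():
        print(rid, ", ".join(f) or "no flags")
    print("hold for verification:", needs_manual_verification(SAMPLE_REQUESTS))
```

Run it as-is to see the three templated requests collect all four flags while the organic request collects none. The point of `needs_manual_verification` is that holding a request back for identity checks is itself a permitted step, not a deadline breach, so the output is a work queue for the privacy team rather than a verdict.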

Round 2: Investigation (25 minutes)

The response to alex.wong.gamer@gmail.com (CCPA request, California) bounced. That response contained full PII, payment data, AND a complete infrastructure map.

Security pulls firewall logs. Unusual outbound traffic to IP 185.234.72.19 (Moldova) started 48 hours ago – BEFORE the DSAR spike was noticed. 2+ GB exfiltrated across multiple production systems.

Cross-referencing: the systems mentioned in DSAR responses (accounts-prod-west, analytics-prod, payment-api-v2) exactly match the exfiltration sources. The DSARs MAPPED the targets.

The Inquisitor’s hidden ability activates: Reconnaissance Extraction. By asking “what systems store my data?” in DSAR requests, the attacker got you to voluntarily map your own infrastructure. The DSAR flood wasn’t just distraction – it was intelligence gathering.
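An added example (not the scenario's own material) of the Round 2 cross-reference: summarise outbound firewall traffic per external destination and flag any destination whose internal source hosts overlap the systems named in completed DSAR responses. The log lines are constructed in a generic key=value layout, not any vendor's format; the host names and destination IP are the scenario's, and the 100 MB threshold for "large" egress is an assumption.

```python
"""Correlate systems named in DSAR responses with outbound firewall traffic.

Added example for this scenario. The log lines are constructed in a generic
key=value format (not any vendor's); the host names and destination are the
ones the scenario gives, and the 100 MB threshold is an assumption.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timezone

# Hostnames the completed DSAR responses disclosed (from Round 2 of the scenario).
DISCLOSED_SYSTEMS = {"accounts-prod-west", "analytics-prod", "payment-api-v2"}

# Constructed egress log: timestamps roughly 48 hours before the Thursday-morning hook.
SAMPLE_LOG = """\
2026-02-08T02:14:07Z action=allow src=10.20.1.15 src_host=accounts-prod-west dst=185.234.72.19 dport=443 bytes_out=734003200
2026-02-08T02:20:41Z action=allow src=10.20.1.15 src_host=accounts-prod-west dst=52.84.10.7 dport=443 bytes_out=2100000
2026-02-08T03:02:19Z action=allow src=10.20.3.8 src_host=analytics-prod dst=185.234.72.19 dport=443 bytes_out=1180000000
2026-02-08T03:40:55Z action=allow src=10.20.5.21 src_host=build-runner-02 dst=140.82.112.4 dport=443 bytes_out=380000000
2026-02-08T04:11:03Z action=allow src=10.20.2.30 src_host=payment-api-v2 dst=185.234.72.19 dport=443 bytes_out=410000000
2026-02-08T04:15:30Z action=allow src=10.20.2.30 src_host=payment-api-v2 dst=10.20.9.4 dport=5432 bytes_out=950000000
"""


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' record into a dict with typed ts and bytes_out."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def summarise_egress(log: str) -> dict[str, dict]:
    """Per external destination: which internal hosts talked to it, total bytes, first time seen."""
    out: dict[str, dict] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not ipaddress.ip_address(rec["dst"]).is_global:
            continue  # internal-to-internal traffic (e.g. the 10.x database hop) is not egress
        entry = out.setdefault(rec["dst"], {"hosts": set(), "bytes_out": 0, "first_seen": rec["ts"]})
        entry["hosts"].add(rec["src_host"])
        entry["bytes_out"] += rec["bytes_out"]
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
    return out


def correlate(disclosed: set[str], log: str, min_bytes: int = 100_000_000) -> list[dict]:
    """External destinations that received >= min_bytes from hosts named in DSAR responses."""
    hits = []
    for dst, e in summarise_egress(log).items():
        overlap = e["hosts"] & disclosed
        if overlap and e["bytes_out"] >= min_bytes:
            hits.append({
                "dst": dst,
                "hosts": overlap,
                "bytes_out": e["bytes_out"],
                "first_seen": e["first_seen"],
                # True when every source talking to this destination was a disclosed system
                "all_sources_disclosed": e["hosts"] <= disclosed,
            })
    return sorted(hits, key=lambda h: h["bytes_out"], reverse=True)


if __name__ == "__main__":
    for h in correlate(DISCLOSED_SYSTEMS, SAMPLE_LOG):
        gb = h["bytes_out"] / 1e9
        print(f"{h['dst']}: {gb:.2f} GB from {sorted(h['hosts'])}, first seen {h['first_seen'].isoformat()}")
```

On the constructed log only 185.234.72.19 is flagged: the CDN traffic from accounts-prod-west is too small, the build runner is not a disclosed system, and the database hop is internal. The `first_seen` timestamp is the value to put next to the time the first DSAR response went out, which is how the team establishes that the exfiltration began after the disclosure but before anyone noticed the spike.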

Round 3: Response (20 minutes)

GDPR Art. 33 requires breach notification to the supervisory authority within 72 hours of becoming aware of a personal data breach (Art. 33(4) allows the details to follow in phases). In California the breach notification statute (Cal. Civ. Code §1798.82, rather than the CCPA itself) requires notifying affected residents, and the Attorney General when more than 500 Californians are affected. You’re now aware.

Response Options:

  • Option A: Immediate Containment – Block the exfiltration destination (185.234.72.19) at the egress firewall and isolate affected systems. Super effective – stops ongoing data loss. Trade-offs: may tip off the attacker to rotate infrastructure, and blocking one destination does not remove whatever access is being used to read production data, so isolated systems still need investigation before they return to service.
  • Option B: DSAR Triage – Pause all DSAR responses pending verification review. Moderately effective – prevents further data disclosure. Trade-off: regulatory exposure if legitimate requests miss the deadline, though Art. 12(6) permits asking for additional information where identity is in reasonable doubt and Art. 12(3) allows a two-month extension for numerous or complex requests if the data subject is told within the first month.
  • Option C: Notification Strategy – File the 72-hour breach notification with the relevant supervisory authority. Required if a personal data breach is confirmed. Trade-off: scope unknown, so the first notification will be incomplete; Art. 33(4) permits providing the information in phases, so an incomplete notification on time beats a complete one late.

The Inquisitor’s WEAKNESS is Cross-Functional Coordination (-3). Reward players who establish a unified incident command spanning security and compliance.

Evolution Triggers:

  • If DSARs distract defenders for 48+ hours without security involvement → Coordinated Exfiltration activates
  • If verification shortcuts continue → additional PII exported to attacker-controlled addresses
  • If security and compliance share intelligence early → attack surface collapses; The Inquisitor’s evasion drops to near zero

Session Formats

Quick Demo (35–40 min)

  • Focus: The moment of realization – bounced email reveals PII sent to attacker
  • Guided Investigation: Provide DSAR #178 (bounced) and 2 suspicious samples; skip the full pattern analysis
  • Pre-defined Response: Pause DSARs + loop in security + assess breach notification obligation
  • Learning: Legitimate processes can be weaponized; deadline pressure degrades judgment

Lunch & Learn (75–90 min)

  • Focus: Full three-phase arc – discovery, investigation, response
  • Guided Investigation: Use all five DSAR samples; reveal security alert log in Round 2
  • Round structure: Round 1 (20 min Discovery) → Round 2 (25 min Investigation) → Round 3 (20 min Response) → Debrief (15 min)
  • Learning: Cross-functional coordination as the key defensive capability; privacy compliance as attack surface

Full Game (120–140 min)

  • Focus: Open investigation with no pre-provided clues; teams determine what to examine
  • Open Investigation: Full DSAR analysis, security log review, infrastructure mapping
  • Creative Response: Teams develop breach containment, notification strategy, and process reform
  • Learning: Deep dive on GDPR/CCPA obligations under breach conditions, organizational silo failure modes

Advanced Challenge (150–170 min)

  • Focus: High-pressure, ambiguous scenario
  • Complexity: Remove access to security logs until Round 3; add conflicting legal advice; executive pressure to continue DSAR processing; ambiguity about whether the breach notification clock has started
  • Ethical Dilemmas: Pause DSARs (regulatory exposure) vs. continue (send more PII to attackers)? Notify now with incomplete scope vs. delay to gather more information?

Lunch & Learn Materials (75-90 min, 3 rounds)

Round 1: Discovery (20 min)

Investigation Clues:

  • Clue 1 (Minute 5): “Comparing DSAR requests, you notice nearly identical phrasing across dozens of submissions. Same template, different names. Several ask for ‘the specific systems and databases where my data is stored.’”
  • Clue 2 (Minute 10): “Identity verification documents have suspiciously small file sizes (150-180 KB) – real ID scans are typically 400+ KB. Metadata shows creation dates within hours of submission.”
  • Clue 3 (Minute 15): One DSAR claims to be from ‘Sarah Mitchell, former QA employee 2019-2021.’ How would an external attacker know specific employment details that aren’t public?

Discovery Questions:

  • “What patterns do you notice in these DSAR requests?”
  • “What would make privacy staff skip verification steps during a crunch period?”
  • “The GDPR deadline is 30 days. You’re on Day 4. How does that pressure affect your decisions?”
  • “Has anyone talked to the security team? Why not?”

Response Guidance:

Teams should begin questioning the legitimacy of the DSAR volume and looking for coordination patterns. If teams stall, have the privacy analyst NPC express concern about the pattern or the junior analyst NPC point out the template similarities.

Round 2: Investigation (25 min)

Investigation Clues:

  • Clue 4 (Minute 25): The response to alex.wong.gamer@gmail.com (CCPA request, California) bounced. That response contained full PII, payment data, AND a complete infrastructure map.
  • Clue 5 (Minute 30): Security pulls firewall logs. Unusual outbound traffic to IP 185.234.72.19 (Moldova) started 48 hours ago – BEFORE the DSAR spike was noticed. 2+ GB exfiltrated across multiple production systems.
  • Clue 6 (Minute 35): Cross-referencing: the systems mentioned in DSAR responses (accounts-prod-west, analytics-prod, payment-api-v2) exactly match the exfiltration sources. The DSARs MAPPED the targets.

Investigation Questions:

  • “What does the bounced email tell you about the nature of this threat?”
  • “If you were the attacker, why would you ask about ‘systems and databases’ in a DSAR?”
  • “The exfiltration started BEFORE the DSAR spike was noticed. What does that suggest about the attack timeline?”
  • “Who owns this incident – privacy team or security team?”

Response Options:

  • Option A: Immediate Containment – Block the exfiltration destination (185.234.72.19) at the egress firewall and isolate affected systems.
    • Pros: Stops ongoing data loss immediately; decisive action demonstrates security leadership.
    • Cons: Business disruption; may tip off the attacker to rotate infrastructure; blocking one destination does not remove whatever access is being used to read production data, so the isolated systems still need forensic investigation before they return to service.
    • Type Effectiveness: Super effective – stops ongoing data loss.
  • Option B: DSAR Triage – Pause all DSAR responses pending verification review.
    • Pros: Prevents further data disclosure via DSARs; allows systematic review of fulfilled requests. GDPR Art. 12(6) permits requesting additional information where there are reasonable doubts about the requester’s identity, and Art. 12(3) allows the one-month period to be extended by two further months for numerous or complex requests if the data subject is told why within the first month.
    • Cons: Regulatory exposure if legitimate requests are left unanswered past the deadline; legitimate data subjects delayed.
    • Type Effectiveness: Moderately effective – prevents further data disclosure.
  • Option C: Notification Strategy – File the 72-hour breach notification with the relevant supervisory authority.
    • Pros: Fulfills regulatory obligation; demonstrates responsible governance; gets regulators aligned early. Art. 33(4) allows the information to be provided in phases, so an initial notification with incomplete scope is acceptable.
    • Cons: Scope unknown – the first notification will be incomplete and must be followed up as facts emerge; potential PR fallout.
    • Type Effectiveness: Required if a personal data breach is confirmed – which it is.

Round 3: Response (20 min)

Regulatory Pressure: GDPR Art. 33 requires breach notification to the supervisory authority within 72 hours of becoming aware of a personal data breach (Art. 33(4) allows the details to follow in phases). In California the breach notification statute (Cal. Civ. Code §1798.82, rather than the CCPA itself) requires notifying affected residents, and the Attorney General when more than 500 Californians are affected. You’re now aware.

Response Questions:

  • “You have 180 pending DSARs. Maybe 20% are legitimate. How do you tell the difference?”
  • “Is sending PII to attackers via DSAR response a notifiable breach? Why or why not?”
  • “What would you tell the supervisory authority about how this happened?”
  • “What process changes would prevent this in the future?”

If Players Get Stuck:

  • “What would you do with unlimited resources and no deadline pressure?”
  • “If you KNEW these were fake requests, what would stop you from treating them that way?”
  • NPC Jamie Chen bursts in: “I found something else…” (reveal next clue)
  • NPC Morgan Torres: “Legal just called. They want a status update in 15 minutes.” (add pressure)

Round Transition Narratives

After Round 1 → Round 2:

The team’s initial pattern analysis has revealed the coordinated nature of the DSAR campaign. Now the bounced email discovery shifts the scenario from “suspicious compliance burden” to “active attack.” The privacy team must decide whether to loop in security – and how to handle the 200+ pending requests while investigating.

After Round 2 → Round 3:

The investigation has confirmed this is a coordinated attack: fraudulent DSARs for reconnaissance and cover, secondary payload for exfiltration. The team now faces the hardest decisions: breach notification obligations, DSAR processing pause, and coordinating a unified response across security and compliance functions.

Debrief Focus (10 min)

  • Cross-functional coordination as the decisive defensive capability
  • How deadline pressure degraded verification standards
  • Privacy compliance obligations as an exploitable attack surface
  • The organizational silo between security and compliance teams
  • What process changes would prevent this attack pattern

Full Game Materials (120-140 min, 3 rounds)

Tip: Full Game vs. Lunch & Learn

The Full Game adds open investigation (no guided clues), creative responses (no pre-defined options), and extended rounds for deeper exploration. Use the Key Discovery Paths above as your guide for what information is available when players investigate. The Lunch & Learn clues and response options are useful as personal reference for what “good” investigation looks like.

Round 1: Discovery & Pattern Recognition (30-35 min)

“It’s Thursday morning at Chimera Interactive. Your privacy team looks exhausted. Over the past 72 hours, you’ve received over 200 Data Subject Access Requests – that’s more than you normally get in a year. Legal is demanding faster responses. The 30-day GDPR clock is ticking. But something feels wrong. Some of these requests are… strange. Jamie Chen from your privacy team just pulled you aside: ‘I think we might have a problem. A big one.’ What do you do?”

Players investigate openly using their role capabilities. Key discoveries available include the DSAR template patterns, suspicious ID document sizes, the “systems and databases” question in multiple requests, and the former employee knowledge anomaly.

If team stalls: NPC Alex Reyes approaches the team: “I’ve been comparing these requests. A bunch have almost identical phrasing… and the ID documents look weird too. Small file sizes, like they were generated not scanned?”

Facilitation questions:

  • “What patterns do you notice in these DSAR requests?”
  • “The GDPR deadline is 30 days. You’re on Day 4. How does that pressure affect your decisions?”
  • “Has anyone talked to the security team about this volume spike? Why not?”

Round 1→2 Transition

The team’s pattern analysis shifts the situation from “compliance burden” to “potential attack.” The bounced email discovery in Round 2 will confirm suspicions. The privacy team must now decide how to handle the 200+ pending requests while investigating.

Round 2: Investigation & Escalation (35-40 min)

NPC Alex Reyes rushes in: “DSAR #178 – the email bounced. We sent a full data export to… nowhere? Or somewhere? That export had their full name, address, payment info, AND the system architecture stuff they asked for.”

Players investigate the full scope of the breach. Key discoveries available include the exfiltration traffic to Moldova, the correlation between DSAR responses and exfiltration targets, and the secondary payload that started before the DSAR spike.

Facilitation questions:

  • “What does the bounced email tell you about the nature of this threat?”
  • “If you were the attacker, why would you ask about ‘systems and databases’ in a DSAR?”
  • “The exfiltration started BEFORE the DSAR spike was noticed. What does that suggest about the attack timeline?”
  • “Who owns this incident – privacy team or security team?”

Round 2→3 Transition

The investigation has confirmed a coordinated attack. The team must now make critical response decisions: contain the exfiltration, pause DSAR processing, notify regulators, and coordinate across organizational silos.

Round 3: Response & Recovery (35-40 min)

Regulatory pressure: GDPR Art. 33 requires breach notification to the supervisory authority within 72 hours of becoming aware of a personal data breach (Art. 33(4) allows the details to follow in phases). In California the breach notification statute (Cal. Civ. Code §1798.82, rather than the CCPA itself) requires notifying affected residents, and the Attorney General when more than 500 Californians are affected. You’re now aware.

Facilitation questions:

  • “You have 180 pending DSARs. Maybe 20% are legitimate. How do you tell the difference?”
  • “Is sending PII to attackers via DSAR response a notifiable breach? Why or why not?”
  • “What would you tell the supervisory authority about how this happened?”
  • “What process changes would prevent this in the future?”

Victory conditions:

  • Team establishes unified incident command across security and compliance
  • Exfiltration IP blocked and affected systems isolated
  • DSAR processing paused with a plan to verify legitimate requests
  • Breach notification strategy developed with appropriate regulatory bodies
  • Organizational process reform initiated to prevent siloed response

Handouts for Players

Print or share these handouts with players during the session. Each opens as a standalone page with print-friendly formatting. IM notes are visible on screen but hidden when printing.

Debrief Questions

  1. Technical: What would have caught this attack earlier?
  2. Process: How would you change your DSAR verification process after today?
  3. Organizational: What organizational silo broke first in this scenario? Would that happen at your organization?
  4. Compliance: The attacker used your compliance obligations against you. How do you defend against that?
  5. Ethical: Is sending PII to attackers via a DSAR response a notifiable breach? Why or why not?
  6. Prevention: What long-term controls are most effective against this type of attack?
  7. Reflection: What was the hardest decision you had to make, and why?

Community Contribution

This scenario was created by Inver (privacy lawyer, TTRPG publisher), based on real attack patterns observed in privacy practice.

Contributor: Inver (privacy lawyer, TTRPG publisher)
Contribution Date: 2026-02-10
License: CC-BY-SA-4.0