The Shattered Vault of Secrets
Accidental Data Exposure and Loss of UHNW Client Records
A catastrophic breach of the realm's most sacred vault has occurred — not through dark sorcery or siege, but through negligence within your own walls. A misconfigured cloud storage vessel has laid bare the personal records of your most prestigious patrons, while a misdirected enchanted scroll carrying sensitive client data has reached the hands of an unintended recipient. The Wardens of Data must act swiftly to seal the breach, notify the High Regulators, and restore the trust of those whose secrets were exposed.
🛡️ Roles & Party Members
War Chief (Required)
Incident Commander: Leads the incident response, coordinates containment and escalation, and drives decision-making across all workstreams.
Warden of the Sacred Scrolls (Required)
Data Protection Officer: Advises on GDPR obligations, assesses personal data impact, and determines notification requirements for the ICO and affected individuals.
Loremaster (Required)
Legal Counsel: Advises on legal exposure, privilege, contractual obligations to clients, and regulatory engagement strategy.
Arcane Engineer (Required)
IT Operations Lead: Provides technical context on cloud infrastructure, assesses misconfiguration scope, and implements access controls and containment measures.
Keeper of the Codex (Optional)
Compliance Officer: Assesses FCA notification obligations, ensures adherence to internal policies, and maintains the regulatory compliance audit trail.
Town Crier (Optional)
Communications Lead: Drafts client notifications, manages media inquiries, and coordinates internal communications to staff.
High Council Elder (Optional)
Senior Management: Provides executive-level decision authority, approves client notifications and regulatory submissions, and manages board reporting.
⚡ Inject Timeline
Initial Discovery — The Unsealed Vault
T+0 Minutes: It is 09:17 UTC on a Wednesday morning. The IT Security team receives an automated alert from the cloud security posture management (CSPM) tool indicating that an Amazon S3 bucket — s3://pb-client-d...
Breach Assessment & Containment — Sealing the Broken Wards
T+15 Minutes: The Arcane Engineer has confirmed that the S3 bucket has been re-secured with private access controls. However, the Data Protection Officer has completed a preliminary data mapping exercise and the results...
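The kind of check behind the CSPM alert in the first inject and the Block Public Access remediation confirmed in the second, as an added example that is not part of the original exercise material. The bucket name, ACL grants and bucket policy are constructed, and the function takes API-response-shaped dicts rather than calling AWS, so it runs offline.

```python
"""CSPM-style check for a publicly exposed S3 bucket (constructed example)."""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_exposure(pab, acl, policy_json):
    """Return exposure findings (empty list = not public). Inputs mirror the
    GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy API response shapes."""
    findings = []
    pab = pab or {}
    # Of the four Block Public Access settings, these two neutralise an
    # *existing* public ACL or policy; the Block* settings only stop new ones.
    acl_neutralised = bool(pab.get("IgnorePublicAcls"))
    policy_neutralised = bool(pab.get("RestrictPublicBuckets"))
    if not acl_neutralised:
        for grant in acl.get("Grants", []):
            grantee = grant.get("Grantee", {})
            uri = grantee.get("URI", "")
            if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
                findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    if not policy_neutralised and policy_json:
        for stmt in json.loads(policy_json).get("Statement", []):
            principal = stmt.get("Principal")
            anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            # An Allow to "*" with no Condition is reachable by anonymous callers.
            if stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition"):
                findings.append(f"Policy statement {stmt.get('Sid', '<unnamed>')} allows {', '.join(actions)} to everyone")
    return findings

# Constructed sample data: the misconfigured state a CSPM alert would fire on.
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-client-bucket/*"}]})
NO_PAB = {}  # no Block Public Access configured on the bucket
# Remediated state: all four Block Public Access settings enabled.
FULL_PAB = {k: True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                              "BlockPublicPolicy", "RestrictPublicBuckets")}

if __name__ == "__main__":
    for label, pab in (("exposed", NO_PAB), ("remediated", FULL_PAB)):
        print(label, public_exposure(pab, EXPOSED_ACL, EXPOSED_POLICY))
```

Enabling Block Public Access at the account level, rather than per bucket, is what turns the T+15 fix from a one-off remediation into the preventive control the debrief asks about.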
Regulatory Notification — Dispatching the Raven to the High Regulators
T+30 Minutes: The DPO has completed the formal breach risk assessment and concluded that the breach is likely to result in a high risk to the rights and freedoms of affected individuals. The assessment identifies t...
Individual Notification & Remediation — Restoring the Broken Trust
T+45 Minutes: The ICO notification has been submitted and the focus now shifts to the obligation under GDPR Article 34 to notify affected individuals 'without undue delay' where the breach is likely to result in a ...
📋 Debrief Questions
Post-Battle Assessment — Lessons from the Shattered Vault
- Were GDPR Article 33 and 34 obligations correctly identified and met within the required timelines? What would you do differently to ensure faster notification?
- Was the ICO notification submitted promptly using the phased approach under Art.33(4), or did the team delay seeking complete information? How did this affect the regulatory outcome?
- How effective was the data classification and cloud security governance framework? Should client personal data have been stored in an S3 bucket, and what controls should have prevented the misconfiguration?
- Were the misdirected email and the cloud misconfiguration treated as separate incidents or a combined breach? What is the correct approach and why?
- How were the rights of affected individuals protected, including their right to be informed (Art.34), right of access (Art.15), and right to lodge a complaint with a supervisory authority (Art.77)?
- Was the decision-making process around differential VIP client notification appropriate? How should the principle of non-discrimination apply to breach notifications?
- What systemic improvements — including cloud access controls, email DLP rules, change management processes, and data classification policies — should be implemented to prevent recurrence?