# Tabletop Scenario Brief — SC-A1: Cross-Tenant LLM Data Leak

**Exercise:** Q2 2026 Incident Response Tabletop
**Organisation:** Lumen.health (fictional mental-health SaaS, ~50 staff)
**Date:** 14 May 2026, 14:00–15:30 CET
**Classification:** Internal — exercise material. *All entities, systems, and findings below are fictional.*

> Read this brief before the exercise. Do not pre-solve it with your team — the point is to surface what happens when you respond live.

---

## Roles

| Role | Person | Responsibility during the exercise |
|---|---|---|
| Facilitator | Priya Ramaswamy (Compliance Lead) | Runs the clock, releases injects, keeps the debrief on time. |
| Incident Commander | Aisha Khan (CISO) | Leads the response, owns the containment/escalation call, signs off. |
| Deputy IC | Marco Esposito (CTO) | Stands in if the IC is unavailable. |
| Technical Lead | Lukas Berg (Staff Eng) | Owns technical containment + recovery decisions. |
| Scribe | Tom De Vries (SRE) | Captures the timeline and every decision verbatim. |
| Communications Lead | Sofia Marino (Head of CS) | Drafts internal + customer comms. |
| Legal / DPO Liaison | Anne Verwoerd (DPO) | Calls the GDPR 72h clock and legal-hold decision. |

## Ground rules

- **No-blame.** We are testing the system, not the people.
- **Decisions are simulated.** Do not actually touch production. *Say* what you would do; the Scribe records it.
- **The clock is real.** Notification deadlines run from the simulated detection time.

---

## Scenario

A Lumen.health customer (Org A) opens a P1 support ticket at **09:12**: their clinical-intake assistant returned, mid-conversation, a paragraph of session notes that **do not belong to any of their patients**. The text references a patient name and a care plan from what looks like **another customer's** data.

Lumen.health runs a shared LLM gateway with per-tenant retrieval. The working hypothesis is a retrieval-scoping defect: a request from Org A's workspace matched and surfaced a document indexed under Org B's tenant.

This is potentially a **personal-data breach affecting two customers**, one of whom is unaware.

## Inject timeline

| T+ | Inject (Facilitator reads aloud) | Forces a decision about… |
|---|---|---|
| 00:00 | Org A's P1 ticket lands with a screenshot of the leaked paragraph. | Triage: is this a real cross-tenant leak or a hallucination? |
| 00:10 | Eng confirms the leaked text matches a real document indexed under **Org B**. | Severity classification + declaring an incident. |
| 00:20 | The retrieval-scoping bug is reproducible on demand in staging. | Containment: disable the feature? the gateway? for whom? |
| 00:35 | Org A asks, on the ticket, "Is our data safe? Has this happened to us in reverse?" | Customer comms + what you can honestly say yet. |
| 00:50 | DPO confirms both documents contain Article 9 health data. | GDPR Art. 33 notification clock + legal hold. |
| 01:05 | A second customer (Org C) tweets a vaguely similar complaint. | Scope: is this one bug or systemic? Public comms? |
| 01:15 | Fix deployed to staging; needs a prod rollout decision. | Recovery + how you verify the leak is closed. |

## Decision points to reach

1. **When** did you declare an incident, and at what severity?
2. **What** did you contain, for **whom**, and what did that cost the unaffected customers?
3. **Who** decided the breach was notifiable, and when did the 72h clock start?
4. **What** did you tell Org A, Org B, and Org C — and when?
5. **How** did you verify the leak was actually closed before standing down?

## Success criteria (scored in the debrief)

- [ ] Incident declared within 15 minutes of confirmation, with a named IC.
- [ ] Containment decision made and recorded within 30 minutes, with its blast-radius cost acknowledged.
- [ ] DPO made the notifiability call; the GDPR 72h clock start time is in the record.
- [ ] A customer-comms draft for the affected tenants existed before the exercise ended.
- [ ] A concrete "how we verified the leak is closed" step was named (not "we deployed the fix").
- [ ] At least three remediation action items captured, each with an owner and a due date.
