The Regex Blind Spot

The incident

It's 09:30 and an intern just dropped a screenshot in the data channel that stopped the room: a handful of rows from silver.support_tickets with full 16-digit credit-card numbers and US SSNs sitting in plain text in the notes column. The problem isn't that raw tickets contain PII - bronze is allowed to, customers paste anything into a support form. The problem is that our nightly Microsoft Presidio scan is supposed to detect and mask exactly this before it reaches silver, and for weeks it has certified this table as clean. The PII-coverage dashboard is solid green, the scan job exits 0 every night, and its report says zero findings. So the data is in silver in the clear, every automated control says there's nothing to see, and we genuinely don't know how much has leaked downstream. Compliance wants the blast radius and a fix today, before the silver table feeds the next analytics refresh at 18:00.

Symptoms on the table

• silver.support_tickets.notes contains full card numbers and SSNs in plain text
• the nightly Presidio scan reports 0 PII findings and exits 0
• the PII-coverage dashboard has been all-green for weeks
• masking is inconsistent - some batches are masked, others are completely untouched
• no alert fired - every automated control treats 'zero findings' as success

Systems on the board

The real components in play for this incident — the surface you investigate when the clock starts.

What you'll practice

This is a timed, hands-on incident in the Incident Response. You diagnose the symptom, trace it to a root cause across real components, and ship a fix before the clock runs out — the same loop you run on call, without the production blast radius.

Related topics