Heroes of Westmoreland

Launch Crisis · Legal & Regulatory Analysis

CLASSIFIED | WIZARD GAMES INC
Active Crisis · Monday, April 20 · 72 Hours to Launch

Wizard Games, Inc. · Legal & Regulatory Crisis Analysis

Key figures: Hours to Launch 72 · Projected Viewers tens of millions · Prize Pool $5M · Threat Deadline 48h

Interactive Crisis Timeline

Pre-Launch · Beta Access Granted · SEV 1
Influencers and preorder users scan themselves. Henry Cavill and Zendaya participate. Data is routed through ModuForm S.A. without clear disclosure.

Thursday AM · ModuForm Reports Incident · SEV 3
ModuForm confirms a security incident involving unauthorized system access. It cannot confirm whether user data was accessed or exfiltrated. No detailed report provided.

Thursday AM · Forum Threat Surfaces · SEV 4
Anonymous post claims possession of thousands of full body scans, 4K captures, and voice data, and threatens release in 48 hours. Usernames match known beta users.

Thursday PM · TechCrunch Contact · SEV 5
TechCrunch obtains an internal Slack message revealing data routing through ModuForm and requests comment on the contradiction with the public "processed locally" claims.

Thursday PM · Talent Inquiries · SEV 4
Zendaya's representative contacts Wizard directly. Other influencers begin making similar inquiries about exposure of their scan data.

Sunday AM · GDPR 72hr Deadline Expires · SEV 5
The Article 33 clock started Thursday morning when ModuForm informed Wizard of the incident, because the clock runs from the moment the controller becomes "aware" of a breach. The 72 hour window therefore closes Sunday morning, before the scheduled launch event. Two deadlines collide on the same day.

Sunday · Global Launch Event · SEV 5
$5M prize pool. Netflix livestream. Tens of millions of projected viewers. Major sponsorships and media coverage locked in. The GDPR notification deadline expires hours before the event begins.
Compromised Data Categories

Full Body Scans
Classification: Biometric · Special Category (Art. 9)
Risk score: 95%
Users performed full body scans in minimal clothing. The scans can uniquely identify individuals and recreate their likeness with high accuracy.

4K Video Captures
Classification: Biometric / Sensitive · Special Category (Art. 9)
Risk score: 90%
High resolution video captured during the scanning process. May contain intimate imagery given the minimal clothing requirement.

Voice Recordings
Classification: Biometric Identifier · Special Category (Art. 9)
Risk score: 85%
Voice models generated from user speech samples. They can synthesize new dialogue in the user's voice, creating deepfake potential.

Derived Physical Attributes
Classification: Sensitive Inferred Data · Potentially Art. 9 / Art. 22
Risk score: 80%
ModuForm extracted additional physical attributes from scan data for future features. The nature and scope of these inferences remain unclear.

Device Camera Access
Classification: Personal Data · Art. 6 Processing
Risk score: 60%
Camera permissions were granted on the assumption of local processing. Transmission to third party servers was not clearly disclosed.

Key Finding

Nearly all data categories qualify as biometric or sensitive data under GDPR Article 9. Processing them required explicit consent, which was never properly obtained. ModuForm's additional analysis of physical attributes, which users were never told about, compounds the violation.

Threshold Issue: Unlawful Processing from Day One

The current analysis frames this situation as a breach of an otherwise functional system. That framing understates the problem.

Users consented to local, on device processing only. The moment Wizard routed their biometric data to ModuForm's servers in France, the company was operating entirely outside the scope of that consent. Under GDPR Articles 6 and 9, there was no valid lawful basis for this processing from day one.

This is not a case where a compliant system suffered a security failure. Wizard never had legal authority to process the data in the manner it chose. That distinction matters in three ways:

1. Regulatory fines increase because the violation is systemic, not incident based.
2. The breach notification analysis becomes more urgent because the underlying data was collected unlawfully.
3. The talent and consumer exposure increases because consent was never validly obtained for the actual processing that occurred.

Has a breach likely occurred?
Yes, on balance
ModuForm has confirmed unauthorized access to systems that hold user data. Exfiltration is unconfirmed, but the forum post with usernames matching known beta users creates a strong presumption that it occurred.
Is it legally reportable?
Almost certainly
Article 33 requires notification unless the breach is unlikely to result in a risk to individuals. Given the nature of the data (biometric, potentially intimate imagery, cloneable voice models), even the possibility of access crosses that threshold.
Does the Slack message change things?
Significantly
The internal message suggests awareness that public statements were inaccurate. This transforms a data breach into a potential fraud/misrepresentation issue, escalating regulatory and litigation risk. Under GDPR, Article 83(2)(b) lists the intentional or negligent character of an infringement among the factors that set the fine, and this shifts the calculation toward the maximum tier: up to 4% of global annual turnover or EUR 20 million, whichever is greater. Regulators distinguish between negligent noncompliance and deliberate deception, and this message points toward the latter.
Immediate Obligation: Litigation Hold

Wizard's duty to preserve evidence attached once litigation became reasonably foreseeable, which is no later than the moment TechCrunch surfaced the internal Slack message and arguably as early as the forum threat and the first talent inquiry. Wizard's legal team must issue a litigation hold across all internal communications platforms, including Slack, email, and any messaging tools, and ModuForm must be instructed to do the same for all correspondence related to the Wizard relationship.

If Slack messages are deleted by automatic retention policies after that duty attached and before the hold is in place, Wizard faces spoliation claims, with sanctions and adverse inference instructions in any future litigation. Confirm in writing that retention-based deletion has actually been suspended on every platform in scope, rather than assuming the hold notice alone stops it.

Prior Public Statements: Exposure Analysis

"Fully secure, processed locally on your device, no images, videos, or voice recordings are stored or transmitted."

WIZARD GAMES MARKETING MATERIALS

Claim → Reality → Exposure
"Fully secure" → Third party vendor breached → HIGH
"Processed locally" → Routed through ModuForm servers → CRITICAL
"Not transmitted" → Data sent to France-based vendor → CRITICAL
"Not stored" → Retained for analysis by ModuForm → HIGH

GDPR

Breach Notification (Art. 33)
72 hours from awareness
The Article 33 clock began Thursday morning when ModuForm informed Wizard of the security incident: the clock starts when the controller becomes "aware" of a breach, and Article 33(2) obliges the processor to notify the controller without undue delay, which is what ModuForm's Thursday report did. The 72 hour deadline therefore falls Sunday morning, before the scheduled launch event. Notification to the supervisory authority is required because this breach cannot be characterized as unlikely to result in a risk to rights and freedoms. Article 33(4) allows the information to be provided in phases where it is not all available at once, so the absence of a detailed ModuForm report is not a reason to miss the window; a notification made after 72 hours must be accompanied by reasons for the delay.
Individual Notification (Art. 34)
Without undue delay
Required when the breach is likely to result in a high risk to individuals. Intimate imagery and cloneable voice models meet that threshold for every affected user; celebrity involvement amplifies the consequences but does not change the test.
Lawful Basis (Art. 6/9)
Should have been established
Biometric processing required explicit consent under Article 9(2)(a). The consent actually obtained covered local, on device processing only and does not extend to transfer to, or analysis by, ModuForm.
Data Processing Agreement (Art. 28)
Should be in place
The agreement with ModuForm lacks adequate data protection provisions, breach notification timelines, and controller/processor definitions.

CCPA / US State Laws

Consumer Notification
Varies by state
California (Civil Code § 1798.82) and Illinois (Personal Information Protection Act) include biometric data in their breach notification statutes, and other states have comparable requirements. BIPA itself governs collection and consent rather than breach notice; its separate exposure is addressed below.
Right to Know
Upon request
Consumers have the right to know what data was collected and shared. Current disclosures appear misleading.
Consumer Protection
Ongoing exposure
Public statements claiming local processing may constitute misrepresentation under FTC Act and state consumer protection laws.

BIPA (Illinois Biometric Information Privacy Act)

Private Right of Action
Immediate exposure
BIPA is one of the only U.S. biometric laws that allows individuals to sue directly without waiting for a regulator to act. Liquidated damages are $1,000 per negligent violation and $5,000 per intentional or reckless violation (or actual damages, if greater), per person, with no statutory cap on aggregate exposure.
Consent & Retention Failures
Violated at collection
BIPA requires informed, written consent before biometric data is collected, along with a publicly available retention and destruction schedule. Wizard obtained neither. Every Illinois resident in the beta program represents a violation that occurred at the moment of collection, regardless of the breach.
Intentional Violation Tier ($5,000/person)
If Slack message authenticated
If the Slack message is authenticated and establishes intentional or reckless misrepresentation, the $5,000 per violation tier applies. With potentially thousands of beta users, this may represent the single largest financial exposure in the entire scenario.

Contractual

Talent Agreements
Immediate
Celebrity participants likely have specific data protection and publicity rights provisions. Breach may trigger contractual liability.
California Right of Publicity (Civil Code § 3344)
Statutory violation
California Civil Code Section 3344 creates a statutory claim against anyone who knowingly uses a person's name, voice, photograph, or likeness for advertising, selling, or other commercial purposes without consent, with minimum statutory damages of $750 plus any profits attributable to the use and attorney's fees. The full body scans and synthesized voice models of Zendaya and Cavill were captured for a commercial product and now sit in potentially compromised systems. This is a separate cause of action from data breach liability and does not require proving that data was exfiltrated. Its reach should not be overstated, however: the statute turns on knowing commercial use, so the claim attaches to any use of the scans or voice models beyond the scope of the talent's consent, not to the bare fact that a vendor holds them. Right of publicity claims generate headlines quickly and are the first tool a celebrity attorney will reach for.
Sponsorship Agreements
Event dependent
Major sponsors may have reputation and compliance clauses. Crisis could trigger termination rights.
Netflix Streaming Agreement
72 hours
Event cancellation or modification could breach streaming partnership terms.

Disclosure Options

Options and overall risk rating:

Immediate Full Disclosure · Medium High
Delayed Disclosure (Post Launch) · Very High
Partial Disclosure + Feature Pause · Medium
Investigate First, Disclose When Confirmed · Medium High

Risk Profile: Immediate Full Disclosure

ADVANTAGES

Demonstrates good faith. Can be paired with supervisory authority notification inside the Article 33 window. Controls the narrative before TechCrunch publishes.

TRADEOFFS

May overstate risk if no data was actually exfiltrated. Jeopardizes the Sunday launch. Sponsorship fallout.

Recommended Course of Action

Partial Disclosure with Feature Pause offers the strongest balance of regulatory compliance, reputational protection, and commercial viability.

Phase 1 · Thursday Evening · Contain & Investigate

1. Engage external forensic investigators to assess the ModuForm breach scope immediately.
2. Preserve all internal communications and ModuForm correspondence under legal hold.
3. Disable the avatar scanning feature in the beta build pending investigation, which also stops any further transmission of scan data to ModuForm.
4. Engage outside counsel specializing in data privacy and crisis response.

Phase 2 · Friday Morning · Stakeholder Communication

1. Notify affected beta participants individually, prioritizing high profile talent.
2. Brief Zendaya's and Cavill's representatives with specifics and protective measures.
3. Prepare a holding statement for TechCrunch acknowledging the investigation.
4. Brief Netflix, sponsors, and streaming partners on the modified launch plan.

Phase 3 · Friday Afternoon · Regulatory & Public

1. File a preliminary GDPR breach notification with the lead supervisory authority, using the phased notification Article 33(4) permits and supplementing it as the forensic picture develops.
2. Prepare state level notifications under California, Illinois, and other applicable state breach and biometric laws.
3. Issue a public statement acknowledging the incident and corrective measures.
4. Announce that the Sunday event will proceed with the scanning feature disabled.

Phase 4 · Post Launch · Remediate & Rebuild

1. Complete the forensic investigation and issue a comprehensive breach report.
2. Terminate or renegotiate the ModuForm agreement with proper data processing terms.
3. Implement true on device processing before re-enabling the avatar feature.
4. Commission an independent security audit and publish the results transparently.

Bottom Line

The question is not whether to disclose but when and how. Delayed disclosure is the highest risk path given the 48 hour threat timeline, TechCrunch inquiry, and GDPR notification requirements. A controlled, proactive partial disclosure with the scanning feature paused preserves the launch event, demonstrates good faith to regulators, and allows Wizard to shape the narrative rather than react to it.

Contingency: If Data Is Released Before Disclosure

If the threatened data release occurs before Wizard's planned disclosure:

1. The phased timeline collapses. Wizard must issue an immediate public statement within hours, not days.
2. The "partial disclosure" option is no longer available. Full disclosure becomes the only defensible path.
3. Talent notifications must happen before the data becomes public. If Zendaya or Cavill learn about their compromised scans from a news article rather than from Wizard directly, the reputational and legal fallout escalates dramatically.
4. The Sunday launch event must be reassessed in real time based on the scope and nature of the released data.

This contingency should be treated as a live possibility, not a hypothetical, given the 48 hour threat window.

CYBERSECURITY HEROES · LAUNCH: THURSDAY, APRIL 23 · NETFLIX GLOBAL LIVESTREAM