What to do when you discover a data breach

Your cell phone goes off in the middle of your well-deserved sleep and you try to find it before your partner wakes up as well.

“What could be wrong? Why would they page me in the middle of the night?”

More asleep than awake, you stumble down the stairs and call the number on the screen, which you already recognize as the one in use by the chief of the night shift. When you ask why you were called, he tells you it’s because you are part of the data breach incident response team.

Couldn’t it wait until morning?

The chief doesn’t know; that’s above his pay grade. You are the one who gets to decide whether it’s urgent enough to wake up the entire response team, so you’d better hurry over there.

On scene, one of the IT staff shows you two files on a server that shouldn’t be there. They are called sql.zip and mimikatz. The hairs on the back of your neck stand up in reflex. Without further investigation, you have to assume that a database was zipped and transferred to an unauthorized machine and that someone got their hands on some passwords, or at least tried to retrieve them.

Your company has been breached.

You’ve been breached: now what?

The first point of attention is to figure out which type of information was stolen. So, you try to open the zip in an attempt to get a better idea about the content. Alas, the file is password protected, so you give up none the wiser.

The next item on your to-do list is to find out how the threat actors got in and how to keep them out. Since that is not your field of expertise, you ping the next person on your list.

You decide that it is of no use to assemble the rest of the team until you know more. Even though you have customers in every imaginable time zone, the rest of the research will have to wait until you can get ahold of the firm you contracted for forensic investigations.

While waiting for the night to pass, you prepare a press statement and, together with the system administrator, you prepare a preliminary report for the proper law enforcement authorities.
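An added example, not part of the original article: a small Python triage script for the situation just described. It records hashes and metadata of the suspicious files for the preliminary report without moving or altering them, and it lists the entries of a file like sql.zip even when the archive is password protected, because standard zip encryption protects only entry contents while the central directory (names, sizes) stays readable. Function names and the constructed sample archive are my own.

```python
import hashlib
import json
import os
import stat
import tempfile
import zipfile
from datetime import datetime, timezone


def _sha256(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def zip_listing(path):
    """Names, sizes and encryption flag of each entry, read from the central
    directory only (no extraction, no password needed for this part)."""
    if not zipfile.is_zipfile(path):
        return None
    with zipfile.ZipFile(path) as zf:
        return [{"name": i.filename, "size": i.file_size,
                 "encrypted": bool(i.flag_bits & 0x1)} for i in zf.infolist()]


def triage_file(path):
    """Read-only evidence record for the preliminary report. Note for the
    report: hashing reads the file, which may update atime on some filesystems."""
    st = os.stat(path)
    ts = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    return {"path": os.path.abspath(path), "size": st.st_size,
            "sha256": _sha256(path), "mode": stat.filemode(st.st_mode),
            "uid": st.st_uid, "modified": ts(st.st_mtime),
            "metadata_changed": ts(st.st_ctime), "zip_entries": zip_listing(path)}


def inventory(paths):
    return [triage_file(p) for p in paths]


def demo():
    """Constructed sample: an (unencrypted) sql.zip in a temp dir, for illustration."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "sql.zip")
    with zipfile.ZipFile(p, "w") as zf:
        zf.writestr("customers.sql", "INSERT INTO customers VALUES (1, 'x');")
        zf.writestr("orders.sql", "INSERT INTO orders VALUES (1, 2);")
    return triage_file(p)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real incident the entry names alone (for example, which tables were dumped) narrow down what data was staged before the forensic firm arrives.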

Be prepared

Data breaches do happen, as has been demonstrated over and over. We wish we could give you a fool-proof method to prevent them, but since such a thing doesn’t exist, the next best steps to take are:

  • To limit the possibilities of breaches happening again
  • To protect any sensitive data that could be stolen
  • To limit the usefulness of the stored data for a thief (e.g. by encrypting the data)
  • To be prepared for another eventual data breach

Our main character was fairly prepared, better than most organizations are in reality, I’m afraid. Having a detailed response plan enables security teams to reduce stress and makes sure that they don’t skip any steps. Without a script to follow, important steps could be forgotten or urgent tasks could be delayed while less compelling work is completed.

The steps outlined in our story are not necessarily right for every use case or organization, but they demonstrate that it helps if everyone knows who to contact, how to get in touch, and how to proceed in the face of an obstacle. A big part of setting up such a plan is to make sure that you follow obligations dictated by law and customer agreements.

Dealing with data breaches

How an organization manages a data breach is of the utmost importance. Going about it in the wrong way can break a company, while being open, transparent, and honest about it with the public can ultimately even improve customer trust.

It is imperative to figure out how the breach happened—not only to prevent it from happening again, but also to inform the public. Not knowing what happened means that it can happen again at any given time, since you will not have discovered which precautions were rendered useless, and which actually stopped the attack from doing further damage.

Our main character did some preliminary investigation but ultimately had to give up and wait for other professionals. It is advisable to hire an outside consultancy to help you with investigations if your internal team does not have the skills. They offer a professional viewpoint that is not too close to the target.

Inside eyes are sometimes too close to the problem to see it clearly, or may be reluctant to point out the true cause. Hiring an outside consultancy also improves the public’s view of your organization, as they see you have gone through the trouble and cost of trying to keep their data safe.

Informing the public

Before you inform the public, it makes sense to get the full picture about what, exactly, was stolen. You don’t want to cause a panic over a couple of emails discussing Friday night plans.

But don’t wait too long, or that could backfire. Sometimes it’s better to give out a quick statement and let the public know that you are investigating the matter further. If they somehow find out before you have issued a statement, that will make your organization look like it has something to hide.

What customers want to know:

  • Which data were stolen? And was I affected?
  • Can the stolen data easily lead back to a person? Is it personal information?
  • What do I need to do if I was affected? Is it a matter of simply changing a password or do I need to worry about identity theft?

What the press wants to know:

The press will have some extra questions, which usually boil down to:

  • How did it happen?
  • What are you going to do to prevent it from happening again?

Be open about all of the above, unless you haven’t been able to close the hole in your defenses. It may help other organizations and it will highlight your transparency. It might also help law enforcement with their investigation. Even when the damage is already done, you will still want the threat actors to be brought to justice, if possible.

General advice on data breaches

Of course, we hope you’ll never need these tips, but many have wished they had thought of them beforehand:

  • Be prepared. Make sure everyone knows who to inform and those involved know how to act. An emergency plan will never be a perfect fit, but it should at least outline the order and importance of actions.
  • Don’t run the risk of legal implications to add to your burden. Know what your obligations are and fulfill them.
  • Be open and transparent about what happened and what was stolen.
  • Hire outside specialists to assist in your investigations.
  • Learn from the incident to prevent a repeat.

Stay safe, everyone!

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.