HomeGuidesWhat to do after a security Breach

    What to do after a security Breach

    Published on

    Vulnerability and Risk assessments can help you identify remediations to avoid security breaches and minimize the damage of incidents. At some point, however, an incident is due to happen, and you must have a plan of action ready for such an event. “Hope for the best and prepare for the worst” should be every security expert’s mantra when it comes to incident response and disaster recovery. Before enacting these two states across your group, there are, however, a few actions to keep in mind that can facilitate business continuity and disaster recovery while putting a first patch to potential damage.

    You’ve been hacked!

    According to ENISA, “Data breach is an intentional attack brought by a cybercriminal to gain unauthorized access and the release of sensitive, confidential or protected data”. According to the same source, in 2022, “about 82% of breaches

    involve a human element and no less than 60% of the breaches […] include a

    social engineering component”. These statistics show the importance of human behavior inside the mechanics that lead a vulnerability to become a breach. Being prepared to respond in such cases can prevent further damage from being taken, as panic exploitation is one of the many successful strategies that social engineering uses.

    In the following sections, we’ll provide you with a to-do list that can help hold back panic.

    Breach assessment

    Start by quickly summarizing infrastructure and people affected by the breach. The purpose of this action is not just to have a quick view of where the incident produced an impact but also to have a list of responsible people that should be immediately available.

    Identify whether the data breach involves data falling in one or more of these categories:

    • Personal names or legal entity names
    • Contact details (mail, phone numbers, link to webpage etc.) 
    • Financial information (credit cards, bank accounts, invoices, transaction amount, payment statements etc.)
    • Health records (medical data, drug prescriptions, health conditions, etc.)

    This information can be related to both clients and employees, so be sure to check for both of them.

    Once you have built a list of possible data affected and you are able to summarize the affected infrastructure, you should proceed to contact the responsible people identified by explaining to them what data was affected on which assets so that they have immediately a scope on the actions they have to take to contain the incident

    Which companies leaked your passwords scan and fix
    Which companies leaked your passwords scan and fix

    Contain Expansion

    If you performed the first step correctly, you should know on which infrastructure you should start to assess how the data leaked can lead to the expansion of data breaches.

    For example, if the username and password for the google ads dashboards were leaked, the data breach will soon expand to all the data inside your google ads account such as statistics and billing information. The people responsible for each affected infrastructure must quickly asses the potential expansion of the known breaches.

    While performing this step you have to keep in mind present security misconfiguration, such as the use of the same password for multiple accounts/tools. In case the Marketing team and IT team use the same password to access their mail accounts, a data breach for one team credential will son expand over the other. 

    In such a case, you must immediately address those misconfigurations so the breach does not expand. 

    Finally, keep in mind that the information leaked can indirectly help attackers expand the breach. For example, if the password for the Marketing team is “PassMarketing2020” and the password for the IT team is “PassIT2022”, anyone would be able to easily guess with three attempts or less that the password for the Logistics team is “PassLogistics2021”. In the same way, if all your users’ mail is in the format “” a breach of their contacts should be considered a breach of their names as well. In short, assessing how the information involved in the breach can lead to attackers easily obtaining further information indirectly.

    Look for evidence

    Once you are sure you managed to scope the incident and block possible dripping of breach, gathering proof is the next important step.

    The information you have to gather immediately are: 

    • Logs and event records: Reviewing log documents, machine occasion logs, and community device logs can offer valuable facts on the time and nature of the breach.
    • System Images: an image of the compromised device can serve as evidence for later analysis. To fulfill this purpose, the image of a system must be taken as quickly as possible after the breach has been assessed, as the longer the machine is in use, the more the evidence may be lost or altered.
    • Forensic Analysis: this includes network traffic that can be captured through software like Wireshark and data recovered through forensic analysis of the system with tools like Autopsy. Forensic analysis also includes user interviews. If any of your users had a direct experience with the issue and can give important insight into how the events developed, you should record their contribution.

    It’s important to remember that gathering evidence in a cyber protection breach is a time-sensible activity, meaning the longer you wait, the more likely the proof will be lost or altered. Additionally, it’s essential to follow proper proof managing techniques related to the specific type of evidence to make sure the effort made is not wasted, as tampered with or not adequately preserved evidence is not admissible in court cases.

    Contact authorities and stakeholders

    Depending on the nature and severity of the breach, local law enforcement may be the appropriate authority to contact. They can assist with the investigation and provide support and resources for dealing with the breach’s aftermath. 

    For what concerns stakeholders, remember that the purpose is not to spread panic but to help contain the breach. You should have already contacted the people who had to be involved with priority. In this phase, extend communication to internal and external stakeholders with a clear indication of which data category was breached. Consider that internal and external stakeholder might need to take actions of their own to contain the data breach so give them as detailed as possible indications on how to do so.


    If you follow the steps above, you are ready to start thinking about implementing a Business Continuity plan. The incident response must be prompt and precise, as mistakes can further the damage caused by the breach and hinder your ability to prosecute malicious actors. Have your tools prepared to contain breaches, have a list of internal and external contacts for such cases, and invest in training and preparation.

    Was your identity stolen

    Latest articles


    More articles

    MFA at risk – How new attacks are targeting the second layer of authentication 

    Multi-factor Authentication (MFA) has remained one of the most consistent security best practices for...

    The ChatGPT Breach and What It Means for Companies 

    ChatGPT, the popular AI-driven chat tool, is now the most popular app of all...

    Prompt Injections – A New Threat to Large Language Models

    Large Language Models (LLMs) have increased in popularity since late 2022 when ChatGPT appeared...