A data breach is a security incident in which sensitive information is accessed, disclosed, or stolen without authorization. Whether you’re an individual whose personal data was exposed in a third-party breach, a small business owner dealing with a compromised system, or an IT professional managing incident response, the steps you take in the first hours determine how much damage is contained. This guide covers response procedures for both personal and organizational breaches.
For Individuals: Responding to a Personal Data Breach
Step 1: Verify the Breach
Before taking action, confirm the breach is real. Sources of legitimate breach notifications:
- Have I Been Pwned (haveibeenpwned.com) — checks if your email appears in known breach databases
- Official company notification via email or postal mail
- Major news coverage of a specific company breach
Be skeptical of breach notifications that arrive via email asking you to click a link — these are often phishing attempts. Instead of clicking, navigate directly to the company’s official website and check their security announcements.
Step 2: Understand What Was Exposed
Breach notifications should specify what data was compromised. Common categories:
- Email and password hash — moderate risk; change passwords
- Plaintext password — high risk; change password everywhere it was used
- Credit card numbers — contact your bank immediately
- SSN/SIN — high identity theft risk; consider a credit freeze
- Health information — potential HIPAA (US) notification obligations
Step 3: Change Compromised Credentials
If your password was exposed:
- Change the password on the affected service immediately
- If you reused that password anywhere else, change it on all those services (this is why password reuse is dangerous)
- Generate a unique strong password (use a password manager like Bitwarden or 1Password)
- Enable two-factor authentication (preferably FIDO2 hardware key or TOTP, not SMS)
Priority order for password changes: Email accounts first (they’re used for password resets everywhere else), then banking, then everything else.
Step 4: Enable Credit Monitoring or Freeze
If SSN, SIN, date of birth, or address was exposed:
Credit freeze (most protective): Prevents new credit accounts from being opened in your name. Free in the US, Canada, and UK. Contact each bureau separately:
- Equifax: equifax.com/personal/credit-report-services/free-credit-freeze/
- Experian: experian.com/freeze/center.html
- TransUnion: transunion.com/credit-freeze
Credit monitoring: Services like Credit Karma alert you to new accounts, hard inquiries, and score changes. Useful for ongoing awareness but doesn’t prevent new accounts.
Step 5: Watch for Follow-On Attacks
Breached data often appears in follow-on attacks weeks or months later:
- Credential stuffing: Automated login attempts using the compromised credentials against other services
- Spear phishing: Attackers who bought your data may use personal details to craft convincing phishing emails
- SIM swapping: If your phone number was exposed, attackers may attempt to port your number to get SMS 2FA codes
Be extra vigilant about unexpected login attempts, password reset requests, and unusual account activity.
For Organizations: Incident Response Procedure
Phase 1: Detection and Initial Assessment (0–1 hour)
Declare an incident: Notify the IR team (or whoever handles security incidents). Don’t investigate alone — escalate immediately.
Preserve evidence: Before doing anything else, capture:
- System logs (network, endpoint, application, authentication)
- Active network connections (netstat output)
- Running processes list (ps aux, tasklist)
- Memory image if possible (before powering off or rebooting)
Do NOT:
- Power off systems immediately (destroys volatile memory evidence)
- Run antivirus scans (may destroy evidence)
- Delete suspicious files
- Notify the public before you understand the scope
Phase 2: Containment (1–4 hours)
Short-term containment: Isolate affected systems from the network without shutting them down. This stops active exfiltration while preserving evidence.
```bash
# Isolate a Linux system at the network level (while keeping it running).
iptables-save > /root/ir-iptables-before.txt   # save the existing ruleset first: it is evidence
ip route del default   # remove default route (cuts internet access)
# Flush old rules, default-deny both ways, allow only loopback and the IR team's IP.
# Run from the console or from the IR IP: every other session, the attacker's too, is cut.
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 192.168.1.10 -j ACCEPT   # IR team's IP
iptables -A OUTPUT -d 192.168.1.10 -j ACCEPT  # IR team's IP
```
Credential containment: Disable or reset compromised accounts, revoke API keys, and rotate secrets that may have been accessed.
Identify patient zero: Determine the initial entry point. Check authentication logs for the earliest sign of unauthorized access — often days or weeks before the breach was detected.
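An added example (not from this guide) that ties the credential-stuffing pattern from Step 5 to the patient-zero search described above: it parses constructed, sshd-style authentication log lines (the line format is an assumption), flags source IPs that failed logins for many distinct usernames, and returns the earliest successful login from such a source as the likely initial entry.

```python
"""Credential-stuffing detection and patient-zero search over auth logs."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line format (constructed, sshd-like, ISO 8601 timestamps).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample: one source cycles through usernames, then gets in.
SAMPLE_LOG = """\
2024-03-01T02:14:05 sshd[811]: Failed password for alice from 203.0.113.7
2024-03-01T02:14:06 sshd[811]: Failed password for bob from 203.0.113.7
2024-03-01T02:14:07 sshd[813]: Failed password for invalid user carol from 203.0.113.7
2024-03-01T02:14:09 sshd[815]: Failed password for dave from 203.0.113.7
2024-03-01T02:14:10 sshd[817]: Failed password for erin from 203.0.113.7
2024-03-01T02:14:11 sshd[819]: Accepted password for frank from 203.0.113.7
2024-03-01T09:30:00 sshd[901]: Accepted password for alice from 198.51.100.20
2024-03-02T11:05:00 sshd[950]: Failed password for alice from 198.51.100.20
2024-03-02T11:05:30 sshd[951]: Accepted password for alice from 198.51.100.20
"""

def parse(log):
    """Return (timestamp, result, user, ip) tuples; other lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events

def stuffing_sources(events, min_users=5):
    """IPs that failed logins for at least min_users distinct usernames.
    Many usernames from one source is the stuffing/spraying signature; a
    legitimate user mistypes one or two account names, not five."""
    users_by_ip = defaultdict(set)
    for _, result, user, ip in events:
        if result == "Failed":
            users_by_ip[ip].add(user)
    return {ip for ip, users in users_by_ip.items() if len(users) >= min_users}

def patient_zero(events, suspects):
    """Earliest successful login from a suspect IP: the likely initial entry."""
    hits = [(ts, user, ip) for ts, result, user, ip in events
            if result == "Accepted" and ip in suspects]
    return min(hits) if hits else None
```

On a real host, feed `parse` the authentication logs from every system, not just the one where the breach was noticed, since the first foothold is often elsewhere.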
Phase 3: Eradication (4–48 hours)
Identify and remove all attacker footholds:
- Persistence mechanisms: Check scheduled tasks, cron jobs, service installations, registry Run keys, new user accounts, and authorized SSH keys
- Lateral movement: Trace where else the attacker moved within your network (authentication logs across systems)
- Malware removal: Identify all malicious files, scripts, and processes
- Rebuild compromised systems: For critical systems, rebuild from known-good backups or clean installs rather than trying to clean in-place
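An added example, not from this guide, of the baseline comparison behind the persistence checks listed above: constructed /etc/passwd, user-crontab and authorized_keys contents from a clean image (an assumption) are diffed against the same files collected from the compromised host, so that a second UID 0 account, a cron job under /tmp and an SSH key that was never in the baseline surface as findings.

```python
"""Persistence hunting by diffing a known-good baseline against the live host."""

# Constructed baseline from a clean image (assumed), and the same three
# artefacts as collected from the compromised host.
BASELINE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"
SNAPSHOT_PASSWD = BASELINE_PASSWD + "sysadm:x:0:0::/root:/bin/bash\n"
BASELINE_CRON = "0 2 * * * /usr/local/bin/backup.sh\n"
SNAPSHOT_CRON = BASELINE_CRON + "*/5 * * * * /tmp/.x/update.sh\n"
BASELINE_KEYS = "ssh-ed25519 AAAAC3Nz...baseline alice@laptop\n"
SNAPSHOT_KEYS = BASELINE_KEYS + "ssh-rsa AAAAB3Nz...unknown\n"

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def _lines(text):
    """Non-empty, non-comment lines as a set, so reordering does not show as a diff."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")}

def find_persistence(base_passwd, snap_passwd, base_cron, snap_cron, base_keys, snap_keys):
    """Return (severity, category, detail) for every entry absent from the baseline."""
    findings = []
    # Accounts not in the baseline; a second UID 0 account is the classic backdoor.
    for entry in sorted(_lines(snap_passwd) - _lines(base_passwd)):
        name, _, uid = entry.split(":")[:3]
        findings.append(("high" if uid == "0" else "medium", "new account", name))
    # Cron jobs not in the baseline; commands living in world-writable dirs rank higher.
    for job in sorted(_lines(snap_cron) - _lines(base_cron)):
        cmd = job.split(None, 5)[5]          # user-crontab format: 5 time fields, then command
        sev = "high" if cmd.startswith(WRITABLE_DIRS) else "medium"
        findings.append((sev, "new cron job", cmd))
    # Authorized keys not in the baseline; match on type + key blob and ignore the
    # comment field, which can be set to anything (e.g. a legitimate user's name).
    known = {" ".join(k.split()[:2]) for k in _lines(base_keys)}
    for key in sorted(_lines(snap_keys)):
        ident = " ".join(key.split()[:2])
        if ident not in known:
            findings.append(("high", "new authorized key", ident))
    return findings
```

The same diff-against-baseline approach extends to systemd units, scheduled tasks and registry Run keys on Windows; what matters is that the baseline comes from a clean image, not from the compromised host's own earlier state.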
Phase 4: Recovery (48 hours – weeks)
Restore systems from backups: Verify backups are clean (taken before the breach) before restoring. Restoring from a backup that was taken after compromise re-infects the system.
Strengthen controls: Implement changes that would have prevented the breach:
- Patch the exploited vulnerability
- Enforce MFA on the compromised accounts
- Segment networks to limit lateral movement
Monitor intensely: For 30–90 days post-incident, increase logging and monitoring for signs of persistent access you may have missed.
Phase 5: Notification and Legal Obligations
Most jurisdictions require breach notification within specific timeframes:
| Regulation | Jurisdiction | Notification Timeline |
|---|---|---|
| GDPR | EU/EEA | 72 hours (to regulator) |
| CCPA | California | "Expedient manner" |
| HIPAA | US Healthcare | 60 days (60-day safe harbor) |
| PIPEDA | Canada | "As soon as feasible" |
| Australia Privacy Act | Australia | 30 days |
Notification content should include: what happened, what data was affected, what you’re doing about it, and what affected individuals should do.
Consult a breach response attorney before sending notifications — improper notifications can increase legal liability.
Phase 6: Post-Incident Review (1–2 weeks after resolution)
Conduct a blameless post-mortem:
- Root cause analysis: What vulnerability or failure allowed the breach?
- Timeline reconstruction: When did the attacker enter? How long were they present? What did they access?
- Lessons learned: What controls should be added? What gaps in detection existed?
- Metrics: Time to detect, time to contain, data volume exfiltrated, recovery cost
Document everything and track remediation items to completion.
Useful Incident Response Tools
- Velociraptor — open-source DFIR platform for forensic collection at scale
- TheHive — open-source security incident response platform
- MISP — threat intelligence platform for sharing indicators of compromise
- Autopsy — open-source digital forensics platform
- GRR Rapid Response — live forensics platform developed by Google
Preparation is the most important part of incident response — having playbooks, contact lists, and tools ready before an incident dramatically reduces response time and damage. A data breach at 2 AM is not the time to figure out who to call.