Download MacKeeper Research Policy

Do you want to be our security writer? Send your guest post to

What to do when a Data Breach happened

What to do when a Data Breach happened - A Step-By-Step Guide

Back to blog

You might think your company isn’t a target for a security attack. However, Kromtech Security Research Center’s recent findings show that all businesses are now at risk.

The major issue is that data leaks can happen to any business. Recently, Ride Hauling Service exposed the information of nearly 1 million customers and thousands of drivers. The NFL Association exposed players’ and agents’ personal data, and a Tax Refund company leaked nearly half a million customer records, including credit card details and passport scans.

Providing data security is a tough job, that’s why we constantly research data breach possibilities and provide companies with detailed instructions on how to prevent them. Tools like S3 Inspector may help you prevent leaks from Amazon S3 buckets.

Types of information in data leaks:

The main issue we try to solve here is: Companies fail to react and communicate properly to security breaches and are reluctant to take responsibility for them. When a company is hacked,  poor communication is the cause of many problems to the company’s reputation and media presence.

Proper breach management is one of the main aspects of a company’s security maturity. It is based on a proactive, risk-based approach and aims at handling possible data breach consequences quickly and efficiently.

Let's check the tried-and-tested steps to maintain your company’s security.

Below you can find our recommendations based on security best practices and compliance requirements. Following them will ensure that your company’s’ reputation, money, and customers are safe.  

1. Initial contact

If you find out about a security breach from an external source, immediately report this information to the security committee.


Tip: Don't try to hide the breach or delay a public notice (e.g., Equifax, Uber). However tempting stonewalling may seem, your business will suffer when the knowledge of a concealed breach goes public. Instead, when company management takes immediate responsibility, it minimizes media manipulations, squelches rumors, and mitigates a bad reputation.

Here’s a short list of companies that have made this mistake:

2. Internal review.

Organize a security committee meeting to discuss the issue. The committee should include the company’s CTO, CISO, IT-lead, and Legal representative. Treat each notice seriously and validate it before taking any further steps.


Tip: The security team needs to evaluate the possible risks and estimate any losses if the reported information is correct. This allows the committee to share responsibility and make proper decisions during the early stages.


3. Contact the source of your information

Next, the security committee contacts the person(s) who reported the security breach for more details about the incident. Contact law enforcement if this is a ransom or blackmail incident.


Tip: Try to get as much detailed information as possible:

  • Ask for the source’s IP Address to make sure the source was the only one to access the breach details

  • Ask the source to sign an NDA

  • Ask the source to destroy all collected data and provide written evidence of that

  • Ask the source to provide all communication logs of the affected server (if any)


4. Validate and investigate 

Once the leak is confirmed, assign a point person with the proper authority to handle this incident, starting with log analysis.


Tip:   The goal of log analysis is to understand:

  • When and how the leak happened

  • Which system leaked the information

  • When it was first accessed

  • What data was dumped by third parties

  • The timeline of data exposure

  • Who accessed the exposed data


5. Stop further leaks 

Once the leak is validated and investigated, the next step is to prevent further data leaks.


Tip: Check best practices for configuring your infrastructure including the following:

  • Enabling authentication

  • Whitelisting access to your stations

  • Enabling and enriching access logs


6. Set up crisis communication 

Arrange a meeting with all necessary departments to compose a company message: Legal, Finance, PR, Executive, Marketing, and the Board of Directors.


Tip: One person should not be responsible for writing this type of message; the team must involve representatives of all key departments.

7. Make a public announcement 

Next, release the announcement containing the incident details. Both affected and unaffected clients should also receive a personal, written notice to stop misinformation spreading.


Tip: This is the most important part of handling the crisis, as everyone will judge your company by the tone of the message. Be professional and include all relevant details; otherwise,  your company may suffer damage to its reputation along with the security breach.

Also, inform your customers what has been done to resolve this incident. Move beyond a single notice. Keep customers updated about further steps. Check out the good and bad examples of public notice communications compiled by Troy Hunt in this article. Here’s a good example:

8. Provide technical control 

Use best practices to keep your client’s security protected. 


Tip: Take any possible action to make the customer’s life easier. In case of customer password breaches , do not ask affected users to reset passwords, do it for them! Another good practice is to provide a credit freeze to those users whose payment details have been leaked.

9. Conduct a retrospective analysis 

Use the breach to strengthen the company’s data security. 


Tip: It’s important that any employee(s) deemed responsible for the breach are not terminated as a result of the incident. Instead, provide an opportunity for them to help correct the problem and be involved in the solution.

10. Make improvements 
Change your workflow, reassess risks, and implement IT service management. 


Tip: Changing workflow and risks assessment is never easy. This framework can help improve cybersecurity processes in your company: cybersecurity framework.


Stick to this rule of thumb: a proactive approach is always better than a reactive one. Even a company with incomplete incident response strategies will do better than one without any strategy.  

Data breaches are a serious issue no company wants to experience. In summary, remember to let all the affected parties know about the data breach within a reasonable amount of time, and always provide full transparency while doing your best to protect your clients from any further risks.  


Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact:


You may also like