How to Respond to a Data Breach

What Is a Data Breach?

A data breach is a cyber incident in which information is accessed and extracted from an organization’s system without authorization. Stolen data could be confidential, proprietary, protected, or sensitive—such as credit card numbers, Social Security numbers, healthcare data, other personal information, trade secrets, and customer lists.

The effects of a data breach can be disastrous for an organization. Damage can be significant in terms of costs and fines as well as reputationally. The cost of a data breach can be substantial, estimated at between $3 and 4 million per breach on average for a major corporation, with some experts claiming the costs can be as high as $8 million. 

Quickly and effectively responding to a breach is critical for limiting harm.

What to Do If You’ve Been Breached

A breach may go undetected for some time—ransomware, for example, can lay dormant for months, waiting on a timer to be included in backup data so that a simple restore won’t be enough to defeat the attack. If you’ve discovered your organization’s network has been breached, you will need to take immediate action to secure your systems, fix the vulnerabilities, and take remedial steps to mitigate the situation.

Steps to Take after a Data Breach

1. Secure

Your first task in the event of a breach is to seal the security hole. This will prevent further breaches via the same route. Then investigate the causes.

  • Secure any physical areas associated with the breach. For instance, if there was a physical break-in, change the door access codes as soon as possible. 
  • Take all affected systems offline immediately, but don’t turn them off until forensic experts can investigate them.
  • Build an Incident Response team. Your team could include experts from a range of disciplines. You may need to hire an independent forensics investigator and involve legal, information security, and even human resources. Professional Incident Response specialists can provide essential expertise.
  • Capture a forensic image of the breach and collect evidence.
  • Consult with your legal team. A cyber breach will often have contractual and data protection law consequences, so knowing your position here is essential.
  • Replace offline machines with clean ones, if possible, but update all credentials in case these were the cause of the breach.
  • If your website has been altered, immediately remove any unwanted information and contact search engines to remove the altered pages from their caches.
  • Search other sites in case your information has been posted publicly elsewhere.
  • Interview those who discovered the breach to help track down the cause.

Throughout this process, make sure you haven’t destroyed any evidence—you will need this to pinpoint the cause of the breach, fix the problem, and ascertain the damage to remediate.

2. Fix

Once you have tracked down the origin and pathway of the breach through your systems, the next step is to remove all the vulnerabilities that led to it.

  • Were your service providers involved in the breach? If so, analyze what personal information they have access to and change their privileges if necessary.
  • Work with your service providers to ensure their security is at the level you need.
  • If your existing network segmentation did not provide the overall protection you had hoped for, consider changing how your network is segmented for greater resilience.
  • Your forensic analysis should have revealed if your intended protective measures were functional. Was encryption enabled, and were backups being performed as scheduled?
  • Once you have determined who had access to data involved in the breach, check their permissions and whether these are necessary. If not, impose measures to limit access more strictly.
  • Get ready to communicate the facts about the breach to all stakeholders, from employees to customers and investors. 

As you are fixing the problem, consider the questions that will be asked about the breach and publish answers to key questions on your website to keep the situation as transparent as possible.

3. Remediate

Fixing the cause of the breach is the most critical step for avoiding a recurrence, but there are likely to be repercussions that will require further remediation.

  • There may be legal requirements regarding the notification of cyber breaches involving personal information, which vary by country and even by US state.
  • Punitive costs may be involved with personal data loss in some jurisdictions.
  • Contact law enforcement, reporting the situation and any implications for potential identity theft. You may also need to contact local intelligence agencies, such as the FBI in the US.
  • If the breach involved health records, you might need to notify specific organizations, such as the Federal Trade Commission. You may also need to contact the media.
  • For data thefts involving financial information, contact the businesses that maintain the affected accounts, such as credit card companies.
  • Notify other affected parties, including individuals. Provide remedial services such as toll-free numbers for these parties to use for contact and free credit monitoring to track if their identity has been used nefariously.

Once you have followed these steps, you should be well on your way to preventing another breach of the same type and remediating the results of this one. For a more detailed list of specific rules regarding the notification of affected parties, see the FTC’s guide to a data breach response.

Data Breach vs. Security Breach

A security breach is when a company’s information is accessed without authorization. Typically, this incident will have resulted in unapproved access to corporate data, applications, networks, and devices. The breach occurs because the intruder has been able to bypass corporate security.

Although closely related, a data breach is subtly different from a security breach. A security breach implies unauthorized access, but a data breach means that the unauthorized access has resulted in information being extracted.

A data breach is more severe than a security breach because it typically involves the theft of confidential information, such as customer identities and financial details. This information can be sold to criminals via the dark Web. 

However, a security incident does not necessarily equate to a complete breach. A phishing attack, malware infection, or employee device theft is a security incident, but it won’t be a breach if it has been contained and doesn’t end up with the threat actors gaining access to the network and corporate data.

How Breaches Happen

There are numerous causes of a security breach. Increasingly, WFH and hybrid work are leading to more devices and employees with access to important corporate resources operating unprotected by traditional perimeter-based network security. Hybrid working has also led to more personal devices (via BYOD) being used on internal networks, as hybrid workers bring their personal equipment into the office. Both these trends widen the threat domain—and cybercriminals are taking advantage. 

However, these factors merely amplify the existing causes of a cyber breach.

Types of Data Breaches

Malicious Insider

An employee has harmful intent and uses their access to create a security breach.

Lost or Stolen Device

A device that has access or contains sensitive information is lost or stolen.

Malicious Outsiders

Threat actors employ cyberattack vectors to gain security information from systems or individuals.

Weak Endpoint Security

Malicious outsiders find vulnerable endpoints, such as unpatched devices, old software, or poor implementation of authentication protocols.

The methods used in cyberattacks include phishing, in which the attacker uses social engineering to fool users into handing over their security credentials. Threat actors use brute force attacks to guess passwords. They install malware to compromise user devices. Once they gain access to corporate systems, they can leverage that access into greater access, leading to a full data breach—usually for financial gain. 


What is a data breach?

A data breach is a cyber incident in which information is accessed and extracted from an organization’s system without authorization.

What is a security breach?

A security breach is where corporate security has been compromised, including data, applications, networks, and devices, enabling access to company-held information without authorization.

What happens when a security breach occurs?

Threat actors gain unauthorized access to corporate systems when a security breach occurs. This can lead to the theft of sensitive corporate data, either to make it public to damage the company or for financial gain via sale on the dark Web.

Who is legally responsible for a breach?

In the case of a data breach, the data owner is legally responsible and faces liabilities for any losses incurred due to the breach, even if security failures were caused by a third party (such as a cloud provider). In the US, liability is imposed if the data owner has failed to implement sufficient safeguards, remediate damage after a breach occurs, or notify affected individuals and organizations within the time limit set for the local region. Negligence is proven in litigation.

When must a breach be reported?

The reporting time for a cyber breach varies by US state, from “without reasonable delay” to within 30 or 45 days of the breach discovery. In Europe, the limit is 72 hours according to GDPR law.

What is the best first step you should take if you suspect a data breach has occurred?

If you suspect a data breach has occurred, the first step is to isolate the affected systems from the network. Don’t turn them off or disable these systems, as you will want to allow your forensic team to analyze the breach. But disconnecting them will prevent further extraction of data. This should be closely followed by notifying affected parties within the limits defined by local jurisdictions once the extent of the breach has been ascertained via your forensic expert team.

Whether you're under cyberattack, need to contain a breach, or want to develop an incident response plan, BlackBerry Cybersecurity Services can help. Report an incident or call us now at +1-888-808-3119.