Data Breach Response and Investigation: 7 Steps for Efficient Remediation


A data breach is one of the biggest threats to an organization. It can harm an organization’s reputation and entail huge financial losses. According to the Cost of a Data Breach Report 2020 by IBM [PDF], the average cost of a data breach is estimated at $3.86 million. Thus, preventing data breaches and investigating them in a timely manner are among the most sensitive pain points when it comes to an organization’s cybersecurity.


In this article, we describe seven steps of how to investigate a data breach and explain what to pay special attention to during data breach investigation and remediation.


What is a data breach?


A data breach is an event that results in exposing confidential, sensitive, or other protected information to an unauthorized person. Breaches of confidential information can lead to financial losses, legal liability, and reputational damage through media coverage and publicity. That’s why if a data breach has occurred, it’s necessary to take action to mitigate its consequences and conduct a security incident investigation.


cost of a data breach


Investigation is an integral part of a data breach response. Its goal is to clarify the circumstances of the breach, assess the damage caused by it, and develop a further plan of action depending on the results of the investigation.


It’s important to begin investigations as soon as possible in order to respond to potential risks and limit access to leaked information before it’s too late. There are a number of cyber incident response guides that provide detailed recommendations on handling security incidents:



Below, we outline seven steps based on the recommendations in these guides.


7 steps for responding to and investigating a data breach


Although the reasons behind a data breach may vary, there’s a set of steps you need to take when responding to and investigating such a cybersecurity incident. Let’s take a closer look at this data breach investigation checklist.


7 steps for data breach response and investigation


Depending on the industry you operate in and the requirements you need to comply with, the order of steps may vary, and some steps may be omitted or added.


1. Detect the data breach


All tips for investigating a data breach begin with incident detection. This step is aimed at determining the fact that a data breach has occured. You can confirm this by inspecting the signs of a data breach.


In the Computer Security Incident Handling Guide, NIST distinguishes two types of data breach signs: precursors and indicators.


A precursor is a sign that an incident may occur in the future. It can be:


  • Web server logs indicating a search for vulnerabilities in an organization’s network
  • Discovery of a vulnerability that affects the organization’s network
  • An announcement by a hacker group that they intend to attack the organization


In general, precursors are rare and mostly help organizations to stay vigilant.


An indicator is a direct sign that an incident may have occurred or is occurring right now. Common examples of data breach indicators include:


  • Buffer overflow attempts against a database server
  • Multiple failed login attempts from an unfamiliar remote system
  • Bounced emails with suspicious content


MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) can also be of great help. This is a structured knowledge base of known attacker behavior, divided into tactics and techniques and expressed in tables (matrices). The MITRE ATT&CK model for threat mitigation provides a comprehensive view of attackers’ behavior and is extremely useful for data protection, monitoring, and employee training.


Read also: How Can MITRE ATT&CK Help You Mitigate Cyber Attacks?


2. Take urgent incident response actions


There are a number of urgent steps you should take when a data breach is detected. The first thing among data breach investigation tips is to record the date and time of detection as well as all information known about the incident at the moment.


Then, the person who discovered a breach must immediately report to those responsible within the organization. Access to breached information should also be restricted to stop the further spread of leaked data.


Overall, you may stick to this general checklist:


data breach response checklist


It’s also crucial to launch a thorough investigation as soon as possible so you can find the root causes of the data breach.


3. Gather evidence


Collecting and checking all evidence related to the data breach is another step in a list of data breach response best practices. Make sure to gather data from all your cybersecurity tools, servers, and network devices and to collect information from your employees during interviews.


First and foremost, act quickly and gather as much information about the data breach as you can. The better your understanding of the situation, the better your chances of minimizing the consequences.


The list of data you should collect includes:


  • The date and time the data breach was detected
  • The date and time a response to the data breach began
  • Who discovered the breach, who reported it, and who else knows about it
  • What was stolen and how
  • A description of all events related to the incident 
  • Information about all contacts involved in the breach
  • Identification of the systems affected by the incident
  • Information on the extent and type of damage caused by the incident


Read also: Portrait of Malicious Insiders: Types, Characteristics, and Indicators

4. Analyze the data breach


Once you’ve gathered as much information about the incident as you can, you need to analyze it. This step is aimed at determining the circumstances of the incident. In addition, you may have to answer a series of questions that will further assist in the investigation:


  • Was any suspicious traffic detected?
  • Did the attacker have privileged access to data?
  • How long has the data been compromised?
  • Were people or special software involved in the data breach?
  • Was the data breach intentional and were outside attackers involved?


Having carefully analyzed information on the data breach, you can draw some conclusions about the source of the breach to effectively stop it.


Read also: How to Calculate the Cost of a Data Breach


5. Take containment, eradication, and recovery measures


It’s also important to take actions to prevent the data breach from spreading. This can be accomplished with three сountermeasures:


data breach countermeasures


Let’s see how each of these measures can help you effectively mitigate the consequences of a data breach.


Containment measures


The goal of these measures is not only to isolate compromised computers and servers but to prevent the destruction of evidence that can help investigate the incident.


Conduct a comprehensive data breach containment operation and preserve all evidence, being careful you don’t destroy it. For example, if a data breach is caused by malware, it may not create files on disk but may place itself entirely in RAM because it’s harder to detect this way. Therefore, it’s unacceptable to power off the computer, as all the information contained in RAM will be lost.


Also, monitor the attacker’s activities and determine whether any data is leaking during the investigation.


Eradication measures


Next, it’s important to eliminate all causes that led to the data breach. For example, if the breach occurred as a result of an insider threat, security specialists should disable all accounts that leaked information. If the threat was external, such as malware, it may be necessary to clean up the affected system and patch exploited vulnerabilities.


Recovery measures


After a successful eradication step, it’s necessary for the organization to return to normal operations. This includes putting the affected systems back into a fully operational state, installing patches, changing passwords, etc.


Security specialists should carefully monitor the network, recovered computers, and servers to ensure that the threat has been fully removed.


6. Notify related parties


Regardless of whether you’re legally obliged to do so, you should notify all affected organizations and individuals as well as law enforcement. Timely notification is a very important data breach investigation procedure as it will enable individuals to take measures to protect lost data, such as changing passwords, or at least to be careful in case scammers take advantage of the data breach.


The list of those to be notified will vary depending on the type of compromised data and may include:


  • Employees 
  • Customers 
  • Investors 
  • Business partners
  • Regulators
  • And others


Pay particular attention to notice periods. They depend on the regulations and standards you need to comply with and the type of data affected (personal data, financial data, etc.). Failure to notify regulators in a timely manner could result in liability and extensive fines:



  • The General Data Protection Regulation (GDPR) requires data supervisors to notify the appropriate supervisory authorities no later than 72 hours after discovering a data breach. The GDPR sets a maximum fine of €20 million or 4 percent of annual worldwide turnover (whichever is greater) for a data breach.




Many other countries also have laws and regulations regarding the use and unauthorized disclosure of personal data. If your organization operates in more than one country, you should consider the local data breach legislation and include its requirements when creating an incident response plan.


Read also: What Is a HIPAA Violation? Fines and Penalties for Failed HIPAA Compliance


7. Conduct post-incident activities


Once you’ve taken basic actions to counter the data breach, it’s time to analyze the incident and its consequences and take steps to prevent similar issues in the future. Every data breach should be thoroughly audited afterwards. The specifics of each audit depend on the data breach itself and its causes.


In general, an audit may include:


  • Reviewing the organization’s cybersecurity systems
  • Analyzing causes of the data breach
  • Creating a plan to prevent similar incidents in the future
  • Reviewing policies and procedures to reflect lessons learned from the data breach
  • Improving cybersecurity awareness among employees


By thoroughly implementing these steps, you can get a better understanding of the data breach that occured, discover its true causes, and determine the best pathway for mitigating its consequences.


Respond to data breaches with Ekran System


It’s extremely difficult to investigate a data breach and restore the full picture of what happened without detailed context. As a robust Windows, Linux, and Citrix session recording solution, Ekran System can effectively help you in investigating a data breach.


By deploying Ekran System, you’ll get a full-cycle insider risk management platform that allows you to:


  • Perform comprehensive user activity monitoring by collecting information about login and logoff times, requests to access sensitive assets, visited websites, keystrokes, etc.




  • Use Ekran System’s robust built-in reporting tools to speed up and simplify the auditing process


Also, Ekran System can help you comply with requirements of various acts, standards, and regulations such as NIST, HIPAA, PCI DSS, GDPR, and FISMA.


Learn more about Ekran System’s tools for security investigation




Data breaches carry significant risks and can incur significant losses, so the sooner you deal with them, the better. Proper investigation will help you identify the extent of an incident and take measures to mitigate it in order to minimize the risks.


It’s best to have a set of measures prepared to respond to data breaches, such as an incident response plan and a pre-assembled response team. Coordinated actions and a consistent approach can significantly speed up the process of recovering after a breach.


Ekran System offers a rich set of features for data breach investigation and mitigation. Request a trial version of the platform to enhance your data breach protection.