SecurityTrails Blog · Nov 27 · by Sara Jelen

Top 5 Ways to Handle a Data Breach

Reading time: 10 minutes

With data breaches occurring regularly, people have become desensitized to them. This isn't good, since the protection of data has never been more important. Not only are businesses required to announce that a data breach has occurred, they are also obligated to pay fines under regulations such as GDPR.

The seriousness of data breaches has cost some companies their entire business, and the predictions don't look good: according to reports from Teramind, 231,354 data records are lost or stolen in a 60-minute period.

What is a data breach?

A data breach is a security incident in which private and sensitive information is released without authorization. The most frequent scenario is a cybercriminal infiltrating a database and compromising sensitive data, whether by merely viewing it or by copying, transmitting or using it in any way. Data breaches can expose personal information, financial information such as individuals' credit card numbers, corporate secrets, source code, customer lists and even intellectual property, as in the major Sony breach.

After a data breach, further losses may result from an attacker impersonating someone from the targeted network and thereby gaining access to otherwise secure networks. If regulatory requirements are violated, the organization suffering the data breach can also face legal fines.

Why do data breaches happen?

Data breaches can happen for a number of reasons: targeted attacks can lead to identity compromise or money theft, and a breach can even happen accidentally. Unfortunately, most data breaches are carried out by cybercriminals. In a classic example, an attacker gains access to a corporate or organization's private network, where he can steal data from employees, or go further and steal sensitive data from the organization's database — containing information about customers, manufacturers, product development secrets, etc. A big issue with these kinds of breaches is that the attack and infiltration into the network can go undetected for long periods of time. Sometimes, they never get detected.

Common reasons for a data breach are:

  • Weak passwords — This one's a no-brainer. Insecure passwords are the easiest way a hacker can gain unauthorized access to a protected network. In a report published by Verizon, brute force attacks are listed as one of the top 5 causes of data breaches.
  • Human error and process failure — Besides weak passwords, which can themselves be considered a human error (with some individuals even insisting on them), this deserves a dedicated category. Human errors can include the loss or theft of paperwork or unencrypted hardware devices, sharing account details, or sending data via email or fax to an incorrect recipient. Human error is cited as the top cause of data breaches.
  • Unfixed, old system vulnerabilities — Out-of-date software and unfixed system vulnerabilities can allow attackers to infect networks with malware. Even though infosec professionals have been documenting these vulnerabilities for years now, sorting them into CVEs, we regularly see them exploited long after they are published.
  • Malware — Hackers can use phishing tactics to trick users into downloading malware via email. It can also happen when a user connects to a public wireless network that an attacker uses to capture credentials. Many hackers modify their malware when targeting different organizations, making it undetectable by antivirus programs.
  • Attacks that target (smaller) business partners — Attackers can go after smaller companies that are business partners of a larger company in order to obtain the larger company's sensitive data. Smaller companies can have fewer layers of security and are easier to infiltrate. This also happens when partners don't maintain the same level of security and don't enforce policies with third-party suppliers.

How to recover after a data breach

Data breaches are a constant threat for all organizations, and no matter how many policies, strategies or defenses there are, sooner or later a skilled attacker will be able to compromise them. The effects of a data breach for a business can be detrimental; reports cite that 60 percent of small firms go out of business within 6 months after a data breach.

It's important to stay protected and do everything possible to prevent data breaches, but even if those efforts fail, there's no need to panic. Recovering from a data breach and returning to business is entirely possible, so having a recovery plan is of crucial importance. Every organization has its own recovery plan, but here are some steps that should always be included:

1. Stop the breach

Once an organization notices a breach, it's important to contain the breach as quickly as possible. Time is of the essence.

The way an organization contains the breach depends on the nature of the attack and the system(s) affected. Start by isolating any system(s) accessed by the attacker, so you can prevent the breach from spreading to the entire network. Disabling breached user accounts, if that was the attacker's method, can help, as can shutting down a specific department that was targeted. Having a security infrastructure with multiple layers can help you locate and isolate the attack much more quickly and efficiently.

Once it's been contained, it's important to eliminate the threat to prevent any further damage. Again, methods for eradicating the attack vary depending on its type; it can be done by reformatting the affected assets and restoring them, or by blacklisting the IP address from which the attack originated.

2. Assess the damage

Once the attack has been stopped and eliminated, the next step is to investigate it and assess the damage it has caused to the organization.

Knowing how the attack happened is needed to prevent future attackers from using the same tactics and succeeding. It's also important to investigate the affected systems so that any malware the attacker may have left behind can be detected.

During the assessment, information that should be dug up includes:

  • What was the attack vector?
  • Was the attack based on social-engineering tactics or through user accounts?
  • How sensitive is the breached data?
  • What type of data was affected?
  • Does the data contain high-risk information?
  • Was the data encrypted and can it be restored (did the company backup their data)?

3. Notify those affected

While investigating the data breach, organizations are able to discover all those who were affected, and those that could be.

After the investigation, the next step is to notify authorities, third-party organizations and any individuals who might be affected. Since regulations govern the time frame in which the breach needs to be reported, it's always best to do it as soon as possible. The notification can be distributed via email, mass email, phone calls or any other mediums of communication you typically use with the affected parties.

In the notification, organizations need to cite the date of the breach, what was compromised and what the recipient can do to protect themselves from any further damage. This also allows the organization to maintain its integrity and save its reputation, combating the backlash that always accompanies data breaches.

4. Security audit

After taking the first steps in recovering from a data breach, a security audit is needed to assess the organization's current security systems and to help with preparation for future recovery plans.


A lot of organizations think their IT security is sufficient, but nobody can really claim that before performing an actual security audit. Security audits should be performed regularly, regardless of whether or not there was a data breach, but there are differences between a post-breach audit and a routine audit. An audit after a data breach or similar event needs to analyze the situation and all affected systems so that a proposal for new fixes and policies can be drawn up.

As for the routine security audits companies should enforce, a DNS audit will help secure the entire infrastructure and its administration, since an outdated DNS server can enlarge the attack surface. Checking a company's external attack surface is just as important: that data is often overlooked, yet because it is publicly available, attackers are likely to exploit whatever they find about a company's internal infrastructure and internet-facing assets. Examining the network and server systems, IP blocks, open ports, rDNS records and certificates a company has will give you a complete audit of the data that is already exposed online and that malicious attackers can access easily. Using SurfaceBrowser, a passive intelligence tool, will allow you to see any such detail related to any company.
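As an added illustration of the routine audit described above (example code written for this post, not part of the original article or of SurfaceBrowser), the script below runs offline over a constructed inventory export and flags the kinds of exposure the audit is meant to catch: internet-facing services that rarely belong there, hosts with no rDNS record, and expired, soon-to-expire or mismatched certificates. The export format, the sample records and the RISKY_PORTS list are assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed inventory export, one record per line ("-" means not present):
# ip,port,service,rdns,cert_subject,cert_expiry
INVENTORY = """\
203.0.113.10,443,https,www.example.com,www.example.com,2025-01-15
203.0.113.10,22,ssh,www.example.com,-,-
203.0.113.11,443,https,mail.example.com,old-mail.example.com,2019-03-01
203.0.113.12,3389,rdp,-,-,-
203.0.113.13,53,dns,ns1.example.com,-,-
"""

# Services that should rarely face the public internet (an assumption of this example)
RISKY_PORTS = {22: "ssh", 445: "smb", 3306: "mysql", 3389: "rdp", 5432: "postgres"}

def parse_inventory(text):
    """Turn the CSV-style export into a list of dicts, parsing dates where present."""
    rows = []
    for line in text.strip().splitlines():
        ip, port, service, rdns, subject, expiry = line.split(",")
        rows.append({"ip": ip, "port": int(port), "service": service, "rdns": rdns,
                     "cert_subject": subject,
                     "cert_expiry": None if expiry == "-" else date.fromisoformat(expiry)})
    return rows

def audit(rows, today_iso, warn_days=30):
    """Return (severity, ip:port, message) findings for exposed or stale assets."""
    today = date.fromisoformat(today_iso)
    findings = []
    for r in rows:
        where = f"{r['ip']}:{r['port']}"
        if r["port"] in RISKY_PORTS:
            findings.append(("high", where, f"{RISKY_PORTS[r['port']]} exposed to the internet"))
        if r["rdns"] == "-":
            findings.append(("low", where, "no rDNS record; host is unaccounted for in DNS"))
        exp = r["cert_expiry"]
        if exp is not None:
            if exp < today:
                findings.append(("high", where, f"certificate expired on {exp}"))
            elif exp - today <= timedelta(days=warn_days):
                findings.append(("medium", where, f"certificate expires on {exp}"))
            if r["rdns"] != "-" and r["cert_subject"] != r["rdns"]:
                findings.append(("medium", where,
                                 f"certificate subject {r['cert_subject']} does not match rDNS {r['rdns']}"))
    return findings

if __name__ == "__main__":
    for sev, where, msg in audit(parse_inventory(INVENTORY), "2024-12-20"):
        print(f"[{sev}] {where}: {msg}")
```

Feed it a real export from your own inventory or passive-DNS tooling and the same checks apply; the date argument lets you re-run the certificate checks against any reference day.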

5. Update your recovery plan to prepare for future attacks


After an attack, and after taking all the appropriate steps for recovery, the importance of preparing for the next attack can't be stressed enough. Once you've been attacked, the chances that you will be attacked again are substantial; the same attacker or group may try again since they've already succeeded, or other groups may use the same or similar methods.

The security audit and internal investigation are valuable. The information uncovered will help guide you toward your future recovery plan and any vulnerabilities that may be lurking.

The new recovery plan may include new privacy policies, security training for all employees, enforcing agreed policies with third-party businesses and more. But one thing every organization needs to do is work on educating their employees in some of the finer points of cybersecurity since, as we mentioned, human error is one of the most frequent reasons a data breach occurs.

Top 10 ways to protect your company against a data breach

As reports suggest, 4 out of 5 data breaches are caused by human or process error. For this reason it's important to avoid any harmful areas of negligence that can lead to breaches. Here are 10 ways to keep your company safe:

1. Train your employees

Train your employees and educate them about cybersecurity. Routine security and privacy training is advisable.

2. Protect the data

All sensitive data should be protected, regardless of whether that data is used or not. Even when disposing of storage, the data it contains should be shredded for additional protection.

3. Enforce strong passwords

Back to the passwords — enforce using strong passwords company-wide and schedule password changes at least every 6 months.


Safeguarding your company against data breaches is more important than ever.

4. Monitor data and its transfer

Monitoring and tracking the transfer of data through the company will prevent the data from being misused or exploited.

5. Limit access

Limit access to certain systems for people who are not part of the relevant department, and make sure that sensitive data is handled only by the relevant professionals.

6. Patch vulnerabilities

Out-of-date software and unattended vulnerabilities are often the vector of data breaches and should be patched in a timely manner.

7. Encrypt devices and data

Organizations should never allow unencrypted devices or data, as they are more exposed and vulnerable to attack.

8. Two-factor authentication

Adding this additional layer of security will provide greater protection than using only password authentication.

9. Limit downloading

Restricting downloadable media will prevent the transferring of sensitive data to external devices.

10. Breach recovery plan

Responding to a breach needs to be fast and efficient. And having a strong breach recovery plan will minimize the damages a data breach can bring.


Even if we're getting slowly desensitized to stories about big data breaches and information leakage, the privacy of our private and sensitive data should be important to all of us. Enforcing the right procedures and recovery plans can help immensely. And while no system is proven to protect you 100% from all attacks, we all have to start somewhere, right?

SecurityTrails offers features that will allow you to monitor your company domains, all associated domains, SSL certificates and many more — with custom solutions that will bump up your security architecture! Interested in what SecurityTrails API is capable of? Contact us for more information or sign up for your API today.

Sara Jelen Blog Author

Sara believes the human element is often at the core of all cybersecurity issues. It’s this perspective that brings a refreshing voice to the SecurityTrails team. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.
