You’ve Been Breached. What Should You Do Now?

A breach doesn’t have to be the end of the world—or your business. How you respond matters more than what happened.


If you're reading this, odds are your company has just discovered a data breach. First off: take a breath. It's stressful, it's disruptive, and it always seems to happen late on a Friday, so your weekend is now shot.

But don't panic. Let’s walk through what to do next—step by step, with clarity, professionalism, and a bit of real talk.

Step 1: Hands Off the Evidence

Think of your network like a crime scene. What’s the first thing detectives say? “Don’t touch anything.”

That means:

  • Don’t reboot affected systems
  • Don’t wipe logs
  • Don’t restore from backup just yet
  • Don’t factory reset your way out of it

Preserve everything.

Forensic investigators need access to an untouched environment to determine:

  • How the breach occurred
  • What data was exposed
  • Whether the attacker is still active

Here’s something we need to say delicately:

In PCI-related breaches especially, the consequences can be severe—fines, penalties, reputational damage. That pressure can trigger a very human reaction: "Let’s just quietly fix this before anyone notices." We get it. But resist that urge.

Intentionally hiding or destroying evidence can backfire catastrophically. Investigators can often tell when logs have been tampered with or deleted, and when they do, the resulting adverse inference can be far more damaging than the original error. In short, the cover-up costs more than the breach. You didn't intentionally allow a breach to happen; this happened to you. But it is important to maintain transparency so that the root cause can be fixed permanently and you do not have to go through this again in 6 months.

Full transparency helps:

  • Pinpoint the true root cause, including any vulnerabilities that may have been in a blind spot
  • Prevent repeat incidents
  • Protect your credibility with acquirers and card brands

Start documenting immediately:

  • When did you first notice the breach?
  • How did you discover it?
  • What actions were taken and by whom?

This documentation will help investigators, legal counsel, and your own leadership understand the timeline and response.

Step 2: Stop the Bleeding (Calmly)

Once you’ve preserved the evidence, it’s time to contain the damage.

That might mean:

  • Taking affected systems offline
  • Disabling compromised user accounts
  • Temporarily isolating segments of your network

You don’t necessarily need to unplug your entire business from the internet, but you do need to stop the bleeding.

Also: control the internal narrative. Avoid blasting out an all-staff email saying, “We’ve been hacked.” Keep the circle small until you’ve engaged the right experts and developed a coordinated response.

Step 3: Call in the Pros

Unless you have certified, experienced incident responders on staff, now is the time to bring in experts.

If cardholder data is involved, your payment processor may require you to engage a PCI Forensic Investigator (PFI). These firms are certified to:

  • Identify how the breach occurred
  • Determine the scope of compromised data
  • Provide reports to card brands, banks, and legal counsel

In addition to a forensic firm, you should also:

  • Notify your acquiring bank or processor
  • Inform your cyber insurance provider (if applicable)
  • Engage legal counsel to help manage regulatory obligations
  • Consider notifying law enforcement (especially if the breach is criminal in nature)

Avoid DIY investigations unless you have the credentials, tools, and objectivity to do it right.

Step 4: Own the Narrative

Once you understand the scope of the breach, it’s time to inform the public. You don’t need to hold a press conference, but you do need to control the message.

Be proactive, not reactive. Prepare a clear, factual statement addressing:

  • What happened
  • What data was affected (if any)
  • What you're doing to fix it
  • What affected parties can expect next

Be transparent, but don’t speculate. Saying too much too soon can create more confusion than clarity. Get your facts straight before speaking.

Done right, this moment can build trust, not destroy it.

Step 5: Learn, Fix, and Fortify

Once the fire is out, don't just rebuild—rebuild smarter.

Key takeaways:

  • Update or create your incident response plan
  • Conduct a postmortem with key stakeholders
  • Train your team to avoid the same mistakes (yes, even the ones who "never click links")
  • Strengthen compliance with frameworks like PCI DSS, HIPAA, or HITRUST
  • Invest in ongoing monitoring, logging, and vulnerability scanning

In Closing

A breach doesn’t have to be the end of the world—or your business. How you respond matters more than what happened.

So take a breath. Take the right steps. And take control of your story.

Oh—and next time, schedule your breach for a Monday. (Just kidding. Mostly.)
