The Anatomy of a Post-Breach Response
A data breach is not just a security incident — it is a governance failure, a regulatory event, and a trust crisis, all occurring simultaneously. Organisations that respond effectively are those that have prepared for this moment before it happens, and those that treat the incident not just as a crisis to manage but as a catalyst for fundamental improvement.
This article draws on our experience supporting organisations through post-breach recovery, including our work with Odido following their 2024 security incident. It covers the immediate response requirements, the forensic analysis process, and the strategic changes required to build a genuinely resilient data posture.
The First 72 Hours: Regulatory and Operational Priorities
GDPR Article 33 requires that a personal data breach be reported to the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after the organisation becomes aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The clock runs from the moment of awareness, not from when the breach occurred, and a notification submitted after 72 hours must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to individuals, Article 34 additionally requires that the affected individuals themselves be informed without undue delay.
In practice, the 72-hour window is extremely tight, and organisations that have not prepared their incident response processes in advance frequently struggle to meet it. The key actions in the first 72 hours are:
Containment: Isolate affected systems to prevent further data exfiltration. This may involve taking systems offline, revoking access credentials, or blocking specific network paths. Where possible, capture volatile evidence (memory, running processes, active network connections) before a system is powered off, because it cannot be recovered afterwards. Containment actions need to be carefully documented, including who took each action and when, as they will be scrutinised in the subsequent investigation.
Initial Scope Assessment: Determine, to the best of your current knowledge, what data was affected, how many individuals are impacted, and what the likely consequences are. This assessment does not need to be complete at the 72-hour mark — the supervisory authority notification can be submitted with the information available, with a commitment to provide further details.
Supervisory Authority Notification: Submit the initial notification to your lead supervisory authority (or, for purely domestic processing, the national authority). The notification should cover: the nature of the breach, the categories and approximate number of individuals and records affected, the name and contact details of the data protection officer or other contact point, the likely consequences, and the measures taken or proposed to address the breach.
Internal Communication: Ensure that senior leadership, legal, communications, and relevant operational teams are informed and aligned on the response strategy. Inconsistent internal communications are a significant risk in the aftermath of a breach.
The Forensic Investigation: What You Need to Know
The forensic investigation that follows a breach serves two purposes: understanding what happened (to prevent recurrence) and documenting what happened (for regulatory and legal purposes). These purposes sometimes create tension, because the most thorough forensic investigation also produces the most detailed documentation of your security failures. For this reason organisations in many jurisdictions engage the forensic provider through legal counsel so that the report may attract legal privilege; whether and to what extent privilege applies depends on the jurisdiction and should be confirmed with counsel at the outset.
Scope of the Investigation: A comprehensive post-breach forensic investigation should cover: the initial attack vector (how the attacker gained access), the lateral movement path (how the attacker moved through your systems), the data accessed or exfiltrated (what data was affected and for how long), and the detection gap (how long the breach went undetected).
Data Impact Analysis: The most challenging aspect of the forensic investigation is often the data impact analysis — determining exactly what personal data was accessed or exfiltrated. This requires detailed data lineage information, access logs, and in many cases, forensic analysis of attacker behaviour. Organisations with mature data governance and lineage capabilities can complete this analysis significantly faster than those without.
Evidence Preservation: All forensic evidence must be collected and preserved in a way that keeps it legally admissible: acquire forensic images rather than working on live systems where practical, hash every artefact (system logs, network traffic captures, access records) at the point of collection, and maintain a chain-of-custody record of who handled each item and when. Evidence preservation needs to be balanced against the operational need to restore affected systems; restoring a host from backup typically destroys the evidence on it, so imaging must come first.
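The hash-and-manifest step described above, as an added example that is not code from the original article or from any organisation it names. It assumes the artefacts have already been copied read-only into a collection directory; the two sample log files, the collector name and the case identifier are constructed for the demonstration.

```python
"""Evidence preservation: SHA-256 manifest and later integrity verification.

Added example (not the article's own code). Assumes artefacts already sit in a
collection directory; the manifest records a digest per file plus who collected
it and when, so a later check can prove nothing changed after collection.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images are not read into memory at once


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _digest_of(manifest_body: dict) -> str:
    # Canonical JSON so the digest is stable regardless of key order.
    body = json.dumps(manifest_body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


def build_manifest(evidence_dir: Path, collector: str, case_id: str) -> dict:
    """Hash every file under evidence_dir and record provenance for each."""
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        entries.append({
            "path": str(path.relative_to(evidence_dir)),
            "sha256": sha256_file(path),
            "size": path.stat().st_size,
        })
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    # The top-level digest is what goes into the chain-of-custody log (or is
    # signed out of band); keep the manifest itself outside the evidence tree.
    manifest["manifest_sha256"] = _digest_of(manifest)
    return manifest


def verify_manifest(evidence_dir: Path, manifest: dict) -> list[str]:
    """Return a list of problems; an empty list means every artefact is intact."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if _digest_of(body) != manifest["manifest_sha256"]:
        problems.append("manifest digest mismatch (manifest edited after collection)")
    recorded = {e["path"]: e for e in manifest["files"]}
    for rel, entry in recorded.items():
        path = evidence_dir / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"modified: {rel}")
    present = {str(p.relative_to(evidence_dir)) for p in evidence_dir.rglob("*") if p.is_file()}
    for rel in sorted(present - recorded.keys()):
        problems.append(f"unrecorded file added: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Collect constructed sample artefacts, verify, tamper with one, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp)
        # Constructed sample log lines, not real data.
        (ev / "auth.log").write_text("2024-05-01T02:14:07Z sshd: Accepted publickey for svc-backup\n")
        (ev / "proxy.log").write_text("2024-05-01T02:20:11Z CONNECT 198.51.100.7:443 bytes=734003200\n")
        manifest = build_manifest(ev, collector="ir-analyst-1", case_id="IR-0001")
        clean = verify_manifest(ev, manifest)
        # Simulate someone "tidying" a log after collection.
        (ev / "auth.log").write_text("")
        tampered = verify_manifest(ev, manifest)
        return clean, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the manifest (or at least its top-level digest) is written to the chain-of-custody record, not into the evidence directory, so that the verification step can distinguish an unrecorded file from the manifest itself.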
Building a Resilient Post-Breach Data Strategy
The organisations that emerge from a data breach in a stronger position are those that use the incident as a catalyst for fundamental improvements in their data governance and security posture. Based on our post-breach work, the key strategic changes are:
Data Minimisation: Breaches are less damaging when organisations hold less personal data. A post-breach review should include a comprehensive data minimisation exercise — identifying and deleting personal data that is no longer necessary for its original purpose. This reduces both the risk of future breaches and the regulatory exposure from the current one.
Data Classification and Tagging: Implementing automated data classification — identifying and tagging personal data, sensitive data, and regulated data across your entire data estate — provides the foundation for targeted security controls and faster impact analysis in future incidents.
Access Control Rationalisation: Post-breach investigations frequently reveal that access controls were more permissive than necessary — users and systems had access to data they did not need for their legitimate purposes. A post-breach access control review should implement the principle of least privilege across all data systems.
Monitoring and Detection: Many breaches go undetected for weeks or months. Implementing comprehensive security monitoring, covering data access patterns, unusual data exfiltration volumes, and anomalous user behaviour such as off-hours access to sensitive datasets, is essential for reducing the detection gap. Monitoring is only as good as the logs beneath it: a common post-breach finding is that the relevant access logs were never enabled, or had already rotated out before the investigation began, so log coverage and retention should be reviewed alongside the detection rules themselves.
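The two preceding points, the access control review and the detection of unusual data volumes and off-hours access, share the same input (a data-access log), so one added example serves both. This is illustrative Python written for this page, not the article's or any organisation's tooling; the key=value log format, the sample log lines, the role-to-grant table and the thresholds are all constructed assumptions.

```python
"""Access-log review for least privilege and exfiltration detection.

Added example, not code from the original article. Assumes a simplified
key=value access-log format (constructed below) and a role-to-grant table;
real deployments need their own parser and tuned thresholds.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: five quiet days for two identities, then a day on which
# the reporting service account pulls a very large slice of HR data at 02:00.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice role=analyst action=read dataset=crm.customers rows=120
2024-05-01T10:40:51Z user=svc-report role=service action=read dataset=billing.invoices rows=4000
2024-05-02T09:05:17Z user=alice role=analyst action=read dataset=crm.customers rows=95
2024-05-02T10:41:02Z user=svc-report role=service action=read dataset=billing.invoices rows=4100
2024-05-03T09:30:44Z user=alice role=analyst action=read dataset=crm.customers rows=130
2024-05-03T10:40:58Z user=svc-report role=service action=read dataset=billing.invoices rows=3900
2024-05-04T09:14:09Z user=alice role=analyst action=read dataset=crm.customers rows=110
2024-05-04T10:42:33Z user=svc-report role=service action=read dataset=billing.invoices rows=4050
2024-05-05T09:22:48Z user=alice role=analyst action=read dataset=crm.customers rows=101
2024-05-05T10:40:12Z user=svc-report role=service action=read dataset=billing.invoices rows=3980
2024-05-06T02:03:27Z user=svc-report role=service action=read dataset=hr.records rows=250000
"""

# Constructed grant table: what each role is allowed to do. The review compares
# this with what each identity actually exercised.
GRANTS = {
    "analyst": {("crm.customers", "read"), ("billing.invoices", "read"), ("hr.records", "read")},
    "service": {("billing.invoices", "read"), ("hr.records", "read"), ("hr.records", "export")},
}
SENSITIVE = {"hr.records", "crm.customers"}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) dataset=(?P<dataset>\S+) rows=(?P<rows>\d+)$"
)


def parse_log(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline should count malformed lines rather than drop them silently
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["rows"] = int(e["rows"])
        events.append(e)
    return events


def unused_grants(events: list[dict]) -> dict[str, set[tuple[str, str]]]:
    """Per identity: grants its role carries that it never exercised in the window.

    Feed this only events from before the incident; otherwise the attacker's
    own activity makes a grant look 'used' and it survives the review.
    """
    used, role_of = defaultdict(set), {}
    for e in events:
        used[e["user"]].add((e["dataset"], e["action"]))
        role_of[e["user"]] = e["role"]
    return {u: GRANTS[role_of[u]] - used[u] for u in used}


def volume_anomalies(events: list[dict], factor: float = 5.0) -> list[dict]:
    """Flag a user-day whose row total exceeds `factor` x that user's median daily volume.

    The median of *earlier* days is the baseline, so a spike cannot inflate its own baseline.
    """
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> rows
    for e in events:
        daily[e["user"]][e["ts"].date()] += e["rows"]
    findings = []
    for user, days in daily.items():
        ordered = sorted(days.items())
        for i, (day, rows) in enumerate(ordered):
            history = [r for _, r in ordered[:i]]
            if len(history) < 3:
                continue  # not enough baseline yet
            baseline = statistics.median(history)
            if rows > factor * baseline:
                findings.append({"user": user, "day": day.isoformat(), "rows": rows, "baseline": baseline})
    return findings


def off_hours_sensitive(events: list[dict], start: int = 0, end: int = 6) -> list[dict]:
    """Reads of sensitive datasets between `start` and `end` (UTC hours)."""
    return [e for e in events if e["dataset"] in SENSITIVE and start <= e["ts"].hour < end]


def review(log_text: str = SAMPLE_LOG, incident_day: str = "2024-05-06") -> dict:
    events = parse_log(log_text)
    cutoff = datetime.fromisoformat(incident_day + "T00:00:00+00:00")
    return {
        "unused_grants": unused_grants([e for e in events if e["ts"] < cutoff]),
        "volume_anomalies": volume_anomalies(events),
        "off_hours_sensitive": [(e["user"], e["dataset"], e["rows"]) for e in off_hours_sensitive(events)],
    }


if __name__ == "__main__":
    print(review())
```

On the constructed sample the review finds that `svc-report` never used its `hr.records` grants before the incident (so they should have been revoked), that its 6 May volume is over 60 times its median daily volume, and that the only sensitive read in the 00:00 to 06:00 window is that same event. A volume rule built on a median of prior days is deliberately simple; the point it demonstrates is that the baseline must be per identity and must exclude the day being scored.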
Incident Response Planning: The organisations that respond most effectively to breaches are those that have tested their incident response plans before an incident occurs. Tabletop exercises, simulated breach scenarios, and regular plan reviews are essential investments.
The Regulatory Aftermath
Following a significant breach, organisations should expect ongoing regulatory engagement that extends well beyond the initial notification. Supervisory authorities typically conduct follow-up investigations to assess the adequacy of the organisation's response and the measures taken to prevent recurrence.
The organisations that navigate this regulatory engagement most effectively are those that can demonstrate: a thorough understanding of what happened and why, a comprehensive remediation plan with clear milestones, and evidence that the remediation is being implemented effectively. Organisations that appear to be minimising the incident or delaying remediation consistently receive more severe regulatory outcomes.