<center>

# Breach Response Guidelines for Companies

*Originally published 2018-12-06 on []()*

So... your company just got hacked, now what?

</center>

---

**Let's talk about how to respond without jeopardizing your customer data and reputation even further in this critical time.** You don't want to be another Equifax, and there are some simple steps you can follow to avoid the most common pitfalls.

## Intro

I'm sure this is a hectic time for you. You just got some of the worst news an executive can get, and you're probably preparing for a PR shitstorm of epic proportions. It's important not to rush this process, because there are good and bad ways to respond to incidents, and you want to make sure you don't shoot yourself in the foot while you're still trying to recover from the first blow.

### Phase 1: Discovery

1. Don't panic, take time to understand what happened. The worst decisions are made in haste.
2. Find someone in your company who understands the technical details of the breach, and have them write up a 1 page report, explaining it at a high level in less technical terms.
3. Determine exactly who is affected, and get a list of their contact info so you can follow up with high-value customers individually and alert everyone of steps they can take to secure their assets.

### Phase 2: Preparation for Disclosure

1. **DO NOT SET UP A SEPARATE DOMAIN:** it's critical that the breach announcement be hosted on your primary domain, e.g. instead of. Security is all about trust relationships, and your primary domain is the root of customers' trust in your company: it's where they go to find the official announcements for your business, and you don't want to set up a new domain that has no trust established yet. It makes it too easy for scammers and phishers to set up similar domains that deceive your customers into giving their personal details away.
2. **Set up a page on your primary domain that outlines the breach details** in three parts: *what happened*, *who is affected*, and *next steps*. That way customers can quickly see at a glance whether or not their information has been leaked, and what steps they can take if their information has been exposed. Ideally the page should not collect any personal info, and it should warn readers not to enter personal info into any pages that look similar.
3. **Write an email to alert your customers.** Keep in mind that no matter how carefully you write this email, thousands of phishing and scam artists will be replicating it to try and pry information from your customers. Make sure to alert people that they should not click any links in emails like this, and they definitely shouldn't type in any personal information. Instead they should visit the official domain of the company, and read the announcement online. **This email must be sent from your primary domain**, and signed with DKIM and strong SPF/DMARC settings. Do not send it from a new domain like; this can and will be easily spoofed by scammers.

### Phase 3: Disclosure

TODO: Timing of disclosure and pre-emptive media coverage to reduce misinformation.

### Phase 4: Media Coverage

TODO: Managing media coverage and taking responsibility without harming PR further.

### Phase 5: Post-Mortem and Prevention of Future Incidents

After the media frenzy has died down, it's important to have some self-reflection and collect some lessons learned from the incident. Companies can gain respect and trust from their customers by posting a blog article or newsletter piece that humbly explains what measures have been put into place to prevent future incidents like this, and what lessons have been learned from the event.

## Case Studies

TODO

### Bad Incident Responses

- Equifax
- Marriott
- The list goes on and on...

### Good Incident Responses

- Cloudbleed? (initial response was iffy, but their later posts were much better)
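Phase 2, step 3 above insists that the notification email come from your primary domain with DKIM and strong SPF/DMARC. As an added example that is not part of the original post, here is a small Python check of the SPF and DMARC TXT records of the sending domain, run on constructed sample records (the `example.com` / `example.net` names are placeholders); DKIM is left out because verifying it needs an actually signed message, not just DNS.

```python
# Added example (not from the original post): flag SPF/DMARC settings that
# would let scammers spoof the breach-notification sender. The records below
# are constructed samples; in practice paste the TXT records you fetched for
# your own sending domain (e.g. with `dig TXT yourdomain.example`).

def parse_spf(txt):
    """Return (terms, qualifier of the 'all' mechanism) or None if not SPF."""
    if not txt.lower().startswith("v=spf1"):
        return None
    terms = txt.split()[1:]
    qualifier = None
    for term in terms:
        if term.lower().lstrip("+-~?") == "all":
            # A bare "all" is equivalent to "+all" (pass everything).
            qualifier = term[0] if term[0] in "+-~?" else "+"
    return terms, qualifier

def parse_dmarc(txt):
    """Return the tag=value pairs of a DMARC record as a dict, or None."""
    if not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_email_auth(spf_txt, dmarc_txt):
    """List weaknesses a defender should fix before sending the notice."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append("no SPF record")
    else:
        _, qualifier = spf
        if qualifier is None or qualifier == "+":
            findings.append("SPF has no or a pass-all 'all' mechanism")
        elif qualifier in "~?":
            findings.append("SPF 'all' is softfail/neutral, use -all")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy != "reject":
            findings.append(f"DMARC policy is p={policy}, use p=reject")
        if dmarc.get("sp") and dmarc["sp"].lower() != "reject":
            findings.append("DMARC subdomain policy sp is not reject")
    return findings

# Constructed sample records: a weak pair and a hardened pair.
WEAK = ("v=spf1 include:_spf.example.net ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
STRONG = ("v=spf1 include:_spf.example.net -all",
          "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s")
```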
