Introduction
In this guide, you will learn how employee data can be exposed, how to check if your organization’s information appears on the dark web using NordPass, and the steps to respond and reduce future risks.
Before you start
Here's how employees' data can be exposed:
- Third-Party Breaches – A service used by employees or the company gets hacked, leaking credentials or sensitive data.
- Password Reuse – Employees using the same passwords across multiple accounts risk exposure if one is compromised.
- Weak Security Practices – Lack of multi-factor authentication (MFA), weak passwords, or poor access controls make accounts vulnerable.
- Phishing Attacks – Cybercriminals trick employees into revealing login credentials, which are then sold or misused.
- Misconfigured Systems – Publicly accessible files, unprotected databases, or insider threats can lead to data leaks.
Before resolving the breach, we recommend following your organization’s incident response plan. If you need a reference point, click on the “NordPass’ playbook” button, located at the top-right corner of the “Dashboard” section.
Here's what to do
Check if your organization's data is exposed
- Navigate to the Admin Panel for Business as an organization's owner.
- Next, select the "Dashboard" button located on the upper-left side.
- Here, you’ll see the data breach scanner indicating if any breaches have been detected. Click on the "View Report" button to see the breach details.
- Click on the specific data breach report to open it, view detailed information, and see which individuals were affected.
Note: If you wish to disable alerts, we recommend checking out our guide on how to disable alerts for Data Breach Scanner.
Respond when employee data is exposed
When your organization discovers that employee information has been exposed, it’s critical to respond in a structured, methodical manner.
Note: Keep in mind that this is a starting point, not a complete guide. Adapt it to your company's needs and seek expert advice as necessary.
Here are the recommended steps to resolve a data breach incident:
- Verify the breach with the affected third-party provider:
  - Gather official information to confirm what happened.
  - Assess what information has been compromised.
  - Document key details, such as breach date, data impacted, employees affected, and other risks.
- Protect employee accounts:
  - Disable affected accounts to prevent further damage.
  - Enforce password resets, strong password policies, and multi-factor authentication (MFA) usage.
  - Check that passwords are not being reused for other accounts.
  - Check Single Sign-On (SSO) integrations for unauthorized access.
- Work with internal or external security teams to analyze the incident:
  - Scan for suspicious activity, and confirm that the incident has been contained.
  - Assess whether the third-party provider still poses risks.
  - Confirm with employees that no new unusual activity has been noticed.
- Inform leadership, legal, and HR.
- Provide affected employees with security instructions.
- Coordinate with the third-party provider and notify authorities if required. Ensure public statements are fact-based and avoid speculation.
- Maintain detailed records of actions taken:
- Conduct a post-incident review.
- Re-evaluate whether to keep using the third-party provider.
- Review software procurement and confirm that shadow IT is no longer in use.
- Update security policies.
- Conduct security training.
- Strengthen vendor agreements to prevent future breaches.
Minimize future risks
Take proactive steps to prevent future breaches. Here's what you can do:
- Improve password management with tools like NordPass. Here are the steps you can take:
- Conduct regular security awareness training to educate employees on best practices.
- Review and update third-party security requirements, and ensure your internal security policies are robust and up-to-date.
- Consider implementing threat exposure management platforms like NordStellar to gain deeper insights into your organization’s security gaps.
Additional Tips
- If the domain is unknown, we cannot provide further clarification for that specific entry. This occurs because data found on the dark web can be incomplete: we may find out about the total scope of data categories, but the data itself may be missing. In either case, we will inform you when your email address or credit card is found, regardless of the data completeness. It is important that you change any passwords you may be using with the exposed credentials.
- We recommend checking out our guide on how to use the Data Breach Scanner for your company to better understand how to protect your organization.