To get the best help for your situation, first answer the questions on the Preliminary questions page.
Data has been stolen or leaked from my organisation
Determine what has happened
Act swiftly
If suspicions arise that the data security in your organisation has been compromised, start to investigate the incident immediately.
This way, the damage may remain smaller and you know that you did all you could in the situation.
Gather together the persons in responsible positions
Swiftly gather together the persons responsible for your organisation’s
- security
- data security
- data protection
- preparedness and continuity
- communications.
The most senior leadership of the organisation should usually be made aware of the matter. If the problem concerns an information system, the person responsible for that system must also be involved in the communication, as well as a representative of the system supplier, if there is one.
Together, the responsible persons can decide what measures should be taken.
Determine what has happened
Find out
- what data it is that has been compromised
- what has been done to this data (viewing, copying, altering, deletion)
- whether the security of the data is still at risk.
How is a data breach investigated?
A data breach in a technical environment is usually investigated using the log data of the systems, applications, servers and services.
The logs can be used to find out
- what happened
- why it happened
- when it happened.
Read about data breaches and log data in more detail in the National Cyber Security Centre’s publication Guide for detecting data breaches (in Finnish).
Assess the risks and decide on the measures to be taken
When you are reasonably sure about what has happened, assess
- what may follow from what has happened
- how likely it is that the different consequences will be realised.
The risk assessment helps you decide
- what measures should be taken straight away to prevent further damage and to solve the situation
- what measures should be prepared in the long term.
Document the events and the measures taken
- Keep a diary of the events and the decisions and measures that have been taken.
- Make sure that the log data of the information systems related to the incident is preserved unchanged and that copies of it are stored in a secure place.
- Take backup copies of all documents related to the incident, including, for example, the email messages discussing the matter.
The information will be needed in investigating the incident and in the possible criminal investigation and court proceedings.
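One way to keep log data "stored and unchanged" and to be able to show it later, as an added example that is not part of the original guidance: copy each log file into an evidence directory, record a SHA-256 hash for each copy, and re-check the hashes whenever the copies are used. The function names, the `MANIFEST.json` file name and the sample log line are assumptions made for this illustration.

```python
import hashlib, json, os, shutil, stat, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_logs(sources, evidence_dir):
    """Copy each log into evidence_dir, hash the copy and make it read-only."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_utc": datetime.now(timezone.utc).isoformat(), "files": {}}
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        if dst.exists():  # never overwrite a copy that was already collected
            raise FileExistsError(f"{dst} already preserved")
        shutil.copy2(src, dst)  # copy2 also keeps the file timestamps
        digest = sha256_file(dst)
        if digest != sha256_file(src):
            raise OSError(f"copy of {src} does not match the original")
        os.chmod(dst, stat.S_IRUSR)
        manifest["files"][src.name] = digest
    # Note the manifest's own hash in the incident diary: the manifest is only
    # trustworthy if it is kept, or its hash recorded, somewhere separate.
    (evidence_dir / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_evidence(evidence_dir):
    """Return the names of copies that are missing or no longer match the manifest."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "MANIFEST.json").read_text())
    return [name for name, digest in manifest["files"].items()
            if not (evidence_dir / name).is_file()
            or sha256_file(evidence_dir / name) != digest]

def demo():
    """Constructed sample: preserve one log, verify it, then alter the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "auth.log"
        log.write_text("2024-01-01T10:00:00Z login failed user=alice src=192.0.2.10\n")
        ev = Path(tmp) / "evidence"
        preserve_logs([log], ev)
        before = verify_evidence(ev)
        os.chmod(ev / "auth.log", stat.S_IRUSR | stat.S_IWUSR)
        with open(ev / "auth.log", "a") as f:
            f.write("line added after collection\n")
        return before, verify_evidence(ev)
```

`demo()` returns an empty list for the untouched copy and `["auth.log"]` once the copy has been altered, which is the check to repeat before the logs are handed over for investigation.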