Data has been stolen or leaked from my organisation

• You may accidentally give the criminals more of the information they want. 
• The sender of the blackmail message may not necessarily even have the data they claim to have. It may be only a scam.

• It is not guaranteed that paying will prevent criminals from using the data. The blackmailer may publish the data anyway.
• When the data has been stolen once, it is likely to have also spread to more than one criminal party. Even if you pay one blackmailer, another one may soon be demanding a new ransom.
• If you pay the ransom, you finance criminal activities.

Inform the bank and the police about it immediately. It may still be possible to interrupt the bank transfer.

Ransomware is software that has managed to enter the information system without authorisation. For example, it may lock the computer or mobile device or encrypt files. After that, it will ask for a ransom. 

Do not pay any ransom. Read the instructions regarding ransomware on the website No More Ransom maintained by EuropolOpens in a new window..

If bank account numbers of private individuals have been subject to a theft or a leak, inform the person in question about it. Bank account numbers are also personal data.

The information systems cannot be returned to normal operation until after it has been ensured that

• the vulnerabilities in the system have been rectified
• the intruder has been chased away
• the routes used by the intruder have been blocked.

• The intruder’s movements are visible in the log files. Log files are important evidence and they must not be destroyed. 
• If someone has broken into the system, the data in the system may have been altered. The data can no longer be trusted with certainty.
• The intruder will probably try to maintain their access to your information systems by constantly creating new “back doors”, or illegal routes.

Measures to be taken after the acute situation has passed are explained in more detail on page Consider the following after the most acute situation.

1. The authorities. In many cases, informing the authorities about data security and data protection problems is governed by law. Submit all essential information to the authorities without delay. Do no communicate about the matter to anyone else but the authorities before you have blocked the acute data security vulnerabilities.
2. The organisation’s employees. Tell the employees about the incident if it concerns them, affects their work or if it has a significant effect on the organisation's operation. Instruct them on what and how they can talk about the matter outside the organisation. Encourage the personnel to tell those investigating the matter all the additional information and suspicions related to the incident.
3. Cooperation partners, subcontrators and other stakeholders related to the incident. Tell the cooperating parties about the incident if it may affect your cooperation or the operation of your cooperating party. Take into account all possible agreements concerning your cooperation. Explain how you would like information about the matter to be communicated in public.
4. Customers related to the incident. Tell the customers if the incident concerns their data or affects the services received by them. Customers must be informed as quickly as possible if this can prevent potentional harmful effects on them. Give the customers clear instructions on what to do to prevent further damage. Tell the customers about their rights related to their privacy protection and how they will get more information on the incident.
5. Informing the general public and the media is not obligatory. However, in more serious cases, it may be a good idea for your organisation to communicate information about the matter before becomes public knowledge some other way. By reporting yourself, you can better influence what is said about it and how in public. If the data leak has been significant from society’s point of view, the media is likely to be interested in it. It is then necessary for your organisation to prepare for contact requests from the media. 

Also remember to communicate regularly about the situation and the progress of rectifying it.

If the data leak concerns a large number of customers, you should prepare yourselves for a large number of people contacting you. You can prepare for it, for example, by 

• drawing up a Frequently asked questions section for your website 
• organising a new channel for contacting your organisation, through which customers can request more information on the matter.

Always reply to contact requests from the media. Prepare for contact requests from the media by planning answers to possible questions. Agree on who (one or several people) will reply to the contact requests.

The media are usually interested in the following details: 

• what has happened and when
• how it has been possible for this to happen
• how the incident is investigated
• are the police investigating the matter
• what kind of data has been leaked, stolen or compromised
• what the risks caused by what has happened are and who are the risks are caused to
• is the offender known
• are any parties within the organisation suspected of anything criminal
• How is it ensured that a similar incident will not happen again?

Direct the persons whose personal data has been stolen or leaked to read instructions in the guide My personal data has been stolen or leaked.

The next page will explain in more detail what your organisation must report to the authorities and the persons themselves if their privacy protection has been compromised.

For example, you can reorganise the operation so that the employees required in the investigation, communications and customer services tasks are transferred from other less critical areas of operation. This way, you can allocate human resources to efficient management of the acute situation.