Go directly to contents.
What should I do?

Data has been stolen or leaked from my organisation


Do the following if your organisation has become subject to a data leak or a data breach.

Gather together the persons in responsible positions

To create a situation picture, you will need the persons who are responsible for your organisation’s

  • security
  • data security
  • data protection
  • preparedness 
  • communications
  • most senior leadership
  • information systems.

Determine what has happened

Find out

  • what data has been compromised
  • what has been done to the data
  • whether the security of the data is still at risk.

Assess the risks


  • what may follow from what has happened 
  • how likely it is that the different consequences will be realised.

Decide on the measures to be taken


  • what measures should be taken immediately
  • what measures should be prepared in the long term.

Document what has happened, the decisions and the measures taken

  • Keep a diary of the events and the decisions and measures that have been taken.
  • Make sure that the log data on the information systems related to the incident are stored. 
  • Take backup copies of all documents related to the incident.

Do not agree to any demands

  • Do not answer to the blackmail messages.
  • Do not pay any ransom.
  • Do not delete the blackmail message you received.

If necessary, cancel the online banking codes and debit cards

If the online banking codes or debit and credit card details have ended up in the hands of outsiders, contact the bank straight away.

Limit the impacts of the data security vulnerability

Assess whether your organisation needs to

  • shut down the information systems or isolate them from the network
  • increase the monitoring of the systems or the internal network
  • restrict the flow of information between systems 
  • prevent or prohibit the use of the systems.

Lock or renew usernames if necessary

If the data security of the usernames and passwords of the members of your organisation is at risk, lock the usernames related to the incident temporarily.

Chase the possible intruder away from the information system

Determine from the log data what has happened in the information systems. Chase the intruder away by preventing their access to the systems. 

The normal operation of the information systems can be resumed once it has been ensured that

  • the vulnerabilities in the system have been rectified 
  • the intruder has been chased away 
  • the routes used by the intruder have been blocked.

Plan communication about the incident

Plan how you will communicate about the incident internally and externally. Decide what, who to, when and how you will communicate.

Remember to

  • stay truthful
  • avoid speculation
  • say you are sorry and apologise for the inconvenience caused by the situation
  • not reveal anything that compromises data security.

Submit a notification to the NIS competent authority in your sector

Make the necessary changes to the information systems

Schedule and plan technical modifications with the system supplier. For example, you may have to

  • recover data from a backup copy
  • repair vulnerabilities
  • update systems or reinstall them
  • compensate for or acquire new devices
  • change passwords. 

Consider the following after the most acute situation has passed

  • Make the necessary changes to your organisation’s processes.
  • Apply for possible compensation for breaches of contract, compensation from insurances or compensation for damage.
  • Note that your customer may demand that your organisation pays compensation for having breached the General Data Protection Regulation.
  • Note that the Office of the Data Protection Ombudsman may impose sanctions on your organisation if your organisation has not complied with the requirements of the General Data Protection Regulation. 
  • Improve data security, data protection and preparedness.

Are you satisfied with the content on this page?