Crashtest Security Blog

The 5 Stages of a Data Breach

Nov 13, 2018 11:11:00 AM / by Leonard Basse



According to the 2018 Global Risk Report the World Economic Forum released this year, Cyberattacks are amongst the Top 5 Risks for Global Stability in terms of Likelihood and Impact. A data breach caused by a cyber attack can indeed have an incredible impact on any country, corporation or business owner.

Most people are aware of the threat that cyber crime is by now. However, many still see themselves as safe because they are „Too small to be hacked“, „Have nothing that hackers would want“ or would find some other reason for their negligence.

Hacking attacks are not a matter of “if” anymore — they’re a matter of „when“!


The problem with this form of mismanagement shows itself once a data breach occurs since the most costly part of it is how it is managed. To help you avoid any mistakes during the usual stages of a data breach I will walk you through each stage one by one and give some recommendations on how to tackle each situation.


The Alert

I call this stage the alert stage not only because you could see any of the following signals as alerts, but because you should also be alert from the very first moment you experience any problem with your IT infrastructure.

This is usually the first stage in any data breach that companies face. It starts with yourself or your users (in- and outside the company) feeling something odd. A part of your application might work slower, your users are shown weird pop-up ads or e-mails are sent to spam. These are first warnings which you should inspect carefully. Even worse indicators are that your data is not accessible anymore or that your website provider took down your site.

These are all signals that your application, company or data has been hacked. For a better understanding of how to quickly detect these and other indicators you can also have a look my previous article: 7 Signs that your Website has been hacked.

If any of the signals mentioned above have surfaced in your company, you need to act fast and investigate the issue intensively since mismanagement in an early stage can already lead to a loss of customer trust and a more delayed remediation of the vulnerability.


Data Leakage

This is where data breaches show their main and direct impact. This is the actual hacking part where the attacker extracts data or stops you from operating your business.

Either this part is currently happening (e.g. you cannot access your data) or has already happened (customer or business data or other sensible information has been stolen). It is up to your management, how fast your company will be up and running again. This is the point in time where it is also shown if you can keep your public image or if your reputation goes down the drain (see Aftermath). In any way you will experience a decrease in visits on your application since users are not able to access it or are less willing to use it until you fix the issue. The following loss in revenue is the first and direct cost associated with the data breach.

Depending on whether it only impacts your internal operations or whether customer data has been extracted you should consider giving a public statement on the matter or sending out a notification to your customers to retain your integrity and public trust.

During this stage you might ask yourself how long the data breach has been open and how long it will last, since you want to get back to business as early as possible. According to the WhiteHat Web Applications Security Statistics Report it takes about 100 to 245 days to fix an existing data breach but this is mostly depending on how fast the problem is detected as well as the vulnerability itself.



To minimize the impact of the data breach, this stage should already go hand in hand with the prior stage.

So it is now clear to you that you’ve been hacked... What now?

First of all you need to ask yourself these three questions:

  • Where is the impact?
  • How did it happen?
  • What needs to be done?

For the latter question we can give you some guidelines.

You should start by freezing everything and isolating your network so that no more damage can be done and so that investigators can look into the company’s security status at the moment closest to the data breach.

Once you’ve done that you can start to figure out what kind of vulnerability led to the data breach and how it can be fixed. This will probably take up a lot of time and require some external advice, to make sure the vulnerability is remediated correctly. For help on these matters you can always have a look at our Knowledge Base.

Thorough work and open communication during the remediation can improve your standing with important stakeholders and therefore lead to less tension in the next stage — the Aftermath.



So you found the vulnerability, fixed it and your security seems fine now. However this does not imply the end of it…

You will have to deal with several things affecting your business in the time coming. You will experience the indirect impacts of a data breach that will keep you busy for quite some time. And you will have to deal with a lot of grief.

Primarily, some customers, suppliers, business partners or the government might file a lawsuit or penalize you for not handling their data well enough. Especially for companies in the EU, the new GDPR regulation leads to significant penalties for insufficient supervision of personal data. This will not only lead to a lot of legal costs and hours spend, but also to public knowledge of your data breach, which will also have an impact on the second issue…

You will need a lot of time to regain your customers’ trust. Depending on how well you managed the breach and how dependent your customers are on your service or product, you will need to rebuild your reputation and show that you have learned from your prior security deficit.

An eventual revenue cut or occurring legal costs can be considered the indirect costs that your company will face. You will have to deal with this secondary impact of the data breach for quite some time to come.

Honesty and openness to all stakeholder is really important in this stage. You won’t regain trust by playing down what happened and calling out actions you won’t take. Which leads us to the last stage — “Pre”-Caution!



Preferably, this stage should be the first one for every company with web applications or sensible data. Unfortunately most of the time the following measures are only taken once a company has already been successfully hacked. Following a data breach, most companies learn from their mistakes and start setting up a functioning web application security system.

Most importantly you need to establish a security culture within your organisation and educate your employees on the matter of IT security no matter which division they work in. Cyber crime affects every inch of a company and not just the IT department. If employees are alert to security issues and have basic knowledge of it, they might detect bad signals at an earlier stage.

Nowadays, most development teams release new software updates on a regular basis and work in an agile development environment. That is why it is important that any of these releases are thoroughly revised on their impact on the security status of the organisation.

Obviously this cannot be done once a month… To be save at all times companies should implement continuous security into their developing environment. This means that every new release is verified before it creates a possible attack surface.


Of course, regular penetration tests would cost way too much time and money to be implemented in every development stage which is why the answer lays in automated security.

The Crashtest Security Suiteoffers a fully automated security scanner that lets you check the security status of your project at any point in time. This reduces the time and therefore also the money spent on security. Through continuous security you can minimize the risk of a data breach and decrease the probability that indirect IT security costs (legal costs, loss of revenue etc.) are affecting your business. For more best practices regarding IT security you can also check out our WhitePaper!

Go ahead and secure your business now!

Crashtest Security is a german-based IT security company specialized on fully automated penetration tests. The state-of-the-art security scanner detects vulnerabilities in real time and gives the developer feedback and advice on existing problems. An additional dashboard shows developers and managers the company’s current security status in a single view to make IT security as transparent as possible.


Topics: SecurityManagement

Leonard Basse

Written by Leonard Basse

I write about IT Security news, practices and events.

For more information on all topics around continuous security, visit our continuous security page:

Continuous Security Topics