What to Do If You’ve Experienced a System Breach

The moments after you have experienced a breach are of the utmost importance and can significantly impact your organization and the effectiveness of a forensic investigation. If you suspect a computer systems intrusion or breach, you should:

Immediately Contain and Limit the Exposure

The goal of containing and limiting the exposure is to keep the breach from spreading. If you are unable or uncomfortable performing any of the following steps, the Sikich Forensic Team will be able to assist you.

  • Do NOT access or alter compromised systems (e.g., do not log on or change passwords).
  • Do NOT turn off the compromised machine. Instead, isolate compromised systems from the network (e.g., unplug the network cable). If for some reason it is necessary to power off the machine, unplug the power source.
  • Do NOT shutdown the system or push the power button (because it can sometimes create a “soft” shutdown), which modifies system files.
  • Preserve logs and electronic evidence. A forensic hard drive image will preserve the state on any suspect machines. Any other network devices (such as firewalls, IDS/IPSes, routers, etc.) that have logs in the active memory should be preserved. Keep all past backup tapes, and use new backup tapes for subsequent backups on other systems.
  • Log all the actions you have taken, including composing a timeline of any knowledge related to the incident.
  • If using a wireless network, change SSID on the wireless access point (WAP) and other machines that may be using this connection (with the exception of any systems believed to be compromised).
  • Be on high alert and monitor all systems.

Alert All Necessary Parties Within 24 Hours

Be sure to notify:

  • Your internal information security group and incident response team, if applicable.
  • The card associations and your merchant bank if the breach is part of a cardholder data segment.
  • The local FBI office and/or U.S. Secret Service (file a complaint online at

If you have experienced a data breach, get in touch with experts right away.

Data breach hotline: 888.403.3438

We understand time is critical. Contact us and our data breach experts will respond as soon as possible.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author