Data Breach / Exfiltration Playbook¶

Regulatory Clocks Are Running

From the moment a breach is confirmed (or reasonably suspected), regulatory notification deadlines begin. GDPR: 72 hours to DPA. SEC: 4 business days for material incidents. Do not wait for full forensic certainty — notify Legal immediately upon suspicion.

Metadata¶

Field	Value
Playbook ID	IR-PB-006
Severity	Critical (P1)
RTO — Containment	< 2 hours
Owner	IR Lead
Required Co-owners	Legal, Privacy Officer, Compliance, Communications
Last Reviewed	2025-01-01

Trigger Conditions¶

Activate this playbook on any of the following:

[ ] DLP alert: large volume of sensitive data transmitted to external destination
[ ] Proxy/firewall alert: outbound transfer exceeding threshold (e.g., >500MB to unknown IP)
[ ] SIEM: insider behavior + network anomaly correlation (user + large upload)
[ ] Cloud storage: S3/Blob/GCS bucket made public or mass pre-signed URL generation
[ ] Third-party notification: vendor, partner, or law enforcement notifies of data found externally
[ ] Dark web monitoring: company data observed on paste site, hacker forum, or for-sale listing
[ ] EDR: compression + large file copy to removable media or cloud sync folder
[ ] Email gateway: sensitive attachment sent to personal/competitor domain
[ ] Ransomware incident with confirmed exfiltration (double-extortion model)

Decision Tree¶

flowchart TD
    A([Breach Trigger Detected]) --> B[Notify IR Lead + Legal\nDo NOT touch exfil channel yet\nPreserve evidence first]
    B --> C[Classify: What data\nwas potentially exfiltrated?]
    C --> D{Data type?}
    D -- PII/PHI/Financial/IP --> E[Activate full breach\nresponse — this playbook]
    D -- Non-sensitive / public data --> F[Document. Lower severity.\nStandard IR track.]
    E --> G[Contain exfil channel\nwithout tipping off attacker]
    G --> H[Determine scope:\nHow many records?\nWhich data subjects?]
    H --> I{Can scope be\nquantified within 24h?}
    I -- Yes --> J[Proceed to\nnotification matrix]
    I -- No --> K[Notify Legal: partial scope\nNotify regulators with\n'investigation ongoing' caveat]
    J --> L[Issue legal hold\nPreserve all evidence]
    K --> L
    L --> M[Draft notifications\nper regulatory matrix]
    M --> N([Remediate + Monitor\nPost-incident review])

Phase 1 — Data Classification¶

Determine the classification of data involved before any notification:

Data Type	Examples	Key Regulations
PII	Name, SSN, DOB, address, email, phone	GDPR, CCPA, state breach laws
PHI	Medical records, diagnoses, insurance IDs	HIPAA, HITECH
Financial data	Credit card numbers, bank account numbers	PCI DSS, GLBA
Credentials	Usernames/passwords, API keys, private keys	All applicable + operational risk
Intellectual Property	Trade secrets, source code, R&D data	Trade secret law, competitive harm
Employee data	HR records, payroll, performance data	GDPR, state laws
Minor data (COPPA)	Data of users under 13	COPPA

Data Classification Quick-Query¶

# Search for PII patterns in extracted/exfil'd files (if file copies available)
# SSN pattern
grep -rP "\b\d{3}-\d{2}-\d{4}\b" /evidence/exfil_files/ > ssn_hits.txt

# Credit card numbers (Luhn-valid patterns)
grep -rP "\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13})\b" \
  /evidence/exfil_files/ > cc_hits.txt

# Email addresses
grep -rP "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b" \
  /evidence/exfil_files/ > email_hits.txt

# Health record keywords
grep -riP "(diagnosis|patient|DOB|date.of.birth|prescription|ICD-10|NPI)" \
  /evidence/exfil_files/ > phi_keywords.txt

Phase 2 — Scope Determination¶

2.1 Record Count Estimation¶

[ ] Query source database/system for records accessible to compromised account
[ ] Cross-reference DLP logs for volume of data moved (file count, byte count)
[ ] Identify time window of exfiltration from log analysis
[ ] Determine if partial or full dataset was accessed

-- Example: Determine scope of compromised database access
-- Query based on access logs from DBMS (SQL Server, PostgreSQL)
SELECT
    user_name,
    object_name,
    statement,
    COUNT(*) AS query_count,
    MIN(event_time) AS first_access,
    MAX(event_time) AS last_access
FROM sys.dm_audit_actions_log  -- or equivalent audit table
WHERE user_name = 'compromised_user'
  AND event_time BETWEEN '2024-01-01' AND '2024-01-31'
GROUP BY user_name, object_name, statement
ORDER BY last_access DESC;

2.2 Data Subject Identification¶

[ ] Identify which specific individuals' data was in scope
[ ] Export list of affected data subjects with: name, contact info, data type affected
[ ] Assess risk level to individuals (financial harm, identity theft, physical safety)
[ ] Segment by jurisdiction (EU subjects, CA residents, NY residents, etc.)

Phase 3 — Contain¶

3.1 Block Exfiltration Channel¶

# If exfil is via outbound HTTPS to a specific IP/domain:
# Firewall — block egress immediately
iptables -A OUTPUT -d <exfil-destination-ip> -j DROP
# Palo Alto / Cisco ASA — add to block list via CLI or API

# If exfil is via DNS tunneling:
# Block the attacker's DNS resolver or domain at internal DNS
# Bind9 example — add to Response Policy Zone (RPZ):
# attacker-dns-domain.com CNAME .  # NXDOMAIN all queries

# If via cloud sync (OneDrive, Dropbox, Box):
# Block cloud storage domains at proxy
# Squid / Zscaler / Netskope — add category block or specific domain block

# If exfil is from cloud storage bucket (S3, GCS):
# Revoke public access immediately
aws s3api put-public-access-block --bucket affected-bucket \
  --public-access-block-configuration \
  "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

3.2 Endpoint Isolation¶

# Isolate endpoint where exfil originated (via EDR)
# CrowdStrike
falconctl contain --hostname exfil-source-host

# MDE
$DeviceId = "<DEVICE_ID>"
Invoke-RestMethod -Method Post `
  -Uri "https://api.securitycenter.microsoft.com/api/machines/$DeviceId/isolate" `
  -Headers @{Authorization="Bearer $token"} `
  -Body '{"Comment":"Data breach IR — IR-PB-006","IsolationType":"Full"}'

Phase 4 — Evidence Preservation¶

Regulatory investigations and litigation require intact, authenticated evidence. Do not alter log sources.

Evidence Collection Checklist¶

[ ] Network logs: firewall, proxy, NetFlow — capture and hash immediately
[ ] Endpoint artifacts: EDR telemetry, browser history, file system timeline
[ ] Email/messaging logs: sent items, DLP quarantine, attachment logs
[ ] DLP event logs: full record of all alerts and allowed events in the exfil window
[ ] Database access logs: query logs for affected data stores
[ ] Cloud storage access logs: S3 access logs, Azure Storage analytics, GCS data access logs
[ ] SIEM events: raw event export for the incident window

# Hash all collected evidence
find /evidence/ -type f -exec sha256sum {} \; > /evidence/manifest_$(date +%Y%m%d_%H%M%S).sha256
# Sign the manifest
gpg --armor --detach-sign /evidence/manifest_$(date +%Y%m%d_%H%M%S).sha256

Legal Notification Matrix¶

Consult Legal before sending any notification. Timing and content have legal implications.

Notification	Recipient	Deadline	Trigger
DPA notification	Lead Supervisory Authority	72 hours from when breach was "known"	Any personal data breach
Individual notification	Affected EU data subjects	"Without undue delay"	High risk to individuals' rights
DPO notification	Internal Data Protection Officer	Immediately	All breaches

GDPR Article 33 DPA Notification must include:
  □ Nature of the breach (categories + approx. number of records)
  □ DPO contact details
  □ Likely consequences of the breach
  □ Measures taken or proposed
Note: "Likely" not "confirmed" — notify even under uncertainty; supplement later.

HIPAA (US — Health)¶

Notification	Recipient	Deadline	Trigger
HHS OCR notification	U.S. Dept of HHS	60 days from discovery	Any unsecured PHI breach
Individual notification	Affected individuals	60 days from discovery	All HIPAA breaches
Media notification	Prominent media in affected state	60 days from discovery	>500 affected in a single state
Business Associate notification	Covered Entity (if you are a BA)	60 days	BA must notify CE

HIPAA Breach Notification letter must include:
  □ Description of what happened (date, date discovered)
  □ Types of PHI involved
  □ Steps individuals should take to protect themselves
  □ What you are doing to investigate and prevent recurrence
  □ Contact information (toll-free number active for 90 days)

U.S. State Breach Notification Laws¶

State	Law	Deadline	Trigger	Recipient
California	CCPA / AB 1130	Expedient / "Most expedient time"	PI of CA residents	CA AG + affected residents
California	SB 46 (login credentials)	Expedient	Credentials breached	CA AG + individuals
New York	SHIELD Act	Expedient	NY residents' private info	NY AG + individuals
New York	NYDFS Part 500	72 hours	Cybersecurity event (covered entities)	NYDFS (online portal)
Massachusetts	201 CMR 17	Expedient	MA residents	MA AG + individuals
Texas	TBIA	60 days	TX residents	TX AG + individuals
Florida	FDBNA	30 days	FL residents	FL AG + individuals

Multi-state breach: apply the strictest applicable deadline across all states. Consult counsel for simultaneous filings.

Federal Sector-Specific Requirements¶

Regulation	Sector	Deadline	Recipient
SEC Rule 10-K / 8-K	Public companies	4 business days (material)	Form 8-K Item 1.05 to SEC EDGAR
GLBA Safeguards Rule	Financial institutions	30 days (FTC rule)	FTC + affected customers
FISMA	Federal agencies	1 hour (US-CERT)	CISA / US-CERT
FERPA	Educational institutions	Expedient	Parents / eligible students
COPPA	Child-directed services	Expedient	FTC

International Notifications¶

Country/Region	Law	Deadline	Recipient
UK	UK GDPR / DPA 2018	72 hours	ICO (ico.org.uk)
Canada	PIPEDA	Expedient (significant harm)	OPC + affected individuals
Australia	Privacy Act (NDB Scheme)	30 days (once eligible)	OAIC + affected individuals
Brazil	LGPD	"Reasonable timeframe" / ANPD guidance: 2 business days	ANPD + affected individuals
Singapore	PDPA	3 business days (notifiable)	PDPC + affected individuals

Breach Notification Letter Templates¶

Individual Notification — Generic PII Breach¶

Subject: Important Notice About Your Personal Information

[Organization Letterhead]
[Date]

Dear [Name / "Valued Customer"],

We are writing to inform you of a data security incident that may have affected
your personal information held by [Organization Name].

WHAT HAPPENED
On [date], we discovered that [brief, plain-language description of the incident].
We believe this incident occurred between [start date] and [end date].

WHAT INFORMATION WAS INVOLVED
The information that may have been affected includes: [list specific data elements —
e.g., name, email address, date of birth, account number].

[If SSN/financial]: We have no evidence that this information has been misused,
but we are providing this notice out of an abundance of caution.

WHAT WE ARE DOING
We have [taken the following steps...]. We are also [working with law enforcement /
a leading cybersecurity firm / regulators] to investigate and prevent recurrence.

WHAT YOU CAN DO
  - Review your account statements for unusual activity
  - Consider placing a free credit freeze with the three major bureaus (Equifax,
    Experian, TransUnion)
  - Monitor your credit report at AnnualCreditReport.com
  - [If SSN involved: Consider an IRS Identity Protection PIN]

FOR MORE INFORMATION
If you have questions, please contact our dedicated response line:
  Phone: [toll-free number — active for minimum 90 days]
  Email: [dedicated breach response email]
  Hours: [business hours]

We sincerely apologize for this incident and any concern it may cause.

Sincerely,
[Name, Title]
[Organization]

Regulatory Body Contact Information¶

Regulator	Jurisdiction	Contact
HHS OCR	HIPAA (US)	hhs.gov/ocr/privacy
FTC	GLBA, COPPA (US)	ftc.gov/report
SEC	Public companies (US)	sec.gov/tcr
CISA	Federal / Critical Infra (US)	cisa.gov/report
FBI IC3	All cyber incidents (US)	ic3.gov
ICO	UK GDPR	ico.org.uk
EDPB	EU GDPR (coordination)	edpb.europa.eu
NY AG	NY SHIELD Act	ag.ny.gov/internet-bureau
NYDFS	NY financial entities	dfs.ny.gov
CA AG	CCPA	oag.ca.gov/privacy
OAIC	Australia Privacy Act	oaic.gov.au
PDPC	Singapore PDPA	pdpc.gov.sg

Recovery and Remediation¶

5.1 Remediate the Root Cause¶

[ ] Patch or mitigate the vulnerability exploited for exfiltration
[ ] Close the data access path that was abused (overly permissive access, unprotected bucket)
[ ] Review and tighten DLP policy thresholds
[ ] Implement additional data access controls (zero trust, JIT access for sensitive data stores)

5.2 Credit Monitoring / Identity Protection (if PII breached)¶

[ ] Engage credit monitoring vendor (Experian, Kroll, AllClear ID) for affected individuals
[ ] Duration: typically 12–24 months free credit monitoring
[ ] Budget: ~$5–15/person/year depending on service level

5.3 Post-Incident Review¶

[ ] Root cause analysis: how was data exfiltrated? What control failed?
[ ] DLP policy review: would better DLP rules have prevented or detected this earlier?
[ ] Data minimization: is all this data still necessary? Implement retention limits.
[ ] Access control review: were users over-permissioned for the data they could access?

Incident Runbook Checklist¶

Detection & Triage¶

[ ] Breach trigger confirmed as true positive
[ ] IR Lead, Legal, Privacy Officer on bridge
[ ] Data classification complete — regulated data confirmed in scope
[ ] Regulatory clock start time documented

Contain¶

[ ] Exfiltration channel blocked
[ ] Affected endpoints isolated
[ ] Cloud storage access revoked (if applicable)
[ ] Attacker credentials disabled

Evidence & Scope¶

[ ] All log sources preserved and hashed
[ ] Legal hold issued
[ ] Record count estimated
[ ] Data subject list compiled (by jurisdiction)

Notifications¶

[ ] Legal counsel reviewed all notifications before sending
[ ] GDPR — DPA notified within 72h (if applicable) — log date/time
[ ] HIPAA — HHS OCR notified within 60 days (if applicable) — log date
[ ] State AG notifications sent — log dates for each state
[ ] NYDFS/SEC/GLBA notifications sent (if applicable) — log dates
[ ] Individual notifications drafted and approved
[ ] Individual notifications sent — log date/method of delivery
[ ] Cyber insurance claim filed

Recovery¶

[ ] Root cause remediated
[ ] Credit monitoring vendor engaged (if PII breach)
[ ] Data access controls reviewed and hardened
[ ] DLP policies updated
[ ] Post-incident review completed and actioned