The 5 Data Breach Stages

In this article:

Detect Security Vulnerabilities in Your Web Apps and APIs
Scan now for free

According to the 2018 Global Risk Report that the World Economic Forum released this year, Cyberattacks are among the Top 5 Risks for Global Stability in terms of Likelihood and Impact. A data breach caused by a cyberattack can have an incredible impact on any country, corporation, or a business owner.

Most people are aware of the threat that cybercrime is by now. However, many still see themselves as safe because they are “Too small to be hacked, “Have nothing that hackers would want, “or find some other reason for their negligence.

Hacking attacks are not a matter of “if” anymore — they’re a matter of „when“!

The problem with this mismanagement form shows itself once a data breach occurs since the most costly part is how it is managed. Therefore, to help you avoid any mistakes during the usual stages of a data breach, I will walk you through each stage and recommend tackling each situation.

The Alert

I call this stage the alert stage because you could see any of the following signals as alerts. You should also be alert from the very first moment you experience any problem with your IT infrastructure.

This is usually the first stage in any data breach that companies face. It starts with yourself or your users (in and outside the company) feeling something odd. For example, a part of your application might work slower; users are shown weird pop-up ads, or e-mails are sent to spam. These are the first warnings that you should inspect carefully. Even worse indicators are that your data is not accessible anymore or your website provider has taken down your site.

These signals signal that your application, company, or data has been hacked. To better understand how to detect these and other indicators quickly, you can also look at my previous article: 7 Signs that your Website has been hacked.

Suppose any of the signals mentioned above have surfaced in your company. In that case, you need to act fast and investigate the issue intensively since mismanagement in an early stage can already lead to a loss of customer trust and more delayed remediation of the vulnerability.

Data Leakage

This is where data breaches show their primary and direct impact. This is the hacking part where the attacker extracts data or stops you from operating your business.

Either this part (e.g., you cannot access your data) or has already happened (customer or business data or other sensitive information has been stolen). It is up to your management how fast your company will be up and running again. This is when it is also shown to keep your public image or if your reputation goes down the drain (see Aftermath). In any way, you will experience a decrease in your application visits since users cannot access it or are less willing to use it until you fix the issue. The subsequent loss in revenue is the first and direct cost associated with the data breach.

Whether it only impacts your internal operations or customer data has been extracted, you should consider giving a public statement or sending out a notification to your customers to retain your integrity and public trust.

During this stage, you might ask yourself how long the data breach has been open and how long it will last since you want to return to business as early as possible. According to the WhiteHat Web Applications Security Statistics Report, it takes about 100 to 245 days to fix an existing data breach. However, this mostly depends on how fast the problem is detected and the vulnerability itself.


This stage should already go hand in hand with the prior stage to minimize the data breach impact.

So it is now clear to you that you’ve been hacked… What now?

First of all, you need to ask yourself these three questions:

  • Where is the impact?
  • How did it happen?
  • What needs to be done?

Then, for the latter question, we can give you some guidelines.

It would be best to start by freezing everything and isolating your network so that no more damage can be done. Then, investigators can look into the company’s security status at the moment closest to the data breach.

Once you’ve done that, you can start to figure out what kind of vulnerability led to the data breach and how it can be fixed. This will probably take a lot of time and require external advice to ensure the vulnerability is remediated correctly. For help on these matters, you can always have a look at blog articles.

During the remediation, thorough work and open communication can improve your standing with essential stakeholders and reduce tension in the aftermath stage .

Ebook about the prevention of the OWASP Top 10 threats

Prevention Guide

Big fat growing cybersecurity ebook

This ebook shows best practices and prevention techniques for keeping vulnerabilities away and securing your web apps.



So you found the vulnerability, fixed it, and your security seems fine now. However, this does not imply the end of it…

You will have to deal with several things affecting your business in the coming time. First, you will experience the indirect impacts of a data breach that will keep you busy for quite some time. And you will have to deal with a lot of grief.

Primarily, some customers, suppliers, business partners, or the government might file a lawsuit or penalize you for not handling their data well enough. Especially for companies in the EU, the new GDPR leads to significant penalties for insufficient personal data supervision. This will lead to many legal costs and hours spent, and public knowledge of your data breach will also impact the second issue.

You will need a lot of time to regain your customers’ trust. Depending on how well you managed the breach and your customers’ dependence on your service or product, you will need to rebuild your reputation and show that you have learned from your prior security deficit.

An eventual revenue cut or occurring legal costs can be considered the indirect costs your company will face. You will have to deal with this secondary impact of the data breach for quite some time.

Honesty and openness to all stakeholders are critical in this stage. You won’t regain trust by playing down what happened and calling out actions you won’t take, which leads us to the last stage — ”Pre”-Caution!


This stage should be the first for every company with web applications or sensible data. Unfortunately, the following measures are only taken once a company has already been successfully hacked most of the time. Following a data breach, most companies learn from their mistakes and set up a functioning web application security system.

Most importantly, you must establish a security culture within your organization and educate your employees on IT security, regardless of their division. Cybercrime affects every inch of a company and not just the IT department. If employees are alert to security issues and have basic knowledge, they might detect wrong signals earlier.

Nowadays, most development teams release new software updates regularly and work in an agile development environment. These releases must be thoroughly revised to impact the organization’s security status.

This cannot be done once a month. To be safe at all times,s companies should implement continuous security in their developing environment. This means that every new release is verified before it creates a possible attack surface.

devops 1 The 5 Data Breach Stages

Of course, regular penetration tests would cost way too much time and money to be implemented in every development stage, which is why the answer lies in automated security.

The Crashtest Security Suite offers a fully automated security scanner that lets you check your project’s security status anytime. This reduces the time and, therefore, the money spent on security. In addition, continuous security can minimize the risk of a data breach and decrease the probability of indirect IT security costs (legal costs, loss of revenue, etc.) affecting your business. For more best practices regarding IT security, check out our Whitepaper.

Crashtest Security is a german-based IT security company specializing in fully automated penetration tests. The state-of-the-art security scanner detects vulnerabilities and gives the developer feedback and advice on existing problems. An additional dashboard shows developers and managers the company’s current security status in a single view to make IT security as transparent as possible.

Get a quick security audit of your website for free now

We are analyzing
Scanning target
Scan status: In progress
Scan target:
Date: 17/09/2023
Crashtest Security Suite will be checking for:
Information disclosure Known vulnerabilities SSL misconfiguration Open ports
Complete your scan request
Please fill in your details receive the
quick security audit by email.
Security specialist is analyzing your scan report.
То verify your identity please provide your phone/mobile:
Thank you.
We have received your request.
As soon as your security audit is ready, we will notify you.