The 5 Data Breach Stages

In this article:

Detect Security Vulnerabilities in Your Web Apps and APIs
Scan now for free

According to the 2018 Global Risk Report, the World Economic Forum released this year, Cyberattacks are among the Top 5 Risks for Global Stability in Likelihood and Impact. A data breach caused by a cyberattack can indeed have an incredible impact on any country, corporation, or a business owner.

Most people are aware of the threat that cybercrime is by now. However, many still see themselves as safe because they are „Too small to be hacked, “Have nothing that hackers would want, “or would find some other reason for their negligence.

Hacking attacks are not a matter of “if” anymore — they’re a matter of „when“!

The problem with this mismanagement form shows itself once a data breach occurs since the most costly part is how it is managed. Therefore, to help you avoid any mistakes during the usual stages of a data breach, I will walk you through each stage one by one and recommend tackling each situation.

The Alert

I call this stage the alert stage not only because you could see any of the following signals as alerts but because you should also be alert from the very first moment you experience any problem with your IT infrastructure.

This is usually the first stage in any data breach that companies face. It starts with yourself or your users (in- and outside the company) feeling something odd. For example, a part of your application might work slower; your users are shown weird pop-up ads, or e-mails are sent to spam. These are the first warnings which you should inspect carefully. Even worse indicators are that your data is not accessible anymore or your website provider took down your site.

These are all signals that your application, company, or data has been hacked. To better understand how to detect these and other indicators quickly, you can also look at my previous article: 7 Signs that your Website has been hacked.

If any of the signals mentioned above have surfaced in your company, you need to act fast and investigate the issue intensively since mismanagement in an early stage can already lead to a loss of customer trust and more delayed remediation of the vulnerability.


Data Leakage

This is where data breaches show their main and direct impact. This is the actual hacking part where the attacker extracts data or stops you from operating your business.

Either this part is currently happening (e.g., you cannot access your data) or has already happened (customer or business data or other sensitive information has been stolen). It is up to your management how fast your company will be up and running again. This is when it is also shown to keep your public image or if your reputation goes down the drain (see Aftermath). In any way, you will experience a decrease in your application visits since users cannot access it or are less willing to use it until you fix the issue. The following loss in revenue is the first and direct cost associated with the data breach.

Whether it only impacts your internal operations or whether customer data has been extracted, you should consider giving a public statement on the matter or sending out a notification to your customers to retain your integrity and public trust.

During this stage, you might ask yourself how long the data breach has been open and how long it will last since you want to return to business as early as possible. According to the WhiteHat Web Applications Security Statistics Report, it takes about 100 to 245 days to fix an existing data breach, but this mostly depends on how fast the problem is detected and the vulnerability itself.


This stage should already go hand in hand with the prior stage to minimize the data breach impact.

So it is now clear to you that you’ve been hacked… What now?

First of all, you need to ask yourself these three questions:

  • Where is the impact?
  • How did it happen?
  • What needs to be done?

Then, for the latter question, we can give you some guidelines.

It would be best to start by freezing everything and isolating your network so that no more damage can be done. Then, investigators can look into the company’s security status at the moment closest to the data breach.

Once you’ve done that, you can start to figure out what kind of vulnerability led to the data breach and how it can be fixed. This will probably take up a lot of time and require some external advice to ensure the vulnerability is remediated correctly. For help on these matters, you can always have a look at blog articles.

During the remediation, thorough work and open communication can improve your standing with important stakeholders and lead to less tension in the aftermath stage .


So you found the vulnerability, fixed it, and your security seems fine now. However, this does not imply the end of it…

You will have to deal with several things affecting your business in the coming time. First, you will experience the indirect impacts of a data breach that will keep you busy for quite some time. And you will have to deal with a lot of grief.

Primarily, some customers, suppliers, business partners, or the government might file a lawsuit or penalize you for not handling their data well enough. Especially for companies in the EU, the new GDPR leads to significant penalties for insufficient personal data supervision. This will lead to many legal costs and hours spent, and public knowledge of your data breach will also impact the second issue…

You will need a lot of time to regain your customers’ trust. Depending on how well you managed the breach and how dependent your customers are on your service or product, you will need to rebuild your reputation and show that you have learned from your prior security deficit.

An eventual revenue cut or occurring legal costs can be considered the indirect costs your company will face. You will have to deal with this secondary impact of the data breach for quite some time to come.

Honesty and openness to all stakeholders are critical in this stage. You won’t regain trust by playing down what happened and calling out actions you won’t take, which leads us to the last stage — “Pre”-Caution!


Preferably, this stage should be the first one for every company with web applications or sensible data. Unfortunately, the following measures are only taken once a company has already been successfully hacked most of the time. Following a data breach, most companies learn from their mistakes and start setting up a functioning web application security system.

Most importantly, you need to establish a security culture within your organization and educate your employees on IT security no matter which division they work in. Cybercrime affects every inch of a company and not just the IT department. If employees are alert to security issues and have basic knowledge, they might detect bad signals earlier.

Nowadays, most development teams release new software updates regularly and work in an agile development environment. That is why any of these releases must be thoroughly revised to impact the organization’s security status.

Obviously, this cannot be done once a month… To be safe at all times,s companies should implement continuous security in their developing environment. This means that every new release is verified before it creates a possible attack surface.

devops 1 The 5 Data Breach Stages

Of course, regular penetration tests would cost way too much time and money to be implemented in every development stage, which is why the answer lies in automated security.

The Crashtest Security Suite offers a fully automated security scanner that lets you check your project’s security status at any point in time. This reduces the time and, therefore, also the money spent on security. You can minimize the risk of a data breach and decrease the probability of indirect IT security costs (legal costs, loss of revenue, etc.) affecting your business through continuous security. For more best practices regarding IT security, you can also check out our Whitepaper!

Go ahead and secure your business now!

Crashtest Security is a german-based IT security company specializing in fully automated penetration tests. The state-of-the-art security scanner detects vulnerabilities in real-time and gives the developer feedback and advice on existing problems. An additional dashboard shows developers and managers the company’s current security status in a single view to make IT security as transparent as possible.