Step 1: Survey the damage
Following the discovery of the breach the designated information security team members
need to perform an internal investigation to determine the impact on critical business functions.
This deep investigation will allow the company to identify the attacker, discover unknown security vulnerabilities, and determine what improvements need to be made to the company’s computer systems.
If Amazon data is involved, see additional steps and considerations in step 7.
Step 2: Attempt to limit additional damage
The organization should take steps to keep an attack from spreading. Some preventative
• Re-routing network traffic
• Filtering or blocking traffic
• Isolating all or parts of the compromised
Step 3: Record the details
The information security team should keep a written log of what actions were taken to respond
to the breach. The information that should be collected include:
• Affected systems
• Compromised accounts
• Disrupted services
• Data and network affected by the incident
• Amount and type of damage done to the
• Logs from servers, database servers, and workstations
Step 4: Engage law enforcement
A major breach should always be reported to law enforcement. The law enforcement agencies that should be contacted are:
• The Federal Bureau of Investigation (FBI)
• The U.S. Secret Service (USSS)
• The U.S. Immigration and Customs
• The District Attorney
• State and Local law enforcement
Step 5: Notify those affected
If a breach puts an individual’s information at risk, they need to be notified. This quick response can help them to take immediate steps to protect themselves. However, if law enforcement is
involved, they should direct the company as to whether or not the notification should be
delayed to make sure that the investigation is not compromised. The individuals are usually notified via letter, phone, email, or in person. To avoid further unauthorized disclosure, the notification should not include unnecessary personal information.
Step 6: Learn from the breach
• Document all mistakes
• Assess how the mistakes could have been avoided
• Ensure training programs incorporate lessons learnt
Step 7: If Amazon MWS data is involved
• Inform Amazon within 24 hours via email to firstname.lastname@example.org.
• Make collected incident information available to Amazon upon request.
• Do not notify any regulatory authority, nor any customer, on behalf of Amazon unless Amazon specifically requests in writing that the we do so.
• Amazon reserves the right to review and approve the form and content of any notification before it is provided to any party,
• We must inform Amazon within 24 hours when Amazon data is being sought in response to a legal process or by law enforcement.