IR Hotline Numbers:

+44 20 3318 1470
+60 154 877 0076
+61 2 7908 1745
+65 3165 8788
caution icon

Experienced a breach? Reach us now

company logo
banner image

PII Breach Response

You have some explaining to do

When you've had a security breach that includes Personally Identifiable Information (PII), regulators around the world are becoming very clear: you have to notify the people whose data you've lost, and you have to put protection in place to make sure it doesn't happen again. From General Data Protection Regulation (GDPR) in Europe, Data Protection Act (DPA) in the UK, the Personal Data Protection Act(s) in Singapore, to the variety of Privacy Legislation administered by the Office of the Australian Information Commissioner (OAIC) in Australia, regulators repeat the same requirements, and enforce them with fines and punitive action if you fail to comply

Our incident response work has shown over and over again that attackers know this, and increasingly steal and threaten to expose PII as an effective piece of blackmail. Every new piece of privacy legislation paints another target on your company. Once you're in this situation your options are limited to paying extortionate ransoms to organised crime, or seeing the reputational damage to your firm and the potential fines from regulators when the blackmailers publish.

Your key steps after a PII Breach:

Understand what's been taken

Understand your legal obligations around reporting and notification

Identify every individual in the dataset

Clear communications with your regulators

Establish a clear future plan for recovery and protection

Monitor the dark web for evidence of the sale of your corporate data

Unless your systems and data are exceptionally well managed, you're going to have a hard time identifying what's been taken and who has been affected, and this will put you in a bad negotiating position. If the attackers left servers encrypted behind them, it complicates matter further. The most important thing now is to understand what's happened and minimise the damage to you and to the people whose data you hold.

How Pragma can help

Every situation is different, but we've found some actions have a greater impact than others.

Data recovery and analysis

When even small computers have terabyte hard drives, the size of the compromised dataset can get enormous. Identifying how much of this is PII, and who the individuals affected are, becomes an enormous task. We have specialist tools that can analyse large datasets and pick out the PII, and extract a simple entity database of individuals affected and what data each has lost. Understanding your dataset is key to managing your risk

Regulatory reporting

We have experience reporting to data protection regulators around the world, and we know what they are looking for and what they really don't want to see. We will help you set up a positive dialogue with your regulators, and support it with technical reporting that demonstrates the facts of the case and helps you manage your liabilities

Join the Pragma Community Today



Cyber Advisory

Technology Risk

Compliance, Conduct, and Regulatory Risk

IT Audit


Pragma Logo

Terms & conditions

Privacy Policy