Reaction Guide to a Cyberattack or Data Leak

Critical steps to contain the threat, preserve evidence and notify authorities.

The first actions in the event of a cyberattack

In the event of discovery of a computer hack (Ransomware, unauthorized access, website disfigurement), responsiveness is essential to limit the damage. Here are the first containment actions:

  • Disconnect compromised equipment: Disconnect the network connection (Wi-Fi, Ethernet cable) of the affected computers, but don't turn them off to preserve evidence in RAM.
  • Isolate the information system: If the attack is global, disconnect your servers from the outside Internet network.
  • Never pay the ransom: In the event of ransomware, paying does not guarantee data recovery and funds criminal networks.

Incident response process

Step 1: Alert and mobilization

Inform your IT support or service provider (outsourcing) immediately. Form a crisis unit involving management, the IT department, the legal department and communications.

Step 2: Preserving Evidence

Before any return to production or backup restoration, it is crucial to keep logs (connection logs) and physical copies of the impacted systems. These elements will be essential for the filing of a complaint and the investigations of legal experts.

Step 3: Notification of authorities (GDPR)

If the cyberattack has compromised personal data (leak, theft, long-term inaccessibility), you have a legal obligation to notify the CNIL within a maximum period of 72 hours (article 33 of the GDPR). If the breach poses a high risk to people (theft of passwords, banking data, health data), you must also inform them individually.

File a complaint

Filing a complaint is essential to identify the authors and assert your rights, particularly with your cyber insurance. Go to a police station or gendarmerie brigade, preferably equipped with technical information (incident report, logs).

Be accompanied

ANRDI recommends that you use service providers referenced by the government system Cybermalveillance.gouv.fr ("Cyber Expert" service providers) or certified by ANSSI (PRIS) to assist you in the remediation and secure reconstruction of your information system.