
We just discovered a data breach — what do we legally have to do?

Started by PanickedCTO · Dec 8, 2024 · 12 replies
For informational purposes only. Not legal advice.

PanickedCTO OP

Yesterday we discovered someone accessed our database through a misconfigured S3 bucket. We have about 15,000 users, mostly US but some EU. The exposed data includes emails, hashed passwords, and for some users, shipping addresses.

We've locked down the bucket but have no idea how long it was exposed. Could be weeks. What do we legally have to do now? Do we need lawyers immediately?

DataCounsel Attorney

Yes, get a lawyer now. Data breach response has strict timelines and wrong steps can increase liability.

That said, here's the general framework:

1. Preserve evidence. Document what you found, when, how. Preserve logs. Don't overwrite anything. Your forensic timeline will matter.

2. Assess what was exposed. Emails + hashed passwords + addresses is concerning but not worst-case. Were there SSNs, financial info, health data?

3. Determine notification obligations. This depends on:

  • What data was exposed
  • Where your users are located
  • Your industry (are you subject to HIPAA, GLBA, etc.?)

PanickedCTO OP

No SSNs or financial info. We're a consumer SaaS, not healthcare or finance. Users are about 80% US, 15% EU, 5% other.

How fast do we need to notify? I've seen "72 hours" mentioned but that seems impossible.

DataCounsel Attorney

The 72-hour rule is GDPR Article 33 — notification to supervisory authority within 72 hours of becoming "aware" of a breach. That applies to your EU users. You'll need to identify which EU member states your users are in and notify the relevant data protection authorities.

For US users, every state has its own breach notification law. The good news: emails + hashed passwords + addresses may not trigger notification in all states. Many state laws define "personal information" to require SSN, financial account numbers, or government IDs.

California is broader — Cal. Civ. Code 1798.82 includes email + password that "would permit access to an online account." If the passwords are properly hashed (bcrypt, Argon2), there's an argument no real credentials were exposed. But that's a judgment call.

IncidentResponder

Security consultant here. Important question: do you have evidence the data was actually exfiltrated, or just that it was exposed?

A misconfigured S3 bucket is exposed if it's publicly listable/readable. But if you don't have access logs showing someone downloaded the data, you may be in "potential breach" vs "actual breach" territory. Some state laws distinguish between exposure and acquisition.

Check your CloudTrail logs for the S3 bucket. Look for GetObject or ListBucket calls from outside your org.

PanickedCTO OP

@IncidentResponder — checking now. Our CloudTrail was enabled but only for management events, not data events. So we can see when the bucket policy changed but not individual file access. That's... bad, right?

IncidentResponder

Not great, but common. Without data event logs, you can't prove no one accessed the data, but you also can't prove anyone did. You may want to check S3 server access logs if those were enabled (separate from CloudTrail).

Also check: did the bucket have public listing enabled, or just public object reads? If listing was off, someone would need to know the exact file paths to access anything. Makes opportunistic discovery less likely.
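
Putting IncidentResponder's two posts together (look for GetObject/ListBucket calls from outside the org, and tell a bucket listing apart from an object read), here is an added example that is not from the thread: a Python triage script over S3 server access log records. It follows the documented field layout of that format (space-separated fields, a bracketed timestamp, double-quoted request-URI/referer/user-agent); the bucket name, account ID, canonical user ID, host IDs and every log line are constructed, and the assumption that our own principals show up as ARNs containing our account ID or as our canonical user ID is exactly that, an assumption you should check against a known-good record from your own logs.

```python
"""Triage S3 server access logs after a bucket exposure (added example).

Constructed data throughout: account ID, canonical ID, bucket and log lines.
Handles S3 server access log records only, not CloudTrail data events.
"""
import re
import sys
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# One token per field: bracketed timestamp, quoted strings, or a bare word.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

LIST_OP = "REST.GET.BUCKET"       # bucket listing: keys were discovered
DOWNLOAD_OP = "REST.GET.OBJECT"   # object content was served
READ_OPS = {LIST_OP, DOWNLOAD_OP, "REST.HEAD.OBJECT"}

OWN_ACCOUNT_ID = "123456789012"   # constructed
OWN_CANONICAL_ID = "c0ffee11" * 8  # constructed 64-hex canonical user ID


@dataclass
class Event:
    time: datetime
    remote_ip: str
    requester: str   # "-" is an unauthenticated (anonymous) request
    operation: str
    key: str
    status: str
    bytes_sent: int

    @property
    def anonymous(self) -> bool:
        return self.requester == "-"


def parse_line(line: str) -> Optional[Event]:
    """Parse one record; None for lines too short to be a valid record."""
    t = _TOKEN.findall(line)
    if len(t) < 12:
        return None
    return Event(
        time=datetime.strptime(t[2].strip("[]"), "%d/%b/%Y:%H:%M:%S %z"),
        remote_ip=t[3], requester=t[4], operation=t[6], key=t[7],
        status=t[9], bytes_sent=int(t[11]) if t[11].isdigit() else 0,
    )


def is_internal(requester: str, account_id: str, canonical_id: str) -> bool:
    # Assumption: our IAM/STS principals carry our account ID in their ARN,
    # and root-credential requests show our canonical user ID.
    return f":{account_id}:" in requester or requester == canonical_id


def analyze(lines, account_id=OWN_ACCOUNT_ID, canonical_id=OWN_CANONICAL_ID) -> dict:
    """Successful reads/listings not made by our own principals."""
    findings: list[Event] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.operation not in READ_OPS:
            continue
        if not ev.status.startswith("2"):
            continue  # 403/404: nothing was actually served
        if not ev.anonymous and is_internal(ev.requester, account_id, canonical_id):
            continue
        findings.append(ev)
    return {
        "findings": findings,
        "anonymous_listing": any(f.operation == LIST_OP and f.anonymous for f in findings),
        "keys_downloaded": sorted({f.key for f in findings if f.operation == DOWNLOAD_OP}),
        "source_ips": sorted({f.remote_ip for f in findings}),
        "first_external_read": min((f.time for f in findings), default=None),
    }


_TAIL = '"-" "curl/8.4.0" - HOSTID - - - example-bucket.s3.us-east-1.amazonaws.com TLSV1.3'
SAMPLE_LOG = [  # constructed records
    # Our own deploy user reading a config object: legitimate, ignored.
    f'{OWN_CANONICAL_ID} example-bucket [16/Nov/2024:22:05:10 +0000] 10.0.4.12 '
    f'arn:aws:iam::{OWN_ACCOUNT_ID}:user/deploy 1F0C2D3E {DOWNLOAD_OP} config/app.json '
    f'"GET /config/app.json HTTP/1.1" 200 - 912 912 14 13 {_TAIL}',
    # Anonymous bucket listing: the keys were enumerated (public listing was on).
    f'{OWN_CANONICAL_ID} example-bucket [17/Nov/2024:03:12:44 +0000] 198.51.100.7 - 8A2F1E0C {LIST_OP} - '
    f'"GET /example-bucket?list-type=2 HTTP/1.1" 200 - 1843 - 22 21 {_TAIL}',
    # Anonymous download of the user export: this is the exfiltration event.
    f'{OWN_CANONICAL_ID} example-bucket [17/Nov/2024:03:13:02 +0000] 198.51.100.7 - 9B3A2F1D {DOWNLOAD_OP} exports/users.csv '
    f'"GET /exports/users.csv HTTP/1.1" 200 - 4823391 4823391 1870 35 {_TAIL}',
    # Authenticated read by a principal from some other account: also external.
    f'{OWN_CANONICAL_ID} example-bucket [18/Nov/2024:11:40:09 +0000] 203.0.113.9 {"deadbeef" * 8} 7C4B3A2E {DOWNLOAD_OP} exports/users.csv '
    f'"GET /exports/users.csv HTTP/1.1" 200 - 4823391 4823391 1750 30 {_TAIL}',
    # Anonymous attempt after lockdown: denied, so not counted as a read.
    f'{OWN_CANONICAL_ID} example-bucket [08/Dec/2024:09:01:55 +0000] 198.51.100.7 - 6D5C4B3A {DOWNLOAD_OP} exports/users.csv '
    f'"GET /exports/users.csv HTTP/1.1" 403 AccessDenied 243 - 5 - {_TAIL}',
]

if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    report = analyze(lines)
    for f in report["findings"]:
        who = "anonymous" if f.anonymous else f.requester
        print(f"{f.time.isoformat()} {f.remote_ip:>15} {who} {f.operation} {f.key} {f.bytes_sent}B")
    print("anonymous listing seen:", report["anonymous_listing"])
    print("keys downloaded:", report["keys_downloaded"])
    print("earliest external read:", report["first_external_read"])
```

Run it with the path to a concatenated set of access log objects, or with no argument to see it work over the constructed records. `anonymous_listing` answers the listing-versus-reads question (an anonymous `REST.GET.BUCKET` means the keys did not have to be guessed), `keys_downloaded` tells you what to assume was exfiltrated, and `first_external_read` bounds the exposure window from the evidence side. Two caveats a practitioner would want: only 2xx responses are counted, since a 403 means nothing was served, and S3 server access logging is best-effort delivery, so an empty result supports but does not prove that no one read the data.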

BreachResponseVet

Practical steps beyond legal:

  • Force password resets for all users NOW. If credentials were exposed, this limits damage.
  • Prepare a customer communication. Even if not legally required, being proactive builds trust.
  • Check if you have cyber insurance. If so, call them immediately — they often have breach response resources included.
  • Engage a forensic firm to document what happened. This creates the paper trail you'll need if regulators ask questions.

PanickedCTO OP

UPDATE: We have cyber insurance — didn't even think to check. Carrier is sending a breach coach (their term) who will coordinate legal and forensics. They're taking over the response.

Forensics found S3 server access logs were enabled. There's ONE suspicious access from a Tor exit node 3 weeks ago that downloaded the user table. So we have to assume data was exfiltrated.

Forced password reset already done. Working with the breach coach on notification strategy. Looks like we'll need to notify California AG (>500 CA residents affected) and send individual notices to all US users. EU notification to Irish DPC since most EU users seem to be there.

DataCounsel Attorney

Good that you have insurance. Their breach coach will guide you through the notification letters (specific language is required in most states) and AG notifications. The 72-hour GDPR clock started when you "became aware" — arguably that was yesterday, so you're still in the window.

One more thing: document what security improvements you're making. Regulators and plaintiffs' lawyers will ask "what did you do to prevent this from happening again?" Having a concrete answer helps.
