Resposta a Incidentes 24/7 · Vazamento de dados

Company data breach: what to do now and the legal deadlines

O que fazer agora

Act on three fronts at once and do not shut down or format anything blindly. First, contain the source by isolating the compromised system from the network (cut off access, rotate credentials and revoke tokens and sessions), preserving logs and the machines' memory as evidence. Second, measure the scope: which data leaked, how many data subjects and whether there is sensitive or financial personal data. Third, record the exact time you became aware, because the deadline to notify the ANPD and the affected data subjects is 3 business days from that awareness (Resolution CD/ANPD No. 15/2024). To contain an active leak right now, engage Decripte's 24/7 Incident Response through /contato, with a containment SLA of up to 1 hour.

SOC 24x7 e SLA de contenção de até 1 hora. A Decripte é especialista em resposta a incidentes para fintechs, crypto, apps, e-commerces e empresas de todos os tamanhos.

Sinais de alerta

  • Databases or backups appeared on forums, on the dark web or for sale on Telegram channels, or someone reached out demanding a ransom.
  • Abnormal spikes in the export or download of records, mass queries to the database or high outbound traffic outside business hours.
  • Administrative logins from unusual IPs or countries, at atypical times, or accounts with privileges no one recognizes creating.
  • Customers reporting scams, phishing or fraud attempts that use real, specific data that only your company had.
  • Employee or internal system credentials appearing in public leaks and in monitoring tools.
  • Configuration files, API keys or tokens exposed in public repositories, open storage buckets or indexed URLs.
  • DLP, antivirus or WAF alerts firing for anomalous access or movement of personal data.

Primeiros passos — o que fazer agora

  1. 1

    Engage Incident Response and open a war room

    Centralize the crisis in a single channel outside the compromised environment (phone or external chat) with IT, legal/DPO and leadership. Engage Decripte's 24/7 Incident Response through /contato to contain within 1 hour without destroying evidence.

  2. 2

    Contain the source without erasing traces

    Isolate the affected system from the network instead of shutting it down (do not format, do not reinstall), rotate passwords and API keys, revoke sessions and tokens and block the access used by the attacker. To contain is to stop the bleeding, not hide the wound.

  3. 3

    Record the exact time of awareness

    Note the date and time the company learned that the incident affected personal data. It is from this milestone that the 3 business days to notify the ANPD and the data subjects run. This record is proof and sets the pace for all subsequent deadlines.

  4. 4

    Measure the scope of what leaked

    Determine which databases were accessed, how many distinct data subjects and whether there is sensitive data (health, biometrics, racial origin, children's data) or financial data. The scope defines the severity, the obligation to communicate and the content of the notification.

  5. 5

    Preserve the chain of custody

    Make forensic copies (disk and memory images) and export authentication, network and application logs to isolated, read-only storage, with a hash and an identified custodian. Without this, the evidence can be challenged and the root cause is lost.

  6. 6

    Notify the ANPD within 3 business days

    Use the ANPD's electronic form describing the incident, the affected data and data subjects, the risks and the measures taken. Pending information can be supplemented, with justification, within 20 business days. Small-scale agents have the deadline counted double.

  7. 7

    Notify the affected data subjects

    Warn the customers whose data was exposed, in clear language, telling them what leaked, the risks (scams, targeted phishing, SIM swap) and what they should do. Communication to the data subject also follows the 3-business-day deadline from awareness.

  8. 8

    Eradicate, recover and document everything

    Only restore operations after removing the root cause and validating that the improper access was closed. Monitor for recurrence for days and keep a dossier of timeline, decisions and evidence for the ANPD and for the legal defense.

O que NÃO fazer

  • Do not format, reinstall or shut down the compromised server on impulse: that destroys logs and RAM, which are the proof of the root cause and of what the attacker took.
  • Do not wait to have 100% of the information to notify the ANPD: the deadline is 3 business days from awareness, and Resolution CD/ANPD No. 15/2024 allows supplementing the details later, within 20 business days.
  • Do not minimize or hide the incident from customers: omission amplifies the reputational damage and legal risk, and the data subjects need to protect themselves from scams derived from the leak.
  • Do not exchange messages about the incident inside the possibly compromised environment (a hacked email or chat): the attacker may be reading and anticipate your moves.
  • Do not pay a ransom or negotiate with the attacker alone before a technical and legal analysis: paying does not guarantee the deletion of the data, funds the criminal operation and can have legal implications.
  • Do not treat the case as closed when you restore the system: without eradicating the root cause and monitoring, the attacker's re-entry is common in the first days.

First: contain the source without destroying the evidence

Containment is the step that stops the bleeding, and the most common mistake is to confuse containing with erasing. Isolate the affected system from the network instead of shutting it down: taking it off the network cuts off the attacker's access and preserves the volatile memory (RAM), where malicious processes, keys and indicators that vanish on shutdown often reside. In parallel, rotate all credentials that may have been exposed, revoke active tokens and sessions and block the entry path used in the attack.

Think of containment in two layers. Short-term containment stops the ongoing incident (isolate the host, revoke access, block the IP). Long-term containment prepares operations to return safely, applying temporary fixes while the root cause is handled. Deciding between one and the other requires knowing how the attacker got in, which is why containing and investigating go together. For an active leak, Decripte's 24/7 Incident Response contains within 1 hour and leads that decision without burning evidence.

Measure the scope: what leaked, how many data subjects and whether there is sensitive data

Without sizing the scope you cannot decide what to notify or assess the real risk. Map which databases were accessed, the volume of records, how many distinct data subjects are involved and, above all, the nature of the data. Sensitive data (health, biometrics, racial or ethnic origin, religious belief, data of children and adolescents) raises the severity and the duty of care, as do financial data, documents and credentials that enable direct fraud.

This measurement comes from log analysis, database telemetry and reconstructing the attacker's path. This is where forensics delivers concrete value: distinguishing what was actually exfiltrated from what was merely accessed changes the size of the notification and the communication to customers. Decripte leads that investigation and quantifies the impact on data subjects, turning uncertainty into a defensible inventory before the ANPD.

Resposta a Incidentes · 24/7

Cada minuto conta. Comece o diagnóstico gratuito agora e veja o que já vazou.

Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.

Resolution CD/ANPD No. 15/2024 establishes that, when the incident may cause relevant risk or harm to data subjects, the controller must notify the ANPD within 3 business days from knowing that the incident affected personal data. Communication to the affected data subjects follows the same 3-business-day deadline from that awareness. That is why recording the exact time the company learned of the incident is not bureaucracy: it is the milestone that defines all the deadlines.

Communication to the ANPD is made through a dedicated electronic form and must describe the incident, the affected data and categories of data subjects, the risks and the measures adopted. If not all the information is available at the start, the rule allows supplementing it, with justification, within 20 business days. Small-scale agents have the deadline counted double. Communication to the data subject must be clear, indicating the data involved and what the person can do to protect themselves. Documenting the whole process (decisions, evidence and timeline) is part of the accountability duty and the best defense in case of oversight.

Chain of custody, communication and preventing the next incident

The chain of custody is what gives evidentiary value to your investigation. Make forensic images of disk and memory, export logs to an isolated, read-only repository, calculate hashes to ensure integrity and keep a record of who collected what and when. Without that discipline, the root cause becomes speculation and the evidence can be contested, weakening both the notification to the ANPD and any liability of the attacker.

In communication, speak first to those who were affected and with transparency. For the press, have a single, factual message approved by legal, avoiding speculating about causes before the investigation. After recovery comes the phase that prevents the next incident: fixing the root cause, closing the exploited vector and raising continuous monitoring. This is where Decripte's free Threat Management plan helps, monitoring credential exposure, dark web presence and domain reputation with no credit card, so you discover the problem before the attacker. You can start at https://decripte.com.br/intelligence-center.

Obrigações legais (Brasil)

In Brazil, Resolution CD/ANPD No. 15/2024 requires the controller to notify the ANPD within 3 business days from knowing that the incident affected personal data, when there is relevant risk or harm to data subjects, through a dedicated electronic form; pending information can be supplemented, with justification, within 20 business days. Communication to the affected data subjects follows the same 3-business-day deadline from awareness and must be made in clear language. For small-scale agents, the deadlines are counted double. The company must document the entire incident (timeline, decisions, evidence and measures) as part of the accountability duty. When there is payment data and Pix fraud, the Special Return Mechanism (MED) also applies, with a short time window, requiring immediate contact with the bank and the filing of a police report. This content is informational and does not replace specific legal advice for the concrete case. These rules and deadlines (ANPD/LGPD) are Brazilian.

Termos importantes

Data subject
The natural person to whom the processed personal data refers. In a breach, they are the customers, users or employees whose data was exposed and who must be notified.
Sensitive personal data
A special category of data under the LGPD that includes health, biometrics, racial or ethnic origin, religious belief, sexual life and data of children and adolescents. Its leak raises the severity and the duty to communicate.
Chain of custody
The intact, traceable record of each piece of evidence collected (forensic images, logs, hashes), including who collected it and when. It guarantees the proof was not tampered with and supports the investigation and the notification.
Containment
The stage of incident response that stops the attacker's access and limits the damage (isolate the system, revoke credentials, block the entry path) without destroying the evidence needed for the investigation.
Notification to the ANPD
The mandatory communication of the incident to the National Data Protection Authority, through an electronic form, within 3 business days from awareness, when there is relevant risk or harm to data subjects (Resolution CD/ANPD No. 15/2024).
MED (Special Return Mechanism)
A Pix procedure that allows the financial institution to block and attempt to return funds in cases of fraud or operational failure. It has a short time window, requiring immediate contact with the bank.

Perguntas frequentes

Customer data from my company leaked, what do I do first?

Contain the source by isolating the system from the network without shutting it down, rotate credentials and revoke tokens, and record the exact time you learned of the incident. Do not format anything, because the logs and the memory are the proof of what happened. In parallel, engage Decripte's 24/7 Incident Response through /contato to contain within 1 hour and start the forensics.

What is the deadline to notify the ANPD about a data breach?

The deadline is 3 business days from knowing that the incident affected personal data, under Resolution CD/ANPD No. 15/2024, when there is relevant risk or harm to data subjects. The notification is made through the ANPD's electronic form and can be supplemented, with justification, within 20 business days. Small-scale agents have the deadline counted double.

Do I need to notify the customers affected by the breach?

Yes. Communication to the affected data subjects must also occur within 3 business days from awareness that the incident affected personal data, in clear language. Inform which data leaked, the risks (scams, targeted phishing, fraud) and what the person should do to protect themselves, such as changing passwords and enabling two-step verification.

Should I shut down or format the server that was breached?

No. Shutting down erases RAM and formatting destroys the logs, precisely the evidence that shows how the attacker got in and what they took. The right move is to isolate the machine from the network to cut off access while preserving its state, and only then make forensic copies. To contain is not to erase; it is to stop the access while keeping the proof intact.

What if I don't yet know exactly how much data leaked?

You do not need all the information to notify within the deadline. Resolution CD/ANPD No. 15/2024 allows sending the initial communication within 3 business days and supplementing the details, with justification, within 20 business days. What matters is not to blow the initial deadline; the exact scope is refined by the forensic analysis.

What is a chain of custody and why does it matter in a breach?

A chain of custody is the intact, traceable record of the evidence: disk and memory images, exported logs, integrity hashes and who collected each item and when. It matters because it guarantees the proof was not tampered with, which supports the root-cause investigation, the notification to the ANPD and any liability of the attacker. Without it, the investigation loses value.

How does Decripte help during and after a data breach?

Decripte engages 24/7 Incident Response with a containment SLA of up to 1 hour, leads the forensics (preserves evidence, identifies the root cause and measures the scope) and supports the notification to the ANPD and the data subjects. For prevention, the free Threat Management plan monitors credential leaks, the dark web and domain reputation, with no card and no technical team, at https://decripte.com.br/intelligence-center.

The breach involved payment data and Pix, what changes?

Financial data raises the risk of fraud and requires immediate action with the financial institutions. In cases of Pix fraud, there is the Special Return Mechanism (MED), with a short time window, so advise customers to contact the bank immediately and file a police report. On the company's side, the obligations to notify the ANPD and the data subjects within 3 business days still apply.

Incidente em andamento?

Comece agora pelo diagnóstico gratuito — e ative SOC 24/7 e resposta a incidentes nos planos pagos.

Veja em minutos o que já vazou da sua empresa. Quando precisar, a Decripte assume a contenção, a investigação forense e a recuperação do ambiente com SLA de contenção de 1 hora.