Step 4, Communication: If a similar condition is identified in your environment, activate breach notification procedures under applicable regulation (UK GDPR Article 33/34, FCA SYSC obligations, or equivalent jurisdiction); document scope and timeline.
Containment
NIST 800-61r3 §3.3 (containment, eradication, and recovery phases)
NIST 800-53 IR-1 (Incident Response Policy and Procedures)
NIST 800-53 IR-4 (Incident Handling)
CIS Controls v8 17.1 (Designate Personnel to Fulfill Cybersecurity Roles)
Compensating Control
Without an incident management platform:
(1) Create a breach notification checklist document (notification_checklist.md) listing: date/time of discovery, data types affected (transaction details, account balances, customer names), number of customers impacted, systems involved, preliminary root cause, containment status.
(2) Establish a communication log (breach_communication_log.csv) with columns: timestamp, recipient (regulator, customer, legal, PR), method (email, phone, formal letter), message summary, acknowledgment status.
(3) For UK GDPR Article 33: draft a formal notification to the ICO (Information Commissioner's Office) within 72 hours of discovery, including incident type (cross-account data exposure), date range affected, estimated customer count, and mitigation steps. Use the template from the ICO website.
(4) For FCA SYSC 3.1R: prepare a breach notification to the FCA as a Significant Incident (SYSC 14.1.4R) if >100 customers are affected or the estimated impact exceeds £1M.
(5) Customer notification: generate a letter template stating what data was exposed, who was affected, what the bank did to stop it, and what customers should do.
(6) Document the timeline: create incident_timeline.txt with the format YYYY-MM-DD HH:MM:SS | Action | Owner | Status.
(7) Preserve all communications as evidence (tar -czf breach_notifications_$(date +%s).tar.gz customer_letters/ regulator_notices/ internal_comms/).
Preserve Evidence
Capture BEFORE notification (these become regulatory evidence):
(1) Forensic analysis from Steps 1–3 (git history, logs, code audit results).
(2) Customer/account dataset showing which accounts were exposed to cross-account data (e.g., customer_exposure.csv with columns: customer_id, date_exposed, data_type, duration_exposed_minutes).
(3) Root cause analysis document with timeline and technical detail.
(4) All system change logs, deployment records, and configuration snapshots from the 14 days before the incident.
(5) Incident discovery documentation: screenshots, emails, or support tickets showing how the condition was first detected.
(6) Containment actions taken and their timeline (service restart, config rollback, account suspension, etc.).
(7) Impact assessment: confirmed list of affected customers, data categories, and the regulatory jurisdiction for each.
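The following is an added example, not part of the original playbook: it reads the incident_timeline.txt format and customer_exposure.csv columns described in the Compensating Control and Preserve Evidence items above, derives the 72-hour ICO deadline from the discovery time, de-duplicates affected customers, and applies the playbook's FCA threshold. The sample timeline and CSV rows are constructed here, and the assumption that the earliest timeline entry marks discovery is the example's own.

```python
import csv
from datetime import datetime, timedelta

TIMELINE_FMT = "%Y-%m-%d %H:%M:%S"  # timestamp field of incident_timeline.txt

# Constructed sample of incident_timeline.txt (timestamp | Action | Owner | Status).
SAMPLE_TIMELINE = """\
2024-03-02 09:15:00 | Cross-account data exposure reported via support ticket | SOC lead | complete
2024-03-02 10:40:00 | Config rollback of account-lookup service | Platform on-call | complete
"""

# Constructed sample of customer_exposure.csv; C1001 appears twice on purpose.
SAMPLE_EXPOSURE_CSV = """\
customer_id,date_exposed,data_type,duration_exposed_minutes
C1001,2024-03-02,account_balance,45
C1002,2024-03-02,transaction_details,45
C1001,2024-03-02,customer_name,10
"""

def parse_timeline(text):
    """Return (datetime, action, owner, status) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, action, owner, status = (f.strip() for f in line.split("|"))
            rows.append((datetime.strptime(ts, TIMELINE_FMT), action, owner, status))
    return sorted(rows)

def affected_customers(csv_text):
    """Distinct customer_ids, so repeated exposures of one customer are not double-counted."""
    return {row["customer_id"] for row in csv.DictReader(csv_text.splitlines())}

def fca_significant(customer_count, estimated_impact_gbp):
    """Threshold given in the playbook: >100 customers or >£1M estimated impact."""
    return customer_count > 100 or estimated_impact_gbp > 1_000_000

def notification_status(timeline_text, exposure_csv, estimated_impact_gbp, now_str):
    """Derive the Article 33 clock and FCA applicability from the Step 4 artefacts."""
    # Assumption (this example's own): the earliest timeline entry is the moment of discovery.
    discovered_at = parse_timeline(timeline_text)[0][0]
    deadline = discovered_at + timedelta(hours=72)  # UK GDPR Art. 33: 72 hours from awareness
    now = datetime.strptime(now_str, TIMELINE_FMT)
    customers = affected_customers(exposure_csv)
    return {
        "discovered_at": discovered_at.strftime(TIMELINE_FMT),
        "ico_deadline": deadline.strftime(TIMELINE_FMT),
        "hours_remaining": (deadline - now).total_seconds() / 3600,
        "affected_customers": len(customers),
        "fca_significant": fca_significant(len(customers), estimated_impact_gbp),
    }
```

Run it against the real incident_timeline.txt and customer_exposure.csv once those artefacts exist; a negative hours_remaining means the ICO deadline has already passed and the notification must record the reason for the delay.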