Step 4, Communication: Notify relevant stakeholders (finance, procurement, and HR, plus any team with PayPal exposure) of the confirmed breach; instruct employees to review their personal PayPal accounts independently, reaching PayPal by typing its address rather than following links in email, and to report suspicious activity; document every notification action for regulatory recordkeeping.
Containment
NIST 800-61r3 §3.3 (Containment strategy and notification)
NIST 800-53 IR-4 (Incident handling)
NIST 800-53 IR-6 (Incident reporting)
CIS 2.2 (Ensure proper user access management)
Compensating Control
Draft a tiered email notification: (1) Finance/Procurement leads (2026-02-XX, 10 AM): direct breach summary, internal account inventory results, remediation status, and escalation contact. (2) All employees with PayPal linkage (same day, 2 PM): breach summary, password reset instructions, MFA guidance, and the address of PayPal's official breach notification FAQ. Send from a single, pre-announced internal address and tell recipients to reach PayPal by typing its address rather than clicking, because breach-themed phishing routinely imitates exactly this kind of notice. Use the templated incident communication so legal/compliance review happens before send. Log every recipient address, send timestamp, and acknowledgment; request an explicit acknowledgment reply, since client read receipts are optional and unreliable. Maintain a signed distribution list and confirm from the MTA delivery log (or the Received headers on the archived copy) that each batch was delivered over TLS. Create a ticketed inbox for employee reports of suspicious activity and track response SLAs (2-hour first response, 24-hour investigation completion).
Preserve Evidence
Preserve the full raw message (RFC 5322 headers and body) of every breach notification as sent, including the SMTP envelope, Message-ID, Received chain, and X-Originating-IP where the mail system adds it; hash each archived copy (SHA-256) at intake and record the hash with the copy. Archive the approved notification template with the date/time of legal review sign-off. Record employee acknowledgments in an auditable log (timestamp, employee ID, read status, reply confirmation, and the Message-ID of the reply). If employees report suspicious activity, open a separate incident record for each with a detailed timeline: date/time reported, description of the activity, the steps used to verify the employee's report, and the investigation conclusion. Maintain chain of custody for all reported fraud evidence (screenshots, transaction dispute forms, chargeback notifications): who collected it, when, and its hash.
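Added example, not part of the playbook or its author's tooling: a Python script that builds the send log called for under Compensating Control and the evidence and acknowledgment records called for under Preserve Evidence, working from archived copies of a notification and its replies. The sample messages, hosts, addresses, employee IDs and the TLS annotation in the Received header are constructed for the example, and the employee directory lookup is hypothetical.

```python
import email
import hashlib
import re
from email import policy
from typing import Optional

# Constructed sample: an archived (journal) copy of one batch notification as
# captured at the outbound MTA. Hosts, addresses and IDs are invented; the
# Received line mimics the TLS annotation that common MTAs write.
NOTIFICATION_EML = b"""Received: from mail.example.test (mail.example.test [192.0.2.10])
\tby mx.example.test with ESMTPS id 4abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256);
\tTue, 03 Mar 2026 14:02:11 +0000
Message-ID: <ir-2026-0042-batch2@example.test>
Date: Tue, 03 Mar 2026 14:02:05 +0000
From: IR Team <ir@example.test>
To: alice@example.test, bob@example.test
Subject: [IR-2026-0042] PayPal breach notification
X-Originating-IP: [192.0.2.10]
Content-Type: text/plain; charset=utf-8

Breach summary, reset instructions and MFA guidance follow.
"""

# Constructed acknowledgment reply from one recipient.
ACK_EML = b"""Message-ID: <ack-1@example.test>
In-Reply-To: <ir-2026-0042-batch2@example.test>
References: <ir-2026-0042-batch2@example.test>
Date: Tue, 03 Mar 2026 14:30:00 +0000
From: alice@example.test
To: ir@example.test
Subject: Re: [IR-2026-0042] PayPal breach notification

Acknowledged.
"""

# Hypothetical employee directory: mail address -> employee ID.
DIRECTORY = {"alice@example.test": "E1001", "bob@example.test": "E1002"}

TLS_RE = re.compile(r"version=(TLS[\w.]+)")


def _addrs(msg, *names):
    """All addr-specs from the named address headers, sorted."""
    return sorted(a.addr_spec for n in names for h in msg.get_all(n, []) for a in h.addresses)


def notification_record(raw: bytes) -> dict:
    """Evidence record for one sent notification: the required headers plus a
    SHA-256 of the raw bytes, so later tampering with the archive is detectable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = [str(h) for h in msg.get_all("Received", [])]
    tls = [m.group(1) for m in map(TLS_RE.search, received) if m]
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),
        "message_id": str(msg["Message-ID"]),
        "sent_at": msg["Date"].datetime.isoformat(),
        "from": _addrs(msg, "From")[0],
        "recipients": _addrs(msg, "To", "Cc"),
        "x_originating_ip": str(msg.get("X-Originating-IP", "")) or None,
        "received": received,
        # Only the hops visible in this copy are checked; delivery to the
        # recipient's MX must be confirmed from the MTA log, not from here.
        "tls_on_every_hop": bool(received) and len(tls) == len(received),
    }


def acknowledgment_record(raw: bytes, notification: dict, directory: dict) -> Optional[dict]:
    """Audit-log entry if `raw` is a reply from a recipient of `notification`,
    threaded to its Message-ID; None otherwise (wrong thread or unsolicited sender)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    threaded = set(str(msg.get("In-Reply-To", "")).split()) | set(str(msg.get("References", "")).split())
    sender = _addrs(msg, "From")[0]
    if notification["message_id"] not in threaded or sender not in notification["recipients"]:
        return None
    return {
        "notification_id": notification["message_id"],
        "employee": sender,
        "employee_id": directory.get(sender),
        "acknowledged_at": msg["Date"].datetime.isoformat(),
        "reply_message_id": str(msg["Message-ID"]),
        "reply_sha256": hashlib.sha256(raw).hexdigest(),
    }


def outstanding(notification: dict, acks: list) -> list:
    """Recipients who have not yet acknowledged; this drives the follow-up chase."""
    done = {a["employee"] for a in acks if a}
    return [r for r in notification["recipients"] if r not in done]


if __name__ == "__main__":
    rec = notification_record(NOTIFICATION_EML)
    ack = acknowledgment_record(ACK_EML, rec, DIRECTORY)
    print(rec, ack, outstanding(rec, [ack]), sep="\n")
```

Run it over the journal or archive copies of each batch (a Sent Items copy usually carries no Received headers, which is why the archived copy is used) and append each record to the custody log; the hash of the raw message is what lets a reviewer confirm the archived copy is unchanged.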