Inside a Breach

Key Takeaways from the June STN Cyber Forum 2025

What really happens behind the scenes when a data breach hits? That was the question tackled at our recent GNGB Forum — a thought-provoking discussion that encouraged deep thinking around how we prepare for and manage data breaches. 

The panel featured Lisa Kozaris, Isabelle Guyot and Valeska Bloch from Allens. Together, they unpacked the chaos, pressure, and hard decisions involved in assessing compromised data following a breach — and the things organisations can do now to be better prepared when it inevitably happens. 

This summary is for everyone: whether you were in the room or catching up afterwards, here are the biggest lessons from the session. 

There’s No One-Size-Fits-All approach to compromised data assessments

One of the strongest themes to emerge from the forum was this: no two breaches are ever the same. Every organisation is different. Every breach is different. What worked in one situation might not work in another. 

The speakers all stressed the importance of adaptability. While it’s essential to have a plan and know your process, that plan can’t be rigid. When the unexpected happens, flexibility becomes just as important as preparation. This means cross-functional communication, clearly defined roles, and trust between legal, forensics, IT, and communications teams are critical to mounting an effective response. 

Time, Accuracy, Cost — Pick Two? 

Responding to a data breach is a balancing act. Ideally, we all want to understand the scope and impact of the data breach quickly, get the facts right, and keep costs low. But in reality, there are trade-offs. Do you want it fast, or do you want it thorough? Do you need to undertake a comprehensive assessment, or do you need to move quickly? Or do you need to adopt a hybrid approach to meet regulatory or customer expectations? 

The panel discussed how the best responses are about making informed trade-offs. That means knowing your organisation’s risk appetite, understanding what’s legally required (and what’s not), and being clear-eyed about the downstream consequences of your choices. It’s not about perfection — it’s about making the best possible decisions in a high-pressure environment. 

Unstructured Data: The Operational Nightmare 

One particularly eye-opening insight came from David Batch, who reminded us that 80 to 90% of the world’s data is unstructured. That includes things like emails, chat messages, scanned documents, PDFs — the messy, complex data we all deal with every day. 

This becomes a real operational headache when you’re assessing what was impacted in a breach. Structured data (like databases) can be searched and analysed with some speed. But unstructured data? That’s where things slow down — and where mistakes can creep in. 

It’s also where planning makes a huge difference. If you already know what kind of unstructured data you hold, where it lives, and how it’s protected (or not), you’re in a much better position to act fast and decisively when something goes wrong. 

You Can’t Over-Prepare (But You Can Under-Prepare) 

Every speaker echoed the importance of planning ahead. That includes doing risk assessments, mapping your data, developing a compromised data assessment methodology, knowing who does what in a crisis, and stress-testing your incident response plans. 

Even more importantly, organisations need to understand that breach response isn’t just an IT problem. Legal, communications, governance, and privacy all play a role — and they need to be part of the preparation, not just called in when something goes wrong. 

The panel also shared some real-world stories (minus the names) that brought the advice to life. From the panic of discovering a breach late on a Friday, to the quiet confidence of an organisation that had rehearsed their response and hit the ground running — the message was clear: preparation pays off. 

A Step-by-Step Look at Breach Response 

Allens has developed a step-by-step guide to assessing compromised data after a cyber incident. For a detailed overview of the steps, you can read the full guide here.  

The takeaways are:

• Set expectations amongst key decision makers and stakeholders regarding the timing, cost and possible regulatory implications associated with compromised data assessments.
• Manage your digital footprint and maintain a robust data retention and deletion program to minimise your exposure and ensure you can identify and locate data quickly. The less you hold unnecessarily, the easier it is to manage risk.
• Identify your data experts. This isn’t a standard discovery exercise. You need experts that understand the outcome you’re trying to achieve (e.g. regulatory or contractual notifications) and can help you leverage specialist tools designed for data compromises to automate elements of triage and review.
• Develop your data assessment methodology in advance.  Identify the types of data that may be involved — protected, personal, commercial — and the steps and decisions required for each. Then adapt it during the incident and document key decisions in a decision log to reduce the cognitive load in the moment. Ensure you have up-to-date contact information for individuals, in case notifications are required. 
• Understand the practical challenges. Consider how to triage and review unstructured data, foreign language content, video/audio files, and scanned documents. Decide what to exclude from review and how to handle encryption. Understand the limits of automation — algorithms can help, but human judgment is still critical.
• Know your notification strategy (Who, How and When). Notification is one of the most sensitive and difficult parts of the breach response. The forum highlighted several tricky questions: Who is responsible for contacting affected individuals? What do you do when you don’t have direct relationships with them? What happens when the data owner is a third party? Should you publish a statement? If so, where, and when? 

It was clear that many organisations are still grappling with these issues. The consensus? Work through them before an incident — not during. 

Final Reflections 

A few standout lessons emerged from the session: 

• Preparation and adaptability go hand-in-hand. Have a framework, but don’t assume it’ll survive first contact. 

• Unstructured data is the biggest challenge. It’s everywhere, it’s messy, and it will slow you down unless you’ve mapped it in advance. 

• Trade-offs are inevitable. Whether it’s time, accuracy or cost — you can’t have all three. Make sure leadership understands that. 

• Don’t forget the humans. Both in your team (who are working under pressure) and in your impacted community. How you treat people matters — especially in how you communicate after the fact.