What do I do after a data breach at my startup?
In the first hour: confirm the breach, contain it (rotate keys, take affected services offline) and start documenting. In the first day: consult legal counsel, draft the user notification, and check your regulatory deadlines (under the GDPR the supervisory authority must be notified within 72 hours of becoming aware of the breach, which is well before any postmortem). In the first week: publish a postmortem.
The realistic solo-founder response playbook:
**Hour 0-1: contain**
- Confirm the breach is real and determine whether it is still ongoing
- Rotate every credential the attacker may have reached: API keys, database passwords, session-signing secrets, OAuth client secrets, deploy tokens (assume every secret on a compromised host is compromised)
- Take the affected service offline if exploitation is ongoing
- Preserve evidence before you rebuild: snapshot disks, export logs, note what was collected and when, so the rotation and rebuild don't destroy the record of what happened
- Start a timeline document: every action, every timestamp (in UTC), who did it

**Hour 1-24: notify + consult**
- Email your startup lawyer (any generalist lawyer can triage)
- Draft a user notification: honest, specific, no PR spin. Say what data was exposed, over what period, what you have done, and what the user should do (rotate passwords, watch for phishing that references the breach)

**Day 1-7: communicate + fix**
- Publish the user notification
- Respond to every support request individually
- Fix the root cause and document the fix publicly (builds trust)
- Coordinate with the security researcher if one disclosed it, and agree on the timing of their write-up

**Week 1+: postmortem**
- Publish a full timeline, root cause, and what you changed
- File any required regulator notifications; don't let these slip to week 1 if a law with a fixed deadline applies (the GDPR's 72-hour clock starts when you become aware of the breach, and other breach-notification laws have their own fixed windows)
- Your transparency is a trust signal; attempts to hide are a second breach
This is why having Securie installed pre-breach matters: you'll have the evidence chain showing what you knew and when.