โš ๏ธ Active Incident? Start here.

I've been hacked. What do I do?

Stay calm. Pick the scenario that matches what happened. Follow the steps in order. Call the Canadian Anti-Fraud Centre first if money moved.

5 scenarios

Pick the runbook that matches your situation

Each scenario has step-by-step instructions, Canadian contacts, and what to do in the first hour.


01. Ransomware

Files encrypted, ransom note on screen, business at a standstill.

Step-by-step

  1. Isolate affected systems from the network immediately. Pull the network cable or disable Wi-Fi on infected devices. Do NOT power them off; that destroys volatile evidence.
  2. Stop the spread. Disable shared drives, pause backups (you don't want to overwrite clean ones), and reset credentials for admin accounts.
  3. Call the Canadian Centre for Cyber Security (1-833-CYBER-1) for free technical guidance, even before involving law enforcement.
  4. If money was demanded: call the Canadian Anti-Fraud Centre (1-888-495-8501). They coordinate with the RCMP and track ransom payments.
  5. Engage a professional IR firm (we can coordinate) to determine the variant, scope of compromise, and whether decryption is feasible.
  6. Check your backups BEFORE considering payment. If you have clean, immutable, offsite backups, restore from those.
  7. Assume the attacker had access for weeks. Reset ALL credentials (not just affected ones). Audit MFA, VPN keys, and service accounts.
  8. After containment: PIPEDA breach assessment within 72 hours, cyber insurance claim, post-incident report.

02. Business Email Compromise

An attacker impersonated an executive or vendor and convinced finance to send a wire transfer.

Step-by-step

  1. Call your bank IMMEDIATELY. If the wire hasn't been picked up, it can sometimes be recalled. Time is critical: minutes matter.
  2. Report to CAFC (1-888-495-8501). They coordinate with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).
  3. Preserve the email. Do not delete it. Forward it as a .eml attachment to your IT team and to CAFC.
  4. Reset credentials for the compromised mailbox. Enable MFA if not already on. Review mail forwarding rules and OAuth grants.
  5. Audit other recent transactions. BEC attackers often test with small amounts first, then escalate.
  6. File a police report; it is required for most cyber insurance claims.
  7. Notify your cyber insurance carrier (if applicable) within the time specified in your policy, usually 24-72 hours.
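Step 4 is the one that is easy to do badly under pressure: attackers who have taken over a mailbox typically leave a hidden forwarding or deletion rule, or a consented third-party app, so the takeover survives a password reset. The script below is an added example (not the runbook's own tooling) of what that review looks like. It runs over a constructed, simplified export of inbox rules and app consents; the field names (mailbox, forward_to, redirect_to, delete_message, move_to_folder, subject_contains, app_id, scopes) and the example.ca domain are assumptions for this example, not the schema of any particular mail platform, and the scope names are Microsoft Graph-style permission names used for illustration.

```python
"""Review a mailbox for BEC persistence: forwarding rules and OAuth grants.

Added example, not part of the original runbook. Works on a constructed,
simplified export whose field names are assumptions for this example.
"""
from __future__ import annotations

import re

INTERNAL_DOMAINS = {"example.ca"}   # assumption: the organisation's own domains
VERIFIED_APP_IDS = {"app-0001"}     # assumption: app ids IT has already reviewed

# Microsoft Graph-style mail permission names, used here for illustration.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "MailboxSettings.ReadWrite", "offline_access"}
# Folders attackers use to park stolen mail where the owner will not look.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history"}
LURE_KEYWORDS = {"invoice", "payment", "wire", "bank", "password", "remittance"}


def _is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_inbox_rules(rules: list[dict]) -> list[dict]:
    """Flag rules that forward or redirect mail outside the organisation,
    delete or hide messages, have blank/punctuation-only names, or filter on
    the finance and credential keywords BEC actors typically watch for."""
    findings = []
    for rule in rules:
        reasons = []
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        external = [t for t in targets if _is_external(t)]
        if external:
            reasons.append("forwards or redirects externally to " + ", ".join(external))
        if rule.get("delete_message"):
            reasons.append("deletes matching messages")
        folder = rule.get("move_to_folder", "")
        if folder.lower() in HIDING_FOLDERS:
            reasons.append(f"hides matching mail in '{folder}'")
        if re.fullmatch(r"[\s.,;_-]*", rule.get("name", "")):
            reasons.append("rule name is blank or punctuation only")
        if {k.lower() for k in rule.get("subject_contains", [])} & LURE_KEYWORDS:
            reasons.append("filters on finance/credential keywords")
        if reasons:
            findings.append({"mailbox": rule["mailbox"],
                             "rule": rule.get("name", ""), "reasons": reasons})
    return findings


def audit_oauth_grants(grants: list[dict],
                       verified_app_ids: set[str] = VERIFIED_APP_IDS) -> list[dict]:
    """Flag consent grants that give an unreviewed app mailbox access or a
    refresh token (offline_access), the usual footprint of a consent-phishing app."""
    findings = []
    for grant in grants:
        risky = sorted(set(grant.get("scopes", [])) & HIGH_RISK_SCOPES)
        if risky and grant["app_id"] not in verified_app_ids:
            findings.append({"mailbox": grant["mailbox"],
                             "app": grant["app_name"], "scopes": risky})
    return findings


# Constructed sample export: a benign rule, an attacker-style rule, a harmless
# internal forward, one reviewed app consent and one unreviewed app consent.
SAMPLE_RULES = [
    {"mailbox": "cfo@example.ca", "name": "Newsletters", "forward_to": [], "redirect_to": [],
     "delete_message": False, "move_to_folder": "Newsletters", "subject_contains": ["newsletter"]},
    {"mailbox": "cfo@example.ca", "name": ".", "forward_to": ["cf0.example@gmail.example"],
     "redirect_to": [], "delete_message": True, "move_to_folder": "RSS Feeds",
     "subject_contains": ["invoice", "wire"]},
    {"mailbox": "ap@example.ca", "name": "Vendor POs", "forward_to": ["controller@example.ca"],
     "redirect_to": [], "delete_message": False, "move_to_folder": "",
     "subject_contains": ["purchase order"]},
]
SAMPLE_GRANTS = [
    {"mailbox": "cfo@example.ca", "app_id": "app-0001", "app_name": "Corporate Signature Tool",
     "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"mailbox": "cfo@example.ca", "app_id": "app-9999", "app_name": "PDF Viewer Pro",
     "scopes": ["Mail.Read", "offline_access", "User.Read"]},
]


def run_audit(rules: list[dict] = SAMPLE_RULES, grants: list[dict] = SAMPLE_GRANTS) -> dict:
    """Run both checks and return the findings grouped by kind."""
    return {"rules": audit_inbox_rules(rules), "grants": audit_oauth_grants(grants)}


if __name__ == "__main__":
    for kind, items in run_audit().items():
        for item in items:
            print(kind, item)
```

On the sample data the CFO's "." rule is flagged for all five reasons and the unreviewed "PDF Viewer Pro" consent for Mail.Read plus offline_access, while the internal forward in accounts payable produces nothing. Note that the keyword check is a review aid rather than proof of compromise, so a finding means "look at this rule with the mailbox owner", not "delete it"; removal after review is the remediation, and both the rule and the app consent should be removed before, not after, the password reset.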

03. Data Breach

Customer or employee personal information was accessed, lost, or stolen.

Step-by-step

  1. Contain the breach. Stop the leak, revoke access, and take affected systems offline as needed.
  2. Determine what was accessed and whose data was involved. You need to know: name, contact details, what type of data, and its sensitivity.
  3. Run the PIPEDA RROSH (Real Risk of Significant Harm) test. If it applies, you have 72 hours from that determination to report to the OPC.
  4. Preserve evidence: logs, screenshots, timelines. Don't clean up until investigators have what they need.
  5. Notify affected individuals. PIPEDA requires direct notification; Law 25 in Quebec has additional rules.
  6. Document everything. The OPC will want to see your assessment, your containment actions, and your remediation plan.
  7. Engage legal counsel. Privacy law is complex, and provincial rules (especially Quebec Law 25) may add requirements.

04. AI Deepfake Call

An AI-cloned voice or video of an executive, supplier, or known contact requested sensitive action (wire transfer, password reset, MFA addition).

Step-by-step

  1. STOP. Do not act on the request, no matter how urgent or convincing it sounds.
  2. Hang up. Call the person back on a phone number you already have on file, not one the caller provided.
  3. If a wire was already sent: call your bank immediately, then CAFC (1-888-495-8501).
  4. If credentials were changed: trigger your account-recovery process and engage IT to lock the account.
  5. Report to CAFC with the recording (if available) and the callback number you would have used.
  6. Brief the rest of the team. The same attacker will likely target others in your org within hours.
  7. Update your verification procedures. Add a safe-word pattern for sensitive requests, and make callback verification mandatory in your finance policy.

05. Shadow AI Data Leak

An employee pasted customer PII, source code, or confidential data into ChatGPT, Claude, Gemini, Copilot, or another AI tool.

Step-by-step

  1. Identify what data was shared. Names, emails, financial data, source code, contracts: the more sensitive, the worse the impact.
  2. If personal information was involved: run the PIPEDA RROSH test. Quebec Law 25 may also apply.
  3. Request data deletion from the AI vendor. Most have a process: OpenAI, Anthropic, and Google all accept deletion requests for enterprise accounts. Public/free accounts may not be deletable.
  4. Disable the employee's access to the AI tool. Reset credentials if needed.
  5. Disable 'Improve the model' / 'Help train our AI' across all corporate AI accounts to prevent recurrence.
  6. Report to the OPC within 72 hours if RROSH applies.
  7. Implement controls: enterprise AI licences (M365 Copilot, ChatGPT Enterprise) with no-training guarantees, DNS blocking of public AI tools, awareness training.
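Step 1 usually starts with the employee's own copy of what they pasted (or the tool's chat history). The following is an added example, not the runbook's own tooling, of triaging such a paste: it finds e-mail addresses, Canadian SINs and payment card numbers, validates the numbers with the Luhn check both formats use so that ticket numbers and other 9-digit strings are not miscounted, masks what it finds, and maps the result to the sensitivity factor of the RROSH test. The pasted text is constructed; the SIN in it is the widely published example number, and the card number is a standard test number.

```python
"""Triage text pasted into an external AI tool for Canadian PII.

Added example, not part of the original runbook. The sample paste below is
constructed; the SIN is the publicly used example number and the card number
is a standard test number, so neither belongs to a real person.
"""
import re

SIN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used by both SINs and payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_paste(text: str) -> dict:
    """Return masked findings grouped by type.

    Card numbers are blanked out of the text before the SIN pass so that the
    digit groups of a card cannot be re-read as a SIN.
    """
    findings = {"cards": [], "sins": [], "emails": []}

    def take_card(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings["cards"].append("*" * (len(digits) - 4) + digits[-4:])
            return " "                    # remove it from the SIN pass
        return match.group()

    remainder = CARD_RE.sub(take_card, text)
    for match in SIN_RE.finditer(remainder):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):               # ticket numbers and similar fail here
            findings["sins"].append("***-***-" + digits[-3:])
    findings["emails"] = sorted(set(EMAIL_RE.findall(remainder)))
    return findings


def sensitivity(findings: dict) -> str:
    """First RROSH factor: SINs and financial identifiers are the most
    sensitive classes on the runbook's list, contact details less so."""
    if findings["sins"] or findings["cards"]:
        return "high"
    if findings["emails"]:
        return "moderate"
    return "low"


# Constructed sample paste (no real person's data).
SAMPLE_PASTE = """Hi, can you summarise this customer file for me?
Name: Jordan Example, email jordan.example@example.com
SIN: 046-454-286 (on file), card on account 4111 1111 1111 1111
Reference number 123 456 789 is the internal ticket id."""


if __name__ == "__main__":
    result = scan_paste(SAMPLE_PASTE)
    print(result, "sensitivity:", sensitivity(result))
```

On the sample the scanner reports one SIN, one card and one e-mail address and rates the paste "high"; the 9-digit ticket number fails the Luhn check and is correctly ignored. The masked output is deliberate: the triage record itself goes into the incident file and the OPC report, so it should not become a second copy of the leaked data. Source code and contracts, the other two classes in step 1, need a manual look rather than a regex.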
PIPEDA breach reporting

72 hours. Here's the test.

Under PIPEDA, you must report a breach to the OPC if there is a "real risk of significant harm" (RROSH). You have 72 hours from the moment you determine RROSH applies.

The four RROSH factors

  1. Sensitivity of the personal information: financial, health, SIN and biometric data score higher.
  2. Probability that the information has been, is being, or will be misused: was it encrypted? Was it exfiltrated?
  3. Any other prescribed factor: duration of the breach, whether the information is recoverable.
  4. Whether the information is encrypted: properly encrypted data may not meet the threshold.

What to report to the OPC

  • Description of the circumstances of the breach
  • Date / period the breach occurred (or estimate)
  • Description of the personal information involved
  • Number of individuals affected (or estimate)
  • Steps you have taken / plan to take to reduce risk
  • Steps you have taken / plan to take to notify affected individuals
  • Contact person for the OPC to follow up with
OPC breach reporting portal

In an incident right now?

Call us. We coordinate with the Cyber Centre, CAFC, OPC, and your insurance carrier. We preserve evidence, contain the breach, and restore from backups.

(416) 512-1208