Data Breach Response

Data breach response procedures: 72-hour GDPR notification, CNIL contact, and communication templates

Overview

Under GDPR Article 33, SanMarcSoft must notify the supervisory authority (CNIL, since infrastructure is in France) within 72 hours of becoming aware of a personal data breach. If the breach poses a high risk to individuals, affected data subjects must also be notified (Article 34).

Incident Classification

Severity Levels

Level    | Description                                             | Notification Required
---------|---------------------------------------------------------|----------------------------------------
Critical | Personal data exposed to unauthorized parties           | CNIL + affected users
High     | System compromise with potential data access            | CNIL + assess user notification
Medium   | Unauthorized access attempt, no data confirmed exposed  | Internal log, assess CNIL notification
Low      | Configuration error, no data exposure                   | Internal log only

Immediate Response (Hour 0-4)

Step 1: Contain the Breach

  1. Identify the affected system(s)
  2. Isolate compromised services:

     # Disable a Scaleway container by scaling it to zero
     # (the scw CLI takes key=value arguments, not --flags)
     scw container container update <container-id> min-scale=0 max-scale=0

     # Disable a Cloudflare Worker route so the Worker no longer receives traffic
     curl -s -X DELETE \
       "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/workers/routes/${ROUTE_ID}" \
       -H "Authorization: Bearer $(pass cloudflare/api-token)"

  3. Rotate compromised credentials immediately (see Secret Rotation SOP)
  4. Preserve evidence – do not delete logs

Step 2: Assess the Breach

Document:

  • What data was exposed (types, volume)
  • How the breach occurred
  • When it started and when it was detected
  • Number of affected data subjects
  • Geographic scope

CNIL Notification (Within 72 Hours)

CNIL Contact Information

Notification Content (Article 33)

The notification must include:

  1. Nature of the breach: Description of what happened
  2. Categories and approximate number of data subjects affected
  3. Categories and approximate number of personal data records affected
  4. DPO contact: Name and contact details of the data protection officer (or point of contact)
  5. Likely consequences: Description of the likely consequences of the breach
  6. Measures taken: Description of measures taken or proposed to address the breach

Notification Template

PERSONAL DATA BREACH NOTIFICATION

Date of notification: [DATE]
Date breach detected: [DATE]
Date breach occurred: [DATE] (if known)

Organization: SanMarcSoft
Contact: [DPO Name and Email]

1. NATURE OF THE BREACH
[Description of what happened, which systems were affected]

2. DATA SUBJECTS AFFECTED
Approximate number: [NUMBER]
Categories: [Users of verifieddit.com / Phenom Drop submitters / etc.]
Geographic scope: [EU / Global]

3. DATA CATEGORIES AFFECTED
- Email addresses: [YES/NO]
- Names: [YES/NO]
- Media files: [YES/NO]
- Authentication tokens: [YES/NO]
- Financial data: [YES/NO]

4. LIKELY CONSEQUENCES
[Assessment of risk to data subjects]

5. MEASURES TAKEN
Immediate:
- [Credential rotation]
- [Service isolation]
- [Evidence preservation]

Planned:
- [Root cause analysis]
- [Security improvements]
- [User notification if required]

Data Subject Notification (If High Risk)

When Required

Notify data subjects when the breach is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 34).
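Added helper, not part of this runbook: it encodes the severity table, the Article 33 72-hour clock and the Article 34 decision above, and fills section 3 of the CNIL template. The function names and the set of data types treated as "high risk" are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical helper, not part of the runbook: maps the severity table and
# Articles 33/34 onto concrete duties and tracks the 72-hour CNIL clock.
TEMPLATE_CATEGORIES = ["Email addresses", "Names", "Media files",
                       "Authentication tokens", "Financial data"]
# Data types this helper treats as "high risk" for Article 34 (an assumption).
HIGH_RISK = {"authentication tokens", "financial data"}

@dataclass
class BreachRecord:
    severity: str            # critical / high / medium / low, as in the table
    detected_at: datetime    # when SanMarcSoft became aware (timezone-aware)
    data_categories: set     # lower-case names, e.g. {"email addresses"}
    subjects_affected: int = 0

def make_record(severity, detected_at_iso, data_categories, subjects=0):
    """Build a record from an ISO 8601 detection time, e.g. '2024-01-01T09:00:00+00:00'."""
    return BreachRecord(severity, datetime.fromisoformat(detected_at_iso),
                        {c.lower() for c in data_categories}, subjects)

def cnil_deadline(record):
    """Article 33: notify the supervisory authority within 72 hours of awareness."""
    return record.detected_at + timedelta(hours=72)

def hours_remaining(record, now_iso):
    """Hours left on the CNIL clock; negative means the 72 hours have elapsed."""
    now = datetime.fromisoformat(now_iso)
    return (cnil_deadline(record) - now).total_seconds() / 3600

def obligations(record):
    """Decide who must be notified, following the severity table above."""
    sev = record.severity.lower()
    if sev not in ("critical", "high", "medium", "low"):
        raise ValueError(f"unknown severity: {record.severity}")
    notify_cnil = sev in ("critical", "high")
    # Critical always reaches users; High does so only if high-risk data is involved.
    high_risk = bool(record.data_categories & HIGH_RISK)
    notify_users = sev == "critical" or (sev == "high" and high_risk)
    return {"notify_cnil": notify_cnil, "assess_cnil": sev == "medium",
            "notify_users": notify_users,
            "cnil_deadline": cnil_deadline(record).isoformat()}

def data_categories_section(record):
    """Fill section 3 of the CNIL notification template from the record."""
    rows = [f"- {n}: {'YES' if n.lower() in record.data_categories else 'NO'}"
            for n in TEMPLATE_CATEGORIES]
    return "\n".join(rows)
```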

Notification Template (Email)

Subject: Important Security Notification from [Service Name]

Dear [User],

We are writing to inform you of a security incident that may have affected your personal data.

WHAT HAPPENED
[Clear description of the breach]

WHAT DATA WAS AFFECTED
[List of affected data types]

WHAT WE ARE DOING
[Actions taken to address the breach]

WHAT YOU CAN DO
- Change your password at [URL]
- Monitor your account for unauthorized activity
- [Any other recommended actions]

If you have questions, contact us at [email].

Sincerely,
SanMarcSoft

Post-Incident (Day 3-30)

Root Cause Analysis

  1. Conduct thorough investigation
  2. Document the root cause
  3. Identify security improvements
  4. Update this runbook with lessons learned

Security Improvements

  • Patch the vulnerability
  • Update access controls
  • Review and rotate all potentially affected credentials
  • Implement additional monitoring
  • Update incident response procedures

Follow-up with CNIL

If additional information becomes available after the initial 72-hour notification, submit supplementary notifications to CNIL.

Breach Scenarios and Response

Scenario: Cloudflare API Token Compromised

  1. Immediately revoke the token in Cloudflare Dashboard
  2. Generate new token
  3. Update pass store
  4. Audit DNS and Worker changes for unauthorized modifications
  5. Assess if any user data was accessed via D1 or KV

Scenario: Scaleway Registry Credentials Compromised

  1. Rotate API key in Scaleway Console
  2. Update pass store and Pulumi config
  3. Check for unauthorized image pushes
  4. Redeploy all containers with verified images

Scenario: Clerk Secret Key Compromised

  1. Rotate keys in Clerk Dashboard
  2. Update all consumers (Worker, Stripe backend, Pulumi)
  3. Audit Clerk admin actions for unauthorized user creation/deletion
  4. Notify affected users if unauthorized access occurred

Scenario: Database (D1) Exposed

  1. Assess what data was accessed
  2. If personal data: trigger CNIL notification
  3. Rotate Cloudflare API token (D1 is accessed via API)
  4. Notify affected users
  5. Consider database migration (create new database, import clean data)

Troubleshooting

  • Cannot reach CNIL: Use the online form at https://www.cnil.fr/fr/notifier-une-violation-de-donnees-personnelles as the primary method.
  • Unsure if CNIL notification is required: When in doubt, notify. Under-notification carries higher penalties than over-notification.
  • Multiple breaches: Each breach requires a separate notification unless they are clearly related.