Website or Database Compromise — Quick Reference Guide

First 30 minutes

• Do not restore from backup yet — preserve logs first: web server access logs, database query logs, application error logs, and any security event logs covering the dwell period
• Take the affected system offline if the attacker is actively present — after evidence is preserved
• Identify the vulnerability and entry point: SQL injection form, compromised plugin, stolen admin credential, unpatched software
• Change all admin panel passwords and database credentials immediately — the attacker may have captured credentials stored on the server
• Designate an incident lead — all technical findings and communications route through them
• Record the exact date and time the breach was discovered — this starts your response clock

---

Within 24 hours

• Determine the dwell period: earliest evidence of exploitation in logs, or the date the vulnerability was introduced or publicly disclosed if logs do not show the start
• Map what the attacker could reach from the entry point: which database tables, which file directories, what credentials were stored in config files
• Identify what personal information was in the accessible tables: customer contact data, payment records, hashed or plaintext credentials, SINs, health information, transaction history
• Determine how many individuals are affected and which provinces they are in — this determines whether AB PIPA and BC PIPA apply
• Check for indicators of confirmed exfiltration: large outbound data transfers in logs, database dump files created by the attacker, dark web alerts, customer fraud reports
• Rotate all credentials that may have been accessible: database passwords, API keys, third-party service credentials stored in config or environment files
• Begin your ClearBreach assessment — do not wait for full forensics to start

---

Within 72 hours

• Complete your RROSH assessment in ClearBreach and review your verdict
• If PIPEDA RROSH threshold is met: file OPC Breach Report as soon as feasible — supplement with additional findings as investigation continues
• If Alberta PIPA applies and RROSH is met: notify OIPC Alberta (breachnotice@oipc.ab.ca) and affected individuals simultaneously
• If BC PIPA applies and RROSH is met: notify the OIPC BC through their official breach notification process and notify affected BC residents directly
• Send individual notifications: describe what happened in plain language, what information was involved, what the organization is doing, and what individuals can do — for credential exposure, advise password changes on your site and any other site where the same password was used; for payment card exposure, advise immediate contact with their card issuer
• Patch the exploited vulnerability — after evidence preservation and assessment are under way

---

Ongoing — until resolution

• Supplement your OPC and provincial breach reports as forensic findings develop — if material new information changes the scope or RROSH assessment, update regulators and notify individuals who were not previously notified
• Monitor for data misuse: credential stuffing alerts, phishing campaigns using your customer data, fraud reports from affected individuals
• Retain all records — logs, forensic reports, internal assessment records, notifications sent — for 24 months minimum from date of discovery
• Conduct a full security review: vulnerability scan across all web properties, review plugin and dependency versions, enable web application firewall, implement database query logging going forward
• If a card-skimming script was involved: notify your payment processor and card brands immediately — PCI-DSS obligations run in parallel with your PIPEDA and PIPA obligations

---

Alberta PIPA — specific steps

• Notify the OIPC Alberta and affected individuals simultaneously — simultaneous filing triggers the streamlined review process
• Complete the official OIPC Alberta Notification Form — do not substitute an informal letter
• Attach the AB PIPA Individual Notice (s.19.1) to your OIPC Alberta submission (Section D)
• Submit by email to breachnotice@oipc.ab.ca

---

BC PIPA — specific steps

• BC PIPA applies if any affected individuals are BC residents — applies regardless of where your organization is based
• OIPC BC voluntary reporting is available even if RROSH is not present — for compromises where exfiltration cannot be confirmed but the attacker had database access, voluntary reporting demonstrates good faith
• If RROSH is present: notify the OIPC BC through their official breach notification process at oipc.bc.ca and notify affected BC residents directly
• Do not substitute a general public notice for direct individual notification

---

Dwell period — if logs are incomplete

Situation	Use as dwell start
First malicious query visible in logs	That log timestamp
Logs exist but earliest exploitation not visible	Date the vulnerability was publicly disclosed for your software version
No logs available for the affected period	Date the vulnerable software or plugin was installed or last updated
Plugin or CMS version unknown	Date of last confirmed secure state (last update or security scan)

Always use the most conservative (earliest) estimate — do not anchor on the discovery date.

---

MSPs — if managing this for a client

• Notify the client immediately with full technical details: entry point, dwell period, database scope, remediation taken — the client's response clock starts when you inform them
• The client organization is the accountable party under PIPEDA and PIPA for their individuals' personal information; your role is to provide the facts that enable their RROSH assessment
• If your own managed infrastructure was the entry point affecting multiple clients, each affected client requires a separate notification and a separate ClearBreach assessment
• Run each client's assessment under your MSP account and keep all records separate