First 24 hours
- Identify which accounts and data elements were exposed.
- Reset reused passwords and enforce MFA on the most sensitive accounts.
- Capture evidence: breach notice, incident date, affected service and support case IDs.
- Monitor bank, payment and mailbox activity for suspicious actions.