In response to a data breach, what is the first action you should take?

• A. Contain the breach.
• B. Assess scope.
• C. Notify affected parties.
• D. Document and remediate security controls.

Answer: (A)

The priority in a data breach is to contain the breach. Stopping the attacker’s access right away minimizes ongoing data exposure, prevents the breach from spreading to additional systems, and helps preserve evidence for later analysis. Containment actions might include isolating affected machines, revoking compromised credentials, or tightening network controls to block continued access. Once the breach is contained, you can properly assess the scope and impact, determine what data was accessed, and then proceed with notifying affected parties and remediating security controls. Trying to assess scope or notify before containment risks more data loss and a more complex investigation, which is why containment comes first.