
Toro Solutions – Responding to a breach: what organisations usually get wrong

For the ODDA by Toro Solutions

For most organisations, a data breach is still treated as an exceptional event: something serious, but unlikely. The reality is that any business that holds personal data at scale will eventually have to manage an incident, whether it is sensitive data emailed to the wrong recipient, credential compromise, third-party exposure, misconfiguration, targeted intrusion or something else.

For online dating and discovery platforms, the impact is unlikely to be limited to a technical clean-up. The data they hold is highly personal and user confidence is fragile. That changes the pressure profile for the industry: you are dealing with containment and investigation while users, partners, regulators and the press are already forming views.

The uncomfortable truth is that many organisations do not struggle because they lack tools. They struggle because they have never had to make high-impact decisions with incomplete information and external scrutiny at the same time.

The first hours are usually the most damaging

Most breaches do not escalate because of advanced attack techniques. They escalate because action is slow, fragmented or overly cautious.

Teams wait for certainty before isolating systems, commercial leaders worry about downtime, communications wants a complete narrative before saying anything, and while all this is happening, attackers can still be active.

In many cases, by the time agreement is reached, containment is much harder and the blast radius is larger. In many incidents the technical problem is manageable if it is responded to efficiently and calmly. It is often the organisational hesitation that turns it into something else.

Incident response breaks down along internal boundaries

We often find that during live incidents, organisations revert to their organisational structure and each team sits within its own swim lane.

Security teams focus on indicators and logs, IT focuses on service availability, legal focuses on liability and disclosure, communications focuses on reputation and senior leadership focuses on business impact.

All of those perspectives matter, but the response needs to be aligned, and teams need to work together. Communication is key. The problem is that an incident often unfolds in a disjointed way. Without pre-agreed decision rights, response becomes a negotiation, and that is when critical actions are delayed while teams lack clarity about risk, responsibility and consequence.

Effective response depends on governance. Someone needs the authority to take disruptive action early, with the expectation that detail will follow.

Root cause can wait, containment cannot

One of the most common mistakes is prioritising investigation over stopping further exposure.

Organisations want to understand exactly how access was gained before taking significant action. That instinct is understandable, but it is also dangerous: it can lead to days of analysis while the attacker's access persists.

Many modern breaches involve compromised credentials, misused third-party access, or misconfigured platforms. These often look mundane on paper, but they can be embedded across multiple systems. The priority is to reduce exposure first, and then root cause analysis should follow.

Third parties are where response usually gets messy

A growing number of incidents involve contractors, suppliers, shared tooling, or managed platforms. This is where response often slows down further.

Access rights are unclear, data ownership is ambiguous and contracts are often reviewed in real time. While responsibility is being debated, the risk of the breach getting worse grows significantly.

During an incident, organisations often discover either that they cannot answer basic questions quickly or, if they can, that it is unclear who should answer them:

  • Which systems can this supplier access today?
  • What data do they process or store?
  • How quickly can we revoke access?
  • Who has authority to instruct them during a breach?

These are governance gaps.

They also explain why third-party incidents so often trigger regulatory attention, even when the original compromise is limited.

Communication should be a key part of response, not a separate workstream

Many organisations treat communication as something that happens after containment, but in reality communication is happening whether you choose to participate or not.

Users talk.

Staff talk.

Partners talk.

Media speculate.

Silence creates narratives, and those narratives are rarely helpful.

Well-handled incidents tend to involve early, controlled communication that avoids over-claiming, sets expectations, and confirms what users should do next. Poorly handled incidents either say nothing for too long or make definitive statements that later need correction.

Internally, communication matters just as much. Response teams under sustained pressure make mistakes when leadership is absent, priorities change daily or decisions are constantly revisited.

Exercises expose the real issues

In our experience, tabletop exercises rarely fail because of technical gaps. One of the most common reasons they fail is that nobody is certain who is allowed to make which decisions.

Who can take systems offline? Who contacts regulators? Who speaks externally? Who authorises external support? Who signs off user notifications?

Many organisations only answer these questions properly in the middle of a live incident, when time is scarce and stakes are high.

Exercises are valuable when they test authority, escalation, coordination and decision-making under pressure.

The aftermath is where most improvement is lost

Once a breach is contained, there is usually a strong desire to move on: service begins to recover, headlines fade and teams return to their day jobs. Post-incident reviews are nonetheless critical.

Post-incident work should not focus only on technical remediations; it needs to address everything: how decisions were made, where authority was unclear, why escalation was slow and what information was missing when it mattered. Those are the same issues that will surface again in the next incident if they are left unaddressed.

What good looks like

A breach response that holds together under pressure usually has a few characteristics in common:

  • Clear authority for containment actions
  • A small, empowered incident leadership group
  • Defined thresholds for regulator and user engagement
  • Strong third-party access and contact controls
  • A communications plan that can operate with uncertainty
  • Practised handovers between technical response, legal, and public messaging

None of this prevents incidents, but it does limit how far they spread and how long they last, and it reduces the number of decisions that have to be invented in the moment.

Visit https://www.torosolutions.co.uk/ for more advice and information about cyber security.
