September 6, 2023

Understanding the Costs of Incident Response: Data Mining + Notification

For the fifth post in our series on Understanding the Costs of Incident Response, we look at a critical aspect of incident response that often comes with substantial costs and complexities—data mining & notification. Attackers are adept at maximizing the pain inflicted on victims, making data exfiltration a common component of their attacks.

Beyond in-house recovery efforts, victims who have experienced a data breach need to quickly determine whether third parties might be affected. There may be distinct legal and contractual obligations to employees, beneficiaries, customers, business partners, regulators, and more.

Satisfying these obligations requires a thorough understanding of accessed, damaged, or stolen data. Unfortunately, organizations rarely have the context or pre-existing controls to streamline that impact analysis. Rarer still is an authoritative inventory of affected third parties and their contact information. This is where a data mining exercise become essential.

Data mining helps victims unravel the complex coil of affected data and the third-party obligations that data invokes. Combing through the troves of information that attackers may have stolen – whether structured data in spreadsheets or unstructured content like scanned documents and images – is typically time consuming and resource intensive. While this process can be reduced by high fidelity investigation and negotiation findings, the cost ultimately depends on the structure and volume of impacted data.

Once the affected parties are identified, organizations also need to create a comprehensive notification plan. This often includes formal notification letters, call centers to handle inquiries, and a thoughtful communication strategy. It is important to note that notification is usually required even if a ransom is paid to suppress the release of data. MOXFIVE encourages organizations to engage experienced third-party breach and privacy legal counsel to understand their obligations.

Traditionally, data mining has been a very manual process that demanded large analytical teams to give each document human attention. Now, effort and cost can be dramatically reduced by working with purpose-built AI/ML tools and dedicated teams. On a recent case, MOXFIVE worked with a large medical client to process over 15 TB of data in one week, cutting the notification timeline from six months to just one and overall costs by 50%. This client would not have been able to meet regulatory deadlines without this more modern approach.

Data breached are minefields fraught with nuanced obligations, technical challenges, and hidden financial setbacks. Organizations must not only focus on recovering their systems but also on managing relationships with affected parties, navigating business interruptions, and quantifying losses. This multifaceted challenge underscores the importance of proactive cybersecurity measures, incident response planning, and building a resilient organizational framework that can weather the storm of data breaches and cyber-attacks.

<< Previous Post                      Next Post: Business Interruption

Need help now? Contact us at or on our website and talk to one of our technical advisors.

James Gimbi

James Gimbi brings over ten years of breach response, cybersecurity strategy, and public interest technology experience to MOXFIVE. He investigated state sponsored and criminal cyber attacks across defense, finance, healthcare, and government and advanced bipartisan privacy and technology initiatives as a policy advisor in the US Senate. James's blended expertise helps corporate and federal leaders reduce cyber risk and tackle complex threats.

Experts predict there will be a ransomware
attack every 11
seconds in 2021.
from Cybercrime Magazine
Our mission is to minimize the business impact of cyber attacks. 


Incident Response

MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.

Learn More

Business Resilience

With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.

Learn More