Incident Response: When Things Go Wrong
Know exactly what to do when an account is compromised, a device is stolen, or you fall victim to a scam. Prepare your response plan now.
Hope for the Best, Plan for the Worst
No security is perfect. Even with strong passwords, two-factor authentication, and careful browsing, something can still go wrong. Devices get stolen. Data breaches expose your information. Sophisticated scams catch smart people.
By the end of this lesson, you will have a personal incident response plan that tells you exactly what to do when something goes wrong.
Quick Recall: In the previous lesson, we built privacy defenses including browser settings, social media restrictions, and location controls. These reduce risk, but they do not eliminate it. Let us prepare for the incidents that get through.
Why You Need a Plan Before an Incident
When your account gets hacked or your phone is stolen, you will feel panic. Panic is the enemy of good decision-making.
A prepared plan does three things:
- Removes the need to think under pressure
- Ensures you take actions in the right order
- Prevents you from forgetting critical steps
Think of it as a fire escape plan. You figure out the exits before the building is on fire.
Scenario 1: Account Compromise
Someone has accessed your account without permission.
Immediate actions (first 15 minutes):
- Change the password on the compromised account immediately
- Enable 2FA if not already active
- Check for unauthorized changes:
  - Email: Look for forwarding rules (attackers set these to keep receiving your email)
  - Social media: Check for posts you did not make
  - Financial: Review recent transactions
- Sign out all other sessions (most services have a “sign out everywhere” option)
- Change passwords on connected accounts (anything using the same password or linked to the compromised account)
Follow-up actions (next 24 hours):
- Review login activity logs (most services show where and when your account was accessed)
- Check if the compromised password was used on other sites (if you reused it, change it everywhere)
- Report the compromise to the service provider
- Alert contacts if the attacker may have sent messages from your account
Quick Check: Why should you check for email forwarding rules after an account compromise?
Scenario 2: Device Lost or Stolen
Your phone or laptop is gone.
Immediate actions:
- Use Find My Device to locate, lock, or wipe remotely
  - iPhone: icloud.com/find
  - Android: android.com/find
  - Mac: icloud.com/find
  - Windows: account.microsoft.com/devices
- Change passwords for all accounts logged in on that device (starting with email and banking)
- Contact your phone carrier to suspend or lock your SIM card (prevents SIM-based authentication)
- Enable lost mode on the device (displays a message for anyone who finds it)
Follow-up actions:
- Report to police (needed for insurance claims)
- Monitor financial accounts for unauthorized activity
- Revoke device access from cloud services (Google, Apple, Microsoft account settings)
- If the device had a password manager, check that the master password was not saved on the device itself
If the device is recovered:
- Check for tampering before using it
- Run a security scan
- Change passwords that may have been visible on the lock screen
Scenario 3: Phishing Victim
You clicked a phishing link or entered credentials on a fake site.
Immediate actions:
- Change the password for the account whose credentials you entered
- Enable 2FA on that account
- Scan your device for malware (the phishing link may have also installed something)
- Check for unauthorized activity on the compromised account
- Do not click any further links in the phishing email
If you entered financial information:
- Contact your bank immediately to freeze or monitor the card
- Monitor your statements for unauthorized charges
- Request a new card number
Quick Check: What are the first two actions you should take if you realize you entered your password on a phishing website?
Scenario 4: Data Breach Notification
A company notifies you that your data was exposed in a breach.
Actions:
- Change your password on that service immediately
- Change any identical passwords on other sites (this is why reuse is dangerous)
- Monitor for phishing related to the breach (attackers use breach data to craft convincing phishing emails)
- Consider a credit freeze if financial data was exposed (free through credit bureaus)
- Monitor financial statements for unusual activity over the next 3-6 months
Scenario 5: Identity Theft
Someone is using your personal information fraudulently.
Actions:
- Place a fraud alert with one credit bureau (they notify the others):
  - Equifax: 1-888-766-0008
  - Experian: 1-888-397-3742
  - TransUnion: 1-800-680-7289
- File an identity theft report at IdentityTheft.gov
- Place a credit freeze with all three bureaus (prevents new accounts being opened)
- Report to local police (you may need the report for disputes)
- Monitor credit reports for unauthorized accounts
Your Personal Incident Response Card
Create a reference card with critical information you would need in an emergency:
INCIDENT RESPONSE CARD
DEVICE TRACKING
- iPhone/Mac: icloud.com/find
- Android: android.com/find
- Windows: account.microsoft.com/devices
FINANCIAL CONTACTS
- Bank: [PHONE NUMBER]
- Credit card: [PHONE NUMBER]
- Phone carrier: [PHONE NUMBER]
CREDIT BUREAUS
- Equifax: 1-888-766-0008
- Experian: 1-888-397-3742
- TransUnion: 1-800-680-7289
IDENTITY THEFT
- Report: IdentityTheft.gov
- FTC: ReportFraud.ftc.gov
PASSWORD MANAGER
- Master password recovery: [YOUR METHOD]
- 2FA backup codes: [STORED LOCATION]
Print this card and keep a copy in your wallet or a secure location. You will not be able to search for these details calmly during a real incident.
Try It Yourself
Prepare your incident response plan now:
- Fill in the incident response card above with your personal information
- Verify you can access Find My Device for your phone and laptop
- Confirm you know where your 2FA backup codes are stored
- Test that you can log into your email from a different device
- Store the completed card in a secure but accessible location
Key Takeaways
- Prepare your incident response plan before you need it because panic during an incident leads to mistakes and forgotten steps
- For account compromises, act fast: change password, enable 2FA, check for forwarding rules, and sign out all sessions
- For stolen devices, use Find My Device to lock or wipe remotely and immediately change passwords for accounts logged in on that device
- Keep a printed incident response card with critical phone numbers and account recovery information
- Data breach notifications require changing passwords on the affected service and any other service where you reused that password
Up Next
In Lesson 8: Capstone: Your Personal Security Plan, we will assemble everything into a comprehensive security plan with a step-by-step implementation checklist.