If you have noticed suspicious activity in your systems, one question matters most: was customer data actually stolen?
The TL;DR (too long; didn't read): What are the signs your data was stolen?
- Unusual data transfers
- Suspicious logins
- Missing or staged files
- Ransom or extortion messages
- Customer reports of misuse
NIST’s incident response guidance has historically emphasized detection and analysis, containment, eradication, recovery, and post-incident improvement. Its current SP 800-61 Rev. 3 guidance frames incident response as part of broader cybersecurity risk management.
For small business owners, this is not just a technical issue. It affects customer trust, legal obligations, and the speed of your response. The FTC's data breach guide for businesses advises companies to move quickly to secure systems and fix vulnerabilities after a suspected or confirmed breach because delay increases the risk of additional harm.
What counts as data theft?
A cyber incident becomes much more serious when sensitive information is accessed, copied, or disclosed without authorization. Verizon distinguishes security incidents from confirmed data breaches; in DBIR terminology, a breach involves confirmed compromise or disclosure of data to an unauthorized party, not merely suspicious activity.
This can include customer names, email addresses, phone numbers, payment-related data, passwords, and internal business files. NIST's incident handling guidance focuses on analyzing logs, network traffic, and other evidence to understand whether an incident involved unauthorized access or loss of confidentiality.
Signs your business data was stolen
Unusual outbound traffic
One of the most important warning signs is unusual outbound traffic. NIST incident response guidance highlights monitoring and analyzing incident data, while practical guidance based on NIST specifically identifies unusual outbound traffic as a sign that data exfiltration may be taking place.
If your business normally sends modest amounts of data but suddenly shows large uploads, overnight transfers, or connections to unfamiliar destinations, treat that as a serious red flag. Attackers often move data out quietly, outside normal business hours, to avoid attention.
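As an added illustration of the check described above (this is example code written for this article, not a NIST tool or anything the article's sources ship), the script below reads a constructed outbound-connection log and flags transfers that are far above a host's usual volume, happen outside business hours, or go to a destination the business has never talked to before. The log format, the allow-list of known destinations, the business-hours window and the 10x multiplier are all assumptions chosen for the demonstration.

```python
"""Flag unusual outbound transfers in a simple connection log (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, source host, destination, bytes sent.
# The 02:14 entry is the one a defender should notice.
SAMPLE_LOG = """\
2024-05-06T09:12:04 ws-finance 203.0.113.10 4200
2024-05-06T10:30:41 ws-finance 203.0.113.10 9800
2024-05-06T11:02:13 ws-sales 203.0.113.20 12000
2024-05-06T14:45:02 ws-sales 203.0.113.20 15000
2024-05-07T02:14:55 ws-finance 198.51.100.77 820000000
2024-05-07T09:05:10 ws-sales 203.0.113.20 11000
"""

# Destinations the business normally talks to (constructed allow-list).
KNOWN_DESTINATIONS = {"203.0.113.10", "203.0.113.20"}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time (assumption)
VOLUME_MULTIPLIER = 10          # flag if > 10x the host's typical transfer


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, size = line.split()
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "dst": dst, "bytes": int(size)})
    return events


def baseline_per_host(events):
    """Median bytes per connection for each host; the median is robust to
    the very outlier we are trying to catch, so it can be computed over the
    same log without the anomaly dragging the baseline up."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e["host"]].append(e["bytes"])
    baselines = {}
    for host, sizes in per_host.items():
        ordered = sorted(sizes)
        baselines[host] = ordered[len(ordered) // 2]
    return baselines


def find_suspicious_transfers(events):
    """Return (time, host, destination, bytes, reasons) for each flagged event."""
    baselines = baseline_per_host(events)
    findings = []
    for e in events:
        reasons = []
        if e["bytes"] > VOLUME_MULTIPLIER * baselines[e["host"]]:
            reasons.append("volume")
        if e["time"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if e["dst"] not in KNOWN_DESTINATIONS:
            reasons.append("unknown-destination")
        if reasons:
            findings.append((e["time"].isoformat(), e["host"], e["dst"],
                             e["bytes"], reasons))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_transfers(parse_log(SAMPLE_LOG)):
        print(finding)
```

A single transfer that trips all three tests at once, as the 02:14 entry does here, is exactly the pattern the section describes: a large, overnight upload to somewhere unfamiliar. In practice the allow-list and business-hours window would come from your own firewall or proxy history rather than being hard-coded.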
Suspicious logins and account use
Another major clue is suspicious account activity. NIST recommends collecting and analyzing logs and forensic data so organizations can identify unauthorized access, assess scope, and classify the severity of incidents.
Look for logins from unfamiliar places, repeated failed login attempts followed by success, or employee accounts accessing customer records they do not normally use. If a legitimate account is compromised, attackers may browse and download data without setting off obvious alarms.
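The three login patterns listed above can be checked mechanically. The script below is an added example written for this article (not code from NIST or any product the article cites): it walks a constructed authentication log to find a burst of failures followed by a success from the same source, logins from a source address a user has never used before, and, from a separate constructed data-access log, accounts touching record sets outside their normal profile. The log formats, the per-user "known sources" and "normal access" tables, the 3-failure threshold and the 5-minute window are all assumptions.

```python
"""Spot suspicious logins and out-of-profile data access (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth log: timestamp user source_ip result
AUTH_LOG = """\
2024-05-06T08:01:00 alice 192.0.2.10 success
2024-05-06T08:05:00 bob 192.0.2.11 success
2024-05-06T22:10:00 alice 198.51.100.5 failure
2024-05-06T22:10:20 alice 198.51.100.5 failure
2024-05-06T22:10:45 alice 198.51.100.5 failure
2024-05-06T22:11:10 alice 198.51.100.5 failure
2024-05-06T22:11:30 alice 198.51.100.5 success
2024-05-07T08:02:00 bob 192.0.2.11 success
"""

# Constructed data-access log: timestamp user dataset
ACCESS_LOG = """\
2024-05-06T08:10:00 alice invoices
2024-05-06T08:12:00 bob support_tickets
2024-05-06T22:15:00 alice customer_pii_export
2024-05-07T08:10:00 bob support_tickets
"""

# Which datasets each account normally touches (constructed profile).
NORMAL_ACCESS = {"alice": {"invoices"}, "bob": {"support_tickets"}}
# Source addresses each user is known to log in from (constructed).
KNOWN_SOURCES = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.11"}}

FAILURE_THRESHOLD = 3            # failures before a success that we care about
WINDOW = timedelta(minutes=5)    # how close together they must be


def parse_events(text, fields):
    """Parse a whitespace-separated log into dicts keyed by `fields`;
    the first field is always the ISO timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = dict(zip(fields, line.split()))
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return events


def find_suspicious_logins(auth_events):
    """Return (time, user, ip, reasons) for each successful login that
    followed a burst of failures or came from an unfamiliar source."""
    findings = []
    recent_failures = defaultdict(deque)   # (user, ip) -> failure timestamps
    for ev in auth_events:
        key = (ev["user"], ev["ip"])
        if ev["result"] == "failure":
            recent_failures[key].append(ev["time"])
            continue
        # Success: drop failures older than the window, then evaluate.
        q = recent_failures[key]
        while q and ev["time"] - q[0] > WINDOW:
            q.popleft()
        reasons = []
        if len(q) >= FAILURE_THRESHOLD:
            reasons.append(f"{len(q)} failures then success")
        if ev["ip"] not in KNOWN_SOURCES.get(ev["user"], set()):
            reasons.append("unfamiliar source")
        if reasons:
            findings.append((ev["time"].isoformat(), ev["user"], ev["ip"], reasons))
        q.clear()
    return findings


def find_unusual_access(access_events):
    """Return (time, user, dataset) where a user read data outside their profile."""
    return [(ev["time"].isoformat(), ev["user"], ev["dataset"])
            for ev in access_events
            if ev["dataset"] not in NORMAL_ACCESS.get(ev["user"], set())]


if __name__ == "__main__":
    auth = parse_events(AUTH_LOG, ("time", "user", "ip", "result"))
    print(find_suspicious_logins(auth))
    print(find_unusual_access(parse_events(ACCESS_LOG, ("time", "user", "dataset"))))
```

Reading the two outputs together is the point: a late-night success after repeated failures from a new address, followed minutes later by that same account pulling a customer export it never normally touches, is the "compromised legitimate account browsing and downloading data" scenario the paragraph warns about, and none of it would trip a simple failed-login alarm on its own.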
Missing, staged, or reorganized files
Data theft does not always mean files disappear, but attackers often gather files into one place before removing them. NIST's guidance on incident analysis and forensic backup supports reviewing affected systems for evidence of attacker activity, including how files were prepared and handled during the incident.
Warning signs include ZIP files you did not create, customer records copied into unusual folders, or large collections of files grouped for export. Even when the original files remain untouched, these staging behaviors can point to attempted or completed theft.
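To make the staging signs above concrete, the script below (an added example written for this article, not code from NIST or from any cited source) scans a directory tree for two things: archive files modified recently, and folders where an unusually large number of files were modified in the same recent window, which is what a pile of copied customer records looks like on disk. The `build_demo_tree` helper creates a throwaway directory that mimics that pattern so the example runs offline; the archive extensions, the one-day lookback and the five-file threshold are assumptions.

```python
"""Find recently created archives and 'busy' folders that may be staging areas (added example)."""
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

# Archive types commonly used to bundle files; extend to match your environment.
ARCHIVE_EXTENSIONS = {".zip", ".7z", ".rar", ".tar", ".gz", ".tgz"}


def find_staging_candidates(root, max_age_days=1, min_recent_files=5):
    """Return (recent_archives, busy_dirs) under `root`.

    recent_archives: archive files modified within the last `max_age_days`.
    busy_dirs: directories in which at least `min_recent_files` files were
               modified within that same window.
    Both lists are sorted so results are stable for review."""
    since = time.time() - max_age_days * 86400
    recent_archives = []
    recent_per_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                mtime = path.stat().st_mtime
            except OSError:
                continue          # file vanished or unreadable; skip it
            if mtime < since:
                continue
            recent_per_dir[dirpath] += 1
            if path.suffix.lower() in ARCHIVE_EXTENSIONS:
                recent_archives.append(str(path))
    busy_dirs = sorted(d for d, n in recent_per_dir.items() if n >= min_recent_files)
    return sorted(recent_archives), busy_dirs


def build_demo_tree():
    """Construct a temporary tree for demonstration: an old, quiet documents
    folder plus a fresh 'out' folder full of copied records and a ZIP."""
    root = tempfile.mkdtemp(prefix="staging-demo-")
    thirty_days_ago = time.time() - 30 * 86400
    docs = Path(root) / "shared" / "docs"
    docs.mkdir(parents=True)
    for i in range(3):
        p = docs / f"report{i}.docx"
        p.write_text("constructed old document")
        os.utime(p, (thirty_days_ago, thirty_days_ago))   # make it look old
    staging = Path(root) / "tmp" / "out"
    staging.mkdir(parents=True)
    for i in range(6):
        (staging / f"customers_part{i}.csv").write_text("constructed copied record")
    (staging / "customers.zip").write_bytes(b"PK\x05\x06" + b"\x00" * 18)  # empty zip
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    archives, busy = find_staging_candidates(demo_root)
    print("recent archives:", archives)
    print("busy folders:", busy)
```

Treat hits as leads, not proof: file timestamps can be altered by whoever created the staging folder, and legitimate backups or exports produce the same shape. Cross-check any candidate folder against the login and transfer evidence from the same time window before drawing conclusions.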
Ransom notes and extortion threats
If ransomware is involved, read the message carefully. The 2024 Verizon Data Breach Investigations Report discussion highlights ransomware and extortion as major breach patterns, and extortion threats often involve claims that data was copied before systems were encrypted.
A note saying “we copied your data” is not absolute proof on its own, but it should be treated as credible risk until proven otherwise. Businesses should not assume ransomware only affected availability; confidentiality may also have been compromised.
Customer reports and external alerts
Sometimes the first confirmation comes from outside the business. Customers may report phishing emails that use accurate personal information, or breach-monitoring services may alert you that company-related accounts have surfaced in known breach datasets.
These external clues matter because they show that stolen information may already be circulating or being misused. If customers start receiving scams that reference real account details or purchases, the possibility of data theft becomes much more likely.
How to confirm whether data was stolen
There is rarely one perfect piece of proof. NIST recommends analyzing logs, network traffic, and forensic evidence together so the organization can determine the nature, extent, and impact of an incident.
Start by checking who logged in, when they logged in, what systems they accessed, and whether large amounts of data left the environment. If the answer remains unclear, forensic specialists can help reconstruct attacker behavior and determine whether sensitive data was likely copied or removed.
What to do next
If theft looks possible, respond as though customer data may have been exposed. The FTC advises businesses to secure systems quickly, fix vulnerabilities, preserve evidence, and assess obligations to notify affected parties. (Notification requirements vary by state, country, industry, and type of data, so this is a good point to involve legal counsel or a qualified breach-response professional.)
Useful first steps include resetting passwords, enabling multi-factor authentication, isolating affected systems, preserving logs, and identifying which records may have been exposed. NIST also frames incident response as a lifecycle that includes detection and analysis, containment, eradication, recovery, and post-incident improvement.
Why this matters for small businesses
Small businesses are not too small to be targeted. The 2026 Verizon DBIR shows why small businesses need to pay attention to both people and systems: 31% of breaches now start with software vulnerabilities, 48% involve ransomware, and 62% involve the human element.
The longer a breach goes undetected, the harder it becomes to contain the fallout. Recognizing the signs early gives business owners a better chance to protect customers, reduce downtime, and make sound decisions under pressure.
Quick checklist
Use these questions to decide whether to escalate the incident as a possible data breach:
- Did someone gain unauthorized access to systems or accounts?
- Did they reach customer or business data that should have been protected?
- Is there any sign that files were copied, staged, transferred, or misused?
If the answer is yes or probably yes across those questions, treat the situation as a serious breach risk and move into response mode.
Next week's topic
Next week, the focus shifts from detection to response: how to treat an incident as a confirmed data breach. That includes what to do in the first 24 to 72 hours, how to contain the damage, when customer notification may be necessary, and which early mistakes can make the situation worse.