The Colonial Pipeline Attack Changed Incident Reporting Forever
In May 2021, the Colonial Pipeline ransomware attack shut down fuel distribution across the U.S. East Coast. The company paid a $4.4 million ransom. But here's what most people missed: Colonial Pipeline reported the incident to the FBI within hours — and that fast reporting led to the recovery of roughly $2.3 million of that ransom payment. Knowing how to report a cyber incident literally saved them millions.
If your organization experiences a breach, a ransomware attack, or even a suspicious phishing email that succeeded, the clock starts ticking immediately. Who do you call? What do you report? In what order? Most organizations I've worked with don't have clear answers to these questions until it's too late.
This guide walks you through exactly what to do, who to contact, and the timelines that matter. Whether you're a small business owner, an IT administrator, or a security-conscious employee, these steps could be the difference between a contained incident and a catastrophic breach.
What Counts as a Cyber Incident Worth Reporting?
Not every spam email requires a federal report. But a surprising number of incidents go unreported because people aren't sure they qualify. Here's a clear breakdown.
Incidents You Should Always Report
- Ransomware attacks — any encryption of files with a ransom demand, even if you don't pay.
- Data breaches — unauthorized access to personal data, financial records, health information, or intellectual property.
- Business Email Compromise (BEC) — a threat actor impersonates an executive or vendor to redirect funds or steal credentials.
- Credential theft — confirmed unauthorized access using stolen usernames and passwords.
- Successful phishing attacks — an employee clicked a link or submitted credentials to a fraudulent site, and systems or data were compromised.
- Network intrusions — any evidence of unauthorized access to your systems, even if no data was visibly taken.
- Denial-of-service attacks — sustained attacks that disrupt your operations.
The FBI's Internet Crime Complaint Center (IC3) received 847,376 complaints in 2021, with reported losses exceeding $6.9 billion — a 7% increase in complaints and a 64% increase in losses compared to 2020. Many of those losses grew larger because reporting was delayed.
How to Report a Cyber Incident: The Exact Steps
Here's the sequence I recommend to every organization I advise. Order matters. Acting in parallel is even better if you have the team for it.
Step 1: Contain First, Then Report
Before you pick up the phone, stop the bleeding. Isolate affected systems from the network. Don't power them off — forensic evidence lives in memory. Disconnect the Ethernet cable or disable Wi-Fi. If it's a compromised account, reset the password and revoke active sessions immediately.
This step takes minutes, not hours. Don't skip it to start reporting. A still-active intrusion will cause more damage while you're on hold with a hotline.
Step 2: Report to the FBI's IC3
File a complaint at ic3.gov. This is the FBI's central intake for all cyber crime reports in the United States. You'll need:
- Date and time of the incident
- How the attack occurred (phishing email, exploited vulnerability, social engineering, etc.)
- What systems or data were affected
- Any financial losses
- IP addresses, email addresses, Bitcoin wallet addresses, or other indicators of compromise
- Any communications from the threat actor
I've seen organizations skip IC3 because they think it's just a form that goes into a void. It isn't. IC3 data feeds directly into FBI field offices, and in cases involving wire transfers or ransomware payments, they've recovered funds — sometimes within days.
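To take some of the retyping out of Step 2, here is a small Python helper that pulls the indicator types the IC3 form asks for (IP addresses, e-mail addresses, Bitcoin wallet addresses) out of pasted artefacts, drops your own internal addresses, defangs the rest so they don't auto-link in a ticket, and lays the result out against the field list above. This is an added example, not code from the original article or from IC3; the `build_report` field names are my mapping of that list, not IC3's schema, and the ransom note, mail headers, domains, IP ranges and wallet string are all constructed.

```python
"""Turn raw incident artefacts into the indicator list the IC3 complaint asks for.

Added example, not part of the original article. The ransom note, mail headers
and addresses below are constructed: documentation IP ranges (RFC 5737), .test
and .example domains, and a wallet string that is not a real Bitcoin address.
"""
from __future__ import annotations

import ipaddress
import json
import re
from dataclasses import asdict, dataclass, field

# Indicator types named in the IC3 field list: IP addresses, e-mail addresses,
# Bitcoin wallet addresses.
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# Legacy base58 addresses start with 1 or 3; bech32 addresses start with bc1.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})\b")

# Address space that belongs to you, not the threat actor; these only clutter a report.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed artefacts standing in for what an analyst would paste in.
SAMPLE_ARTEFACTS = """\
Received: from mail.example-onion.test (203.0.113.45) by mx.victim.example (10.0.0.5)
From: decrypt-help@example-onion.test
To: cfo@victim.example
Subject: Your files

Your network is encrypted. Send 2 BTC to 1DemoRansomPayAddrXXXXXXXXXXXXXXXX within 72 hours.
Contact us at decrypt-help@example-onion.test. Proof of access: file server 192.168.1.20,
exfiltrated via 198.51.100.7.
"""


def is_internal(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def extract_indicators(text: str, own_domains: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Pull indicators out of free text, dropping your own internal addresses
    (private IP space and your own mail domains) so only the actor's side remains."""
    ips = sorted({ip for ip in IPV4_RE.findall(text) if not is_internal(ip)})
    emails = sorted({
        addr for addr in EMAIL_RE.findall(text)
        if addr.rsplit("@", 1)[1].lower() not in own_domains
    })
    wallets = sorted(set(BTC_RE.findall(text)))
    return {"ip_addresses": ips, "email_addresses": emails, "bitcoin_wallets": wallets}


def defang(indicator: str) -> str:
    """Neutralise an indicator so mail clients and ticketing tools don't auto-link it."""
    if "@" in indicator:
        return indicator.replace("@", "[at]").replace(".", "[.]")
    if IPV4_RE.fullmatch(indicator):
        return indicator.replace(".", "[.]")
    return indicator  # wallet addresses are not clickable; keep them exact for matching


@dataclass
class IncidentReport:
    """Fields aligned to the IC3 list above (my mapping, not IC3's schema)."""
    discovered_at: str                      # date and time of the incident (ISO 8601, UTC)
    attack_vector: str                      # how the attack occurred
    affected_systems: list[str]             # what systems or data were affected
    financial_loss_usd: float               # any financial losses
    indicators: dict[str, list[str]] = field(default_factory=dict)
    threat_actor_communications: list[str] = field(default_factory=list)


def build_report(discovered_at: str, attack_vector: str, affected_systems: list[str],
                 financial_loss_usd: float, artefacts: str,
                 own_domains: frozenset[str] = frozenset()) -> IncidentReport:
    """Assemble the report with defanged indicators and the raw actor communication attached."""
    raw = extract_indicators(artefacts, own_domains)
    return IncidentReport(
        discovered_at=discovered_at,
        attack_vector=attack_vector,
        affected_systems=list(affected_systems),
        financial_loss_usd=financial_loss_usd,
        indicators={k: [defang(v) for v in vals] for k, vals in raw.items()},
        threat_actor_communications=[artefacts.strip()],
    )


if __name__ == "__main__":
    report = build_report("2024-03-01T09:00:00Z", "phishing e-mail with credential harvest",
                          ["file server", "finance mailbox"], 0.0, SAMPLE_ARTEFACTS,
                          own_domains=frozenset({"victim.example"}))
    print(json.dumps(asdict(report), indent=2))
```

Keep the undefanged originals in your own case file; the defanged copy is for pasting into forms and e-mail, where a live link to an actor-controlled domain is the last thing you want.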
Step 3: Contact CISA
The Cybersecurity and Infrastructure Security Agency (CISA) is your go-to for technical assistance. Report incidents at cisa.gov/report or call their 24/7 hotline at (888) 282-0870.
CISA doesn't investigate crimes — that's the FBI's job. But CISA can help you understand the attack, provide technical indicators, and connect you with resources to recover. They also use your report to warn other organizations about active threats. If your incident involves critical infrastructure, CISA reporting is especially important.
Step 4: Notify Your State Attorney General
Every U.S. state has data breach notification laws. If personal information was compromised — names, Social Security numbers, financial account numbers, health data — you're likely legally required to notify affected individuals and your state's attorney general.
Timelines vary. Some states, Florida among them, require notification within 30 days of discovery; others give you 60 or 90. Don't guess — check the FTC's resource page or consult legal counsel immediately.
Step 5: Notify Affected Individuals
This is where it gets uncomfortable, but it's non-negotiable. If personal data was exposed, the people whose data was stolen have a right to know. Your notification should include:
- What happened, in plain language
- What data was compromised
- What you're doing about it
- What they should do (monitor credit, change passwords, enable multi-factor authentication)
- A point of contact for questions
Don't bury this in legal jargon. I've reviewed breach notifications that were clearly written by lawyers trying to minimize liability rather than actually inform people. That approach backfires — it generates media attention, regulatory scrutiny, and lawsuits.
Step 6: Report to Your Cyber Insurance Carrier
If you have a cyber insurance policy, report the incident immediately. Most policies have strict reporting windows — some as short as 24 to 72 hours. Missing that window can void your coverage entirely.
Your carrier will likely assign a breach coach — an attorney who coordinates the response, including forensics, notification, and credit monitoring services. Let them help. That's what you're paying for.
What If You're an Employee, Not the CISO?
Most of this guide assumes you're the decision-maker. But what if you're an employee who just clicked a suspicious link or noticed something weird on your workstation?
Report it internally immediately. Don't wait to see if it's "really" a problem. Don't try to fix it yourself. Your IT or security team needs to know now, not after lunch.
The 2021 Verizon Data Breach Investigations Report found that 85% of breaches involved a human element. That means most incidents start with someone at a keyboard. If that person reports it in minutes instead of hours, containment is dramatically more effective.
Organizations that invest in cybersecurity awareness training see faster internal reporting times because employees understand what to look for and aren't afraid of being punished for speaking up. Building that culture is just as important as having a technical response plan.
The Ransomware Reporting Question Everyone Asks
Should I Report Ransomware if I Paid the Ransom?
Yes. Absolutely. The FBI's official position is that you should report ransomware attacks regardless of whether you paid. They don't recommend paying, but they understand the business reality. Reporting helps law enforcement track threat actor groups, recover funds, and develop decryption tools.
In 2021, FBI IC3 received 3,729 ransomware complaints with adjusted losses of over $49.2 million. They believe this number dramatically underrepresents reality because so many victims don't report. Every unreported incident makes the next attack more likely — for you and for everyone else.
Industry-Specific Reporting Requirements You Can't Ignore
Depending on your industry, you may have additional reporting obligations beyond general law enforcement and state notifications.
Healthcare (HIPAA)
If protected health information (PHI) is compromised, you must notify the HHS Office for Civil Rights within 60 days for breaches affecting 500+ individuals. Smaller breaches can be reported annually, but don't delay your investigation.
Financial Services
Banks and financial institutions regulated by the OCC, FDIC, or Federal Reserve have specific incident notification requirements. The new Computer-Security Incident Notification Rule, finalized in November 2021, requires banking organizations to notify their primary federal regulator within 36 hours of a significant incident.
Government Contractors
If you hold federal contracts, DFARS clause 252.204-7012 requires reporting cyber incidents to the Department of Defense within 72 hours. This isn't optional, and non-compliance can cost you your contract.
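Several of these clocks can run on the same incident, and in a tabletop it helps to see them side by side. Here is an added Python example (not from the original article) that turns a discovery timestamp and the regimes that apply into a deadline list, earliest first. The 36-hour, 72-hour and 60-day windows are the ones quoted above; the insurance window (Step 6) and the state window (Step 4) are parameters because they depend on your policy and your state. The scenario and dates are constructed.

```python
"""Rank the notification deadlines that attach to one incident.

Added example, not from the original article. The fixed windows are the ones the
article cites: 36 h for banking organizations, 72 h under DFARS 252.204-7012,
60 days to HHS OCR for breaches of 500+ individuals. Insurance and state windows
are inputs. The discovery time below is constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Obligation:
    recipient: str
    deadline: datetime
    basis: str


def notification_schedule(discovered_at: datetime, *,
                          insurance_window_hours: int | None = None,
                          banking_org: bool = False,
                          dod_contractor: bool = False,
                          phi_individuals: int = 0,
                          state_window_days: int | None = None) -> list[Obligation]:
    """Return the obligations that apply to this incident, earliest deadline first."""
    obligations: list[Obligation] = []
    if insurance_window_hours is not None:
        obligations.append(Obligation("Cyber insurance carrier",
                                      discovered_at + timedelta(hours=insurance_window_hours),
                                      "policy reporting window"))
    if banking_org:
        obligations.append(Obligation("Primary federal banking regulator",
                                      discovered_at + timedelta(hours=36),
                                      "Computer-Security Incident Notification Rule"))
    if dod_contractor:
        obligations.append(Obligation("Department of Defense",
                                      discovered_at + timedelta(hours=72),
                                      "DFARS 252.204-7012"))
    if phi_individuals >= 500:
        obligations.append(Obligation("HHS Office for Civil Rights",
                                      discovered_at + timedelta(days=60),
                                      "HIPAA breach notification, 500+ individuals"))
    # Breaches under 500 individuals go into the annual HHS report instead,
    # so no clock is started for them here.
    if state_window_days is not None:
        obligations.append(Obligation("State attorney general and affected individuals",
                                      discovered_at + timedelta(days=state_window_days),
                                      "state breach notification law"))
    return sorted(obligations, key=lambda o: o.deadline)


def hours_remaining(obligation: Obligation, now: datetime) -> float:
    """Hours until the deadline; negative once it has passed."""
    return (obligation.deadline - now).total_seconds() / 3600


def status_board(obligations: list[Obligation], now: datetime) -> list[str]:
    """One line per obligation, flagged OVERDUE when the window has closed."""
    lines = []
    for o in obligations:
        left = hours_remaining(o, now)
        flag = "OVERDUE" if left < 0 else f"{left:6.1f} h left"
        lines.append(f"{o.deadline:%Y-%m-%d %H:%M}Z  {flag:>14}  {o.recipient} ({o.basis})")
    return lines


# Constructed scenario: a DoD contractor with a 48-hour policy window, 1,200
# affected patients' PHI, and a 30-day state law, reviewed one day after discovery.
DISCOVERED_AT = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
REVIEW_TIME = DISCOVERED_AT + timedelta(hours=24)


def demo_schedule() -> list[Obligation]:
    return notification_schedule(DISCOVERED_AT, insurance_window_hours=48,
                                 dod_contractor=True, phi_individuals=1200,
                                 state_window_days=30)


if __name__ == "__main__":
    print("\n".join(status_board(demo_schedule(), REVIEW_TIME)))
```

Run it during the tabletop with the scenario's real parameters and the team sees immediately that the insurance carrier and the DoD come before anyone else, which is exactly the ordering people get wrong under pressure.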
Build Your Incident Reporting Plan Before You Need It
The worst time to figure out how to report a cyber incident is during the incident itself. I've watched organizations lose critical hours because no one knew the IC3 URL, the CISA hotline number, or which state laws applied to them.
Your Incident Reporting Checklist
Print this out. Put it in your incident response binder. Make sure at least three people in your organization know where it is.
- FBI IC3: ic3.gov — file online complaint
- CISA: cisa.gov/report or (888) 282-0870
- Local FBI Field Office: look up your nearest office now, not during the incident
- State Attorney General: identify your state's breach notification portal
- Cyber Insurance Carrier: policy number, claims hotline, reporting deadline
- Legal Counsel: have a breach attorney on retainer or at least identified
- Internal IT/Security Team: clear escalation path, after-hours contacts
Run tabletop exercises at least annually. Walk through a scenario — say, a credential theft that escalates to ransomware — and practice the reporting chain. You'll find gaps every single time.
Phishing: The Incident That Almost Always Comes First
In my experience, the majority of incident reports trace back to a phishing email. A credential theft here, a malware download there — it almost always starts with social engineering. The 2021 Verizon DBIR confirmed that phishing was present in 36% of breaches, up from 25% the prior year.
This is why phishing awareness training for your organization isn't just a nice-to-have — it's your front line. When employees can recognize and report phishing attempts before they succeed, you move from incident response to incident prevention. Phishing simulation programs let you test your team in realistic scenarios and measure improvement over time.
Pair that training with multi-factor authentication across all accounts, and you've dramatically reduced the attack surface that leads to reportable incidents in the first place. A zero trust approach — never trust, always verify — makes every access request prove its legitimacy.
After the Report: What Happens Next
Filing reports isn't the end. Here's what to expect.
From the FBI
IC3 will acknowledge receipt. If your case involves significant financial loss or is part of a larger pattern, a field office may reach out. Don't expect immediate contact for every report — but your data contributes to ongoing investigations even if you never hear back.
From CISA
If you requested technical assistance, CISA may provide indicators of compromise, mitigation guidance, or direct support. They may also issue an alert based on your report to protect others.
From Your State
The attorney general's office may follow up with questions about your notification process, the scope of the breach, and your remediation steps. Cooperate fully. This isn't adversarial — unless you've been negligent.
From Your Insurance Carrier
Expect a forensics firm to be assigned. They'll image affected systems, analyze the attack path, and produce a report that guides both your recovery and any legal proceedings.
Stop the Next Incident Before It Requires a Report
Every incident report I've helped an organization file has reinforced one lesson: the organizations that invest in prevention spend far less time on response. Security awareness isn't a compliance checkbox — it's the single most effective control against the human-targeted attacks that dominate today's threat landscape.
Start building that muscle now. Equip your team with the knowledge to recognize threats, the confidence to report suspicious activity internally, and the tools to verify before they trust. That's how you move from reactive to resilient — and how you make sure the next time you need to know how to report a cyber incident, you're ready.