The breach is normal

What happened is not mysterious. Data left the system, and it moved faster than management reacted. Logs existed, but no one looked at them in time. Backups were running, but no one tested restoration under pressure. A notification clock started ticking the moment the data crossed a boundary it should never have crossed. That is the moment most organisations miss.

Breaches are no longer exceptional events but operational facts. The abnormal part is not the intrusion; it is the hesitation that follows. In the cases I see, the entry point is rarely sophisticated. A reused password. An old VPN account. A finance laptop shared with a child for online classes. A cloud storage bucket set to public because someone needed a file “just for today.” Technology does not fail dramatically. It fails quietly, one small permission at a time. Think of a breach like a hairline crack in a dam. The water does not arrive with a bang. It seeps. By the time you hear the sound, the pressure has already shifted downstream.

From an investigative standpoint, the first question is never “who did this?” It is “what moved, when, and under whose authority?” Data always leaves footprints. The problem is that many organisations overwrite them, rotate them away, or never collect them in the first place.

In Uganda, once personal data is exposed, the legal posture changes immediately. The Data Protection and Privacy Act, 2019 imposes a duty of security safeguards and timely notification to the regulator and affected data subjects. This is not a courtesy obligation. It is a statutory one. Delay converts a technical incident into a governance failure. At that point, responsibility shifts from IT to the organisation itself. Control rests with management. Liability follows control.

This is where many leaders misstep. They treat the incident as an IT clean-up exercise. It is not, my dears. It is an evidence preservation exercise with regulatory consequences. The moment a breach is suspected, routine system activity becomes risky. Auto-patching, log rotation, account resets, and even well-intended “hardening” can destroy the very artefacts needed to establish what happened.

In several verified cases across the region, organisations lost the ability to defend themselves, not because the breach was severe, but because internal teams wiped volatile data before forensic capture. Courts and regulators do not speculate in your favour when the evidence is gone. Silence created by poor handling is interpreted as concealment or incompetence. Neither helps.

Technology matters here, but only if you understand it at a granular level. Logs are not one thing. There are authentication logs, application logs, database transaction logs, API gateway logs, cloud audit trails, endpoint artefacts, and mobile device caches. Each tells a different story. A login at 02:14 means nothing unless you correlate it with file access at 02:16 and outbound traffic at 02:18. Breach timelines are built minute by minute, not headline by headline.
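The correlation step described above (a login, a file read and outbound traffic on one clock), as an added example that is not part of the original post: it parses three constructed log sources, merges them into one per-account timeline, and flags a login followed within a window by a read and an outbound transfer of comparable size. The source names, line formats, ten-minute window and byte ratio are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample lines from three sources on one UTC clock; not real logs.
AUTH_LOG = [
    "2024-03-02T02:14:07Z vpn-gw sshd: Accepted password for jdoe from 198.51.100.23",
    "2024-03-02T02:40:11Z vpn-gw sshd: Accepted password for asmith from 10.0.4.9",
]
FILE_LOG = [
    "2024-03-02T02:16:22Z fs01 audit: user=jdoe action=read path=/finance/payroll.xlsx bytes=4820311",
    "2024-03-02T02:41:03Z fs01 audit: user=asmith action=read path=/hr/handbook.pdf bytes=210045",
]
NET_LOG = [
    "2024-03-02T02:18:45Z fw egress: user=jdoe dst=203.0.113.77:443 bytes_out=4913000",
    "2024-03-02T03:10:02Z fw egress: user=asmith dst=203.0.113.5:443 bytes_out=12000",
]
# One pattern per source: group 1 is the timestamp, group 2 the account, last group a byte count.
PATTERNS = {
    "auth": re.compile(r"^(\S+) \S+ sshd: Accepted \w+ for (\w+) from (\S+)"),
    "file": re.compile(r"^(\S+) \S+ audit: user=(\w+) action=(\w+) path=(\S+) bytes=(\d+)"),
    "net": re.compile(r"^(\S+) \S+ egress: user=(\w+) dst=(\S+) bytes_out=(\d+)"),
}

def parse_events(sources):
    """sources: {name: [lines]} -> events sorted by time; each is a dict with ts/src/user/bytes/info."""
    events = []
    for name, lines in sources.items():
        for line in lines:
            m = PATTERNS[name].match(line)
            if not m:
                continue  # a real capture should count unparsed lines rather than drop them silently
            g = m.groups()
            events.append({"ts": datetime.strptime(g[0], "%Y-%m-%dT%H:%M:%SZ"), "src": name, "user": g[1],
                           "bytes": 0 if name == "auth" else int(g[-1]), "info": " ".join(g[2:])})
    return sorted(events, key=lambda e: e["ts"])

def timeline(events, user):
    """The minute-by-minute story for one account across all sources."""
    return [(e["ts"].strftime("%H:%M:%S"), e["src"], e["info"]) for e in events if e["user"] == user]

def flag_chains(events, window=timedelta(minutes=10), ratio=0.8):
    """Login -> read -> outbound transfer by one account inside `window`, bytes out >= ratio * bytes read."""
    flagged = []
    for login in (e for e in events if e["src"] == "auth"):
        same = [e for e in events if e["user"] == login["user"] and login["ts"] < e["ts"] <= login["ts"] + window]
        for rd in (e for e in same if e["src"] == "file" and e["info"].startswith("read")):
            for out in (e for e in same if e["src"] == "net" and e["ts"] > rd["ts"]):
                if out["bytes"] >= ratio * rd["bytes"]:
                    flagged.append((login["user"], login["ts"], rd["ts"], out["ts"]))
    return flagged
```

The second account's transfer falls outside the window and is far smaller than the read, so only the first chain is flagged; widening the window alone does not change that.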

I often tell boards that if money goes missing from a vault, you do not repaint the walls first. You freeze the scene. You count. You check physical access controls and cameras, and establish who knew what. You trace serial numbers. Data breaches are no different. Yet organisations rush to “fix” systems before they understand the loss. That instinct feels responsible. It is legally dangerous.

Another common blind spot is third-party exposure. Most breaches today pass through someone you trusted. A payroll processor. A CRM vendor. A marketing agency with API access. Contracts often mention security in vague language, but rarely specify log access, incident cooperation timelines, or evidence retention duties. When the breach happens, you discover too late that you do not control the records you need. Responsibility still sits with you.

There is also a human layer that investigators watch closely. Internal messages after the incident. Who knew what, and when. Who decided not to escalate? Who used casual language in an email that later reads like indifference? Regulators read those messages. So do courts. Tone becomes evidence.

Winning organisations accept a hard truth early: prevention reduces frequency, not certainty. The real differentiator is readiness. That means having an incident protocol that starts with evidence, not blame. A legal hold that is triggered automatically. A named decision-maker who understands when to stop system changes. Pre-agreed notification thresholds. External forensic capability on standby, not negotiated in panic.

The breach itself is not the scandal. The response is. Every serious investigation I have handled ends the same way. The technology tells a clear story once it is respected. The law is predictable once obligations are understood. What remains unpredictable is leadership under pressure.

If data is already out, the question is no longer how to avoid the incident. It is whether you will handle it in a way that causes damage or multiplies it. At that point, control is no longer theoretical. It is yours to exercise, or to lose.

Copyright IFIS 2026. All rights reserved.
