A Google Workspace breach can spread quickly across Gmail, Drive, Docs, Calendar, and Admin Console settings.
This guide explains how to create a data breach checklist for Google Workspace that helps teams contain incidents fast and document every critical step.
Why a Google Workspace breach checklist matters
Google Workspace is a central hub for business email, file storage, collaboration, identity, and device access.
When an account is compromised, attackers may use OAuth tokens, forwarding rules, shared drives, or admin privileges to move laterally and exfiltrate data.
A checklist gives incident responders a repeatable process.
It reduces decision fatigue, improves consistency, and helps ensure the organization preserves evidence for forensics, legal review, cyber insurance, and regulatory obligations.
What a Google Workspace data breach checklist should cover
An effective checklist should address identity, email, storage, devices, logs, notifications, and recovery.
It should be usable by IT, security, legal, HR, communications, and leadership during the first hours of an incident.
- Scope: which accounts, groups, devices, and services are affected
- Containment: how to stop unauthorized access quickly
- Evidence: which logs and artifacts to preserve
- Notification: who must be informed internally and externally
- Recovery: how to restore safe access and validate controls
Step 1: Identify the incident and classify severity
Start by defining what happened.
A suspicious login is not the same as a confirmed data exfiltration event, and your response should scale accordingly.
Checklist items for triage
- Confirm the alert source: user report, Google alert, SIEM, CASB, or support ticket
- Identify the affected user, group, or admin account
- Determine whether the event involves Gmail, Drive, Meet, Chat, Calendar, or Admin Console
- Assess whether data was accessed, forwarded, shared externally, or downloaded
- Assign severity based on privilege level, data sensitivity, and blast radius
For high-risk incidents, immediately escalate to security leadership and legal counsel.
If regulated data such as PII, PHI, PCI data, or financial records may be involved, treat the matter as time sensitive from the start.
Step 2: Contain access in Google Workspace
Containment should be fast and deliberate.
The goal is to stop the attacker from continuing to access mail, files, or admin settings while preserving evidence for investigation.
Checklist items for containment
- Force password reset for the affected account
- Revoke active sessions and sign out all web and mobile devices
- Disable suspicious accounts or suspend the user if necessary
- Revoke third-party OAuth app access
- Remove unauthorized forwarding rules, filters, and delegations
- Review and lock down shared drives, groups, and external sharing settings
- Disable or restrict compromised admin roles if an admin account is involved
If a super admin account is compromised, prioritize account recovery and privilege containment immediately.
In environments with multiple admins, use a break-glass account protected by strong authentication and strict monitoring.
Step 3: Preserve evidence before making changes
Every change made during response can affect the investigation.
Before deleting rules, revoking access, or restoring accounts, capture what happened so investigators can reconstruct the timeline.
Checklist items for evidence preservation
- Export Gmail, Drive, and Admin audit logs
- Record timestamps, IP addresses, geolocation data, and device identifiers
- Capture screenshots of suspicious forwarding rules, delegated access, or sharing settings
- Save alert notifications and incident ticket history
- Document who took each containment action and when
- Preserve relevant email headers and message IDs
If your organization uses Google Vault, include relevant Vault searches, retention settings, and holds.
If you have a SIEM such as Splunk, Microsoft Sentinel, or Chronicle, preserve correlated security events from identity providers, endpoint tools, and network logs.
Step 4: Investigate the attack path
Understanding the initial entry point helps prevent recurrence.
Common Google Workspace compromise paths include phishing, credential reuse, stolen cookies, malicious OAuth grants, and unmanaged devices.
Checklist items for root-cause analysis
- Review recent login activity and unfamiliar devices
- Check for MFA fatigue or suspicious second-factor prompts
- Inspect OAuth consent history for risky applications
- Review recent password resets and recovery email changes
- Assess whether endpoint malware or browser session theft played a role
- Look for mass downloads, unusual Drive sharing, or mailbox forwarding
Compare user behavior against baseline patterns.
For example, a finance user downloading thousands of files from a shared drive at midnight or a sales executive sending large volumes of external emails may indicate abuse of legitimate access.
Step 5: Notify the right stakeholders
Breach response is not only a technical task.
Timely communication helps the organization meet contractual, legal, and reputational obligations.
Checklist items for notifications
- Alert security leadership and the incident response lead
- Notify legal and privacy teams if regulated information may be affected
- Inform HR if employee accounts or personnel records are involved
- Coordinate with communications or PR for external messaging
- Update executives with clear impact and status summaries
- Engage the cyber insurer if policy notification is required
If customer data may have been exposed, work with legal counsel to determine notice requirements under applicable laws such as GDPR, state breach statutes, or industry-specific regulations.
Step 6: Recover safely and verify controls
Recovery should restore access without reintroducing risk.
Rebuilding trust in the account and the tenant is more important than simply unlocking the user.
Checklist items for recovery
- Reset passwords and enforce MFA for affected accounts
- Remove unauthorized inbox rules, apps, and delegations
- Audit all recent sharing changes in Drive and shared drives
- Review account recovery options and security keys
- Reimage or sanitize compromised endpoints if needed
- Validate that logging, alerting, and retention controls are active
For privileged accounts, consider rotating tokens, reviewing role assignments, and verifying that no hidden service account access remains.
In larger environments, confirm the same issue does not exist across other users or business units.
Step 7: Document lessons learned and harden the tenant
A checklist should not end when the account is restored.
The post-incident phase is where organizations strengthen controls and reduce the chance of repeat compromise.
Checklist items for improvement actions
- Require phishing-resistant MFA for admins and high-risk users
- Limit external sharing and domain-wide delegation
- Review OAuth app controls and app whitelisting policies
- Enforce context-aware access and device trust
- Set alerts for suspicious forwarding rules and mass downloads
- Train users on phishing, consent scams, and credential theft
- Test backup, retention, and restoration procedures
Document what failed, what worked, and what should change in policy or configuration.
This helps convert a single incident into measurable security improvement.
Simple template for your Google Workspace breach checklist
You can adapt the following structure to your environment and incident severity.
- Detection: source, time, affected accounts, severity
- Containment: password reset, session revocation, app removal, sharing restrictions
- Preservation: logs, screenshots, headers, audit exports
- Investigation: login history, OAuth activity, forwarding rules, endpoint status
- Notification: internal stakeholders, legal, insurer, regulators, customers if needed
- Recovery: MFA, access review, endpoint cleanup, control validation
- Remediation: policy updates, training, alert tuning, hardening
Tools and Google Workspace features to include
When building your checklist, map steps to the specific tools your team uses.
Useful capabilities often include the Google Admin Console, Gmail audit logs, Drive audit logs, Security Center, Alert Center, Google Vault, and third-party SIEM or SOAR platforms.
Teams using identity providers such as Okta, Entra ID, or Ping Identity should also include SSO logs, MFA events, and conditional access records.
Endpoint protection platforms like CrowdStrike, Microsoft Defender for Endpoint, and SentinelOne can add context about malware, browser compromise, or device compromise.
By combining Google Workspace telemetry with identity and endpoint data, responders can identify whether the breach began with phishing, token theft, or a compromised device.