I would start with where the breach was reported and backtrack to the source as quickly as possible. Many times a breach can be attributed to a firewall misconfiguration or public-facing service.