© 2017 The Author(s).Repository managers can never be one hundred percent sure of the security of hosted research data. Even assuming that human errors and technical faults will never happen, repositories can be subject to hacking attacks. Therefore, repositories accepting personal/sensitive data (or other forms of restricted data) should have workflows in place with defined procedures to be followed should things go wrong and restricted data is inappropriately released. In this paper we will report on our considerations and procedures when restricted data from our institution was inappropriately released.