Problem: We have been notified that the vendor who provides our payment card processing software in our cafeteria has been breached. This vendor has access to our system via a VPN with standalone credentials in order to update and maintain their software.
The vendor is unable to determine whether the credentials that they use to access our organization were compromised during the breach. According to the notification, the breach was discovered 26 hours ago, however there is evidence that the perpetrators have been in the vendor's systems for up to 7 weeks. What steps would you take to tackle this potential breach and in what order?