Ttdfjt

First take screenshots of what you find. For the data that is yours, you should catalogue that. Personally, I would download it so you have a reference. You should take screenshots of your own data and avoid data that is not yours. Make sure you include the URLs. Document those in a way that a lawyer can understand. This is likely to become a legal problem, not an IT problem. I say "screenshots" because that is unambiguous and lawyers understand screenshots.

Contact your internal lawyers, plus your communications or media people. You need to get this breach onto their radar. The lawyers will then need to look into the commercial contract with the contractor, probably via the account management team if you work for a big old company. No one in senior leadership will want to find out about it from everyone's favourite IDS: Twitter. Your comms / PR teams will need to deal with any messages that come about from this. Your executive team may need to be involved. You should get guidance from your CIO unless you are the CIO, in which case I would be inclined to inform people internally.

Engage with your company data protection officer. That may be the lawyer. They will decide if the breach is GDPR / ICO notifiable. You have to do this quickly as you have 72 hours to make the decision from the point you are aware; that includes the weekend (never go looking for incidents on a Friday…). Your DPO will advise. If you are the DPO then you might want to engage your company external legal counsel to confirm your decisions.

Once you have looked at the data, you will be able to advice how many data subjects are affected, if any. You will also be able to determine if the data breach affects any of your clients as you may have a contractual obligation to inform them.

Contact the hosting company. If it's something like GitHub then they may be inclined to play nicely. You may need to get your lawyers to write to them as officers of the company.

Contact the contractor, ideally via their contracted company, and via the in-house lawyer. Demand they take down what is there.

Now you can start to work out the material impact to your business. Credentials, keys and other authentication tokens will need to be changed I expect.

Depending on the size of your company, your appetite for risk, and your pocket size, you might want to consider bringing in a forensics-type company to go out hunting for similar data. Yes I know it's a bit of security theatre, but if you work for a FTSE100 firm then a report with a Big4 audit badge saying "no more issues" is exactly what you need should the midden hit the windmill. (I am amazed at what I see big firms spend on such reports as, of course, the same thing from an internal person is often considered to count for little).

I am not sure about the data that is not yours. If you start trying to engage with third parties then you are bound to be asked what data you have got from them and they are bound to ask you to confirm that any data you have taken has been deleted. Personally I'd be inclined to ignore any data that is not mine. You might want to make a disclosure to whomever you think is the data owner, entirely up to you.

You mention keylog; if you are wondering why an individual might have a keystroke logger on their own PC then well to be generous they might be using it as a simple backup of what they type. I know people who have done that.

Aside: Finally as a tangential observation, what you have found is not that uncommon. People store all kinds of junk; for example people link their home data storage to the internet via FTP: we run regular assessments for such data that contains our company strings.

You typically want to contact the hosting company to take it down and hold all data and logs under a legal hold.

You could also contact the other companies affected.

Legally, you will need to contact a lawyer and the law enforcement in your jurisdition.

It should go without saying, but make sure that those login credentials are not working on your system. If they weren't deactivated when he left your organization (when they should have been), you'll want to audit your access logs to make sure they haven't been used since he left -- if they were on a public website where anyone could find them, you should assume that someone has tried them.

Keep a careful log of everything you're finding, including details like when and how you're finding it. Law enforcement will want to know. You may very well have to testify in court about this one day -- even if your company doesn't sue, the other companies might, and you will look more professional if you have all the details ready when they call you as a witness.

If you are a regular member of staff at the company, your correct escalation should be through the Infosec team, and fall back to the Legal and IT departments if your company isn't big enough to have a dedicated Infosec team. I would also copy HR on any communication.

This is an extremely serious scenario. If you don't know what to do (and the fact that you are very sensibly asking for advice on Stack Exchange shows that you don't) then you need to pass this over to the teams within your company that do.

Don't try to do anything outside of the company by yourself.

Provide your Infosec/IT/Legal teams with the URLs to the information that is hosted on that site.

If you have downloaded information that relates to other companies, delete it. It is confidential information that you should not be in possession of. Instead, let your Infosec/IT/Legal teams contact the other companies in an official capacity.

For getting it taken down, you could have a US lawyer issue a DMCA takedown notice to the hosting provider, asserting that you own the content and have not consented to it being distributed - this should get an immediate reaction if the hosting provider honours DMCA notices, to which the contractor can respond.

I have been in a similar situation. I contacted my boss and the owner immediately (we only had 25 people). The owner handled everything, but he asked me to be available for a phone call. Since this involved a DOD contractor in the US, it was a DOD responsibility. We were never told the outcome.

Let the owner/COO/corporate counsel contact law enforcement.

US law enforcement loves to trap people for perjury. Always have a lawyer's advice and a lawyer present when you speak with law enforcement.

Let the lawyers handle any screenshots.

Let law enforcement notify other entities that their sensitive information has leaked.

This is an addition to the other answer from the top (currently). I understand it's been 3 days already and we won't see an answer from OP, but I strongly suggest to anyone that will have this happen to them to consider the following.

Understand how data leaks usually happen: third party contractors are targeted first. I will tell you that even the lowest, but serious threat actor has the capability to gather immense throves of data on your company, contractors and its internals so it will be known who contractors are. You might not believe it, but HR software your company uses to manage its employees are more vulnerable than a defenseless cat cornered by 10 wolves.

Often times these contractors aren't serious about security and are way, way easier to penetrate than the company itself which might have bolstered defenses. Think about it this way -- why go through the main company's defenses when you can go after its contractors or low-tier employees who have no idea about security?

By proxy, I know of a case where a country's entire research division that was made of universities, the defense department and others had several servers where they'd upload "research results & schematics". There was a professor who had an old chatting server that was very abusable. They got inside the pretty beefy research network through that guy's chatting server after pinballing through close to a dozen computers before going there.

You might have a case of a contractor getting hacked. People who would land themselves in jail like this and have their lives ruined are very, very rare and often times mentally ill. Statistically speaking, there's no way he did this himself and by contrast, it means someone else leaked the information to hurt the main company. He's just a pawn.

You also hinted at this being a strong possibility with "why would he keylog himself?". No one does that. You also said that you saw dumps of logs and tokens that were one-time use. Who do you think could be looking for these when you think about the contractor, a hacker targeting the company through this contractor and the company?

Something smells bad here.

As the top answer said, go to a lawyer, but don't go in bad faith.

First, suggest you to change credentials of everything you know of. There are hackers who love this kind of data and use this for their own usage like cyber attack, ransom ware and etc.

Also same time initiate the complain to take down the site and stop spread of data on internet.

These are important. First protect your business. Later you can go for legal proceedings on the person.