
Cyber breach reporting: What to do if you’ve been attacked

17/09/2025

Quick summary

  • Not all data breaches need to be reported: only incidents involving personal data that could harm individuals

  • Report qualifying breaches to ICO within 72 hours and notify affected individuals immediately

  • Human error causes 75% of data breaches: staff training is more critical than technical defences

No business wants the worst to happen, but if a cyber breach does strike, every minute counts – so it’s best to be prepared. That’s often the difference between a manageable incident and one which has a big impact on your operations. As part of your cybersecurity strategy, you should know what to do if you are the victim of a cyber breach.

We’ve created a comprehensive guide to provide you with essential steps you need to take for cyber breach reporting, covering everything from understanding what needs to be reported to security breach notification laws.

What is a cyber breach?

A cyber breach is any incident that results in unauthorised access to data, applications, networks, services or devices.

Do all breaches need to be reported?

While cyber breaches may have a significant impact on your organisation, under the General Data Protection Regulation (GDPR) – the EU law that governs how personal data must be handled – they don’t need to be reported unless they involve personal data. Specifically, they only need to be reported if there is a breach of personal data that’s likely to pose a risk to the rights or freedoms of the affected individuals.

Here are some examples of when you might need to report a breach – and when you don’t.

You would need to report any of the following incidents:

  • A malware attack that encrypts, corrupts or steals personal data like customer records or employee information.

  • An insider threat where a staff member has misused their access to steal personal data.

  • An employee accidentally sending personal information to the wrong recipient.

  • Someone breaking into your office and stealing devices that contain customer information.

On the other hand, you would not need to report these incidents:

  • Ransomware attacks that only encrypt business files or internal documents, without any personal data.

  • DDoS attacks that disrupt website availability but don’t access customer data.

  • Theft of devices that only contain business information.

And while these non-personal data incidents don't require GDPR reporting, they may still need to be reported elsewhere, such as to law enforcement if they're criminal, or to sector regulators depending on your business type.

What are the main causes of personal data breaches?

In Q1 of 2025, the ICO reports that 75% of the incidents reported to it were actually non-cyber incidents, with data being emailed to the wrong recipient the most common cause (18%), followed by ‘other non-cyber incidents’ (15%). These were followed by:

  • Unauthorised access (11%)

  • Phishing (11%)

  • Failure to redact (7%)

  • Other cyber incident (7%)

  • Ransomware (5%)

  • Data posted or faxed to incorrect recipient (5%)

  • Loss/theft of paperwork or data left in insecure location (5%)

  • Hardware/software misconfiguration (4%)

  • Failure to use bcc (3%)

  • Verbal disclosure of personal data (3%)

  • Data of wrong data subject shown in client portal (2%)

  • Loss/theft of device containing personal data (1%)

  • Malware (1%)

This list just goes to show that the biggest threat when it comes to personal data breaches isn’t necessarily from malware, ransomware or other cyber attacks – it’s actually from your own staff. That’s why it’s so important to train your staff in security best practice and have clearly documented policies.

How do you report a cybersecurity breach?

You can easily report personal data breaches through your country’s online notification portal. Before reporting the breach, take the time to gather as much information as possible, including:

  • The nature and scope of the breach

  • Approximate number of affected individuals

  • Likely consequences

  • Any measures taken to address the incident

However, you don’t need to have all the facts – you can report a breach before you know all the details. The most important thing is the data breach report time, as you must report it as soon as you realise an incident has occurred.

You’ll also need to provide:

  • Contact information for you

  • Contact information for your organisation or the organisation you are reporting on behalf of

  • Any details of how the cyber incident started and how the organisation was affected

Once you’ve reported the breach online, the governing body will get in touch with you to understand more. They may ask questions like:

  • What happened?

  • How did you find out about the breach?

  • Who’s been affected by it?

  • What actions have you taken?

  • Who have you told about the breach?

Note that reporting requirements vary in different areas and you should refer to your local data protection authority to ensure that you understand when you need to report breaches and what information should be included.

Other cyber breach reporting

Not all cyber attacks involve personal data, but many still require reporting or action. Here's what you need to know about reporting other types of cyber breaches:

  • Cyber crimes

Any cyber attack that successfully breaches your defences should be reported as a crime, even if no personal data was put at risk. That includes breaches such as ransomware attacks, DDoS attacks, phishing and hacking.

These breaches should be reported to your local data protection agency.

  • Financial incidents

Any cyber attack that results in financial loss or suspected fraud should be reported immediately to Action Fraud and your bank’s fraud team.

  • Critical infrastructure and essential services

If your business provides essential services (energy, transport, health, digital infrastructure, etc) or you're a digital service provider, you may need to report significant cyber breaches to the National Cyber Security Centre (NCSC).

Download your breach response toolkit

Use this step-by-step framework to ensure you respond effectively to data breaches (whether cyber or non-cyber), while maintaining compliance and minimising business impact. Want to find out more about cyber reporting or cybersecurity across the board? Our V-Hub Digital Advisers are here to help.
