How to Report a Cyber Attack: UK Business Step-by-Step Guide
If your business has been hit by a cyber attack, knowing who to contact and what steps to take can make the difference between a contained incident and a full-blown crisis. In the UK, there are clear reporting obligations and recommended channels for businesses of all sizes.
This guide walks you through the reporting process step by step, covering the key organisations to contact, your legal obligations under UK GDPR, and how to manage the immediate aftermath of an attack.
Immediate Steps After a Cyber Attack
Before focusing on reporting, take these critical actions to limit the damage:
- Isolate affected systems — disconnect compromised devices from the network and the internet (unplug the cable, disable Wi-Fi, or block the device at the switch or firewall) to stop the attack spreading; isolate, do not power off
- Do not turn off devices — powering off destroys volatile data held in memory (running processes, active network connections and, in some cases, encryption keys) that forensic investigators may need
- Document everything — record the time of discovery, what you observed, which systems are affected, and any error messages or ransom notes
- Alert your IT team or managed service provider — they should begin incident response procedures immediately
- Preserve evidence — do not delete emails, wipe or reimage systems, or attempt to fix the issue before it has been investigated; export and retain logs from firewalls, email gateways, endpoint security and cloud services, since many are kept for only days or weeks by default
Who to Report a Cyber Attack to in the UK
There are several organisations you should contact, depending on the nature and severity of the attack:
1. Action Fraud — the UK's National Reporting Centre
Action Fraud is the primary reporting service for cyber crime in England, Wales, and Northern Ireland. All businesses should report cyber attacks here.
- Online: www.actionfraud.police.uk
- Phone: 0300 123 2040 (Monday to Friday, 8am–8pm for general reports; organisations suffering a live, in-progress attack can call this number 24 hours a day)
- You will receive a crime reference number for insurance and regulatory purposes
In Scotland, report directly to Police Scotland by calling 101.
2. National Cyber Security Centre (NCSC)
The NCSC provides incident response guidance and, for significant attacks, can offer direct support. Report incidents through their website at ncsc.gov.uk/report. The NCSC is particularly relevant if the attack affects critical infrastructure, large volumes of personal data, or essential services.
3. Information Commissioner's Office (ICO)
If the attack involves a breach of personal data — customer records, employee information, or any data that could identify individuals — you have a legal obligation under UK GDPR (Article 33) to assess it and, where it qualifies, report it to the ICO.
- You must report without undue delay and no later than 72 hours after becoming aware of a qualifying breach. The clock starts at awareness, not when the investigation is complete; if you do not yet have all the facts, submit what you know and provide the rest in phases
- A breach must be reported unless it is unlikely to result in a risk to the rights and freedoms of individuals. Breaches you decide not to report must still be recorded internally, together with the reasoning for that decision
- Report online at ico.org.uk using their personal data breach reporting tool
- If the breach is likely to result in a high risk to individuals, you must also notify the affected individuals directly, without undue delay
Failure to report a qualifying breach to the ICO can result in significant fines — up to £17.5 million or 4% of annual global turnover, whichever is higher.
4. Your Cyber Insurance Provider
If you have cyber insurance, notify your insurer as early as possible. Most policies require prompt notification and may provide access to specialist incident response teams, legal counsel, and forensic investigators. Delayed reporting can void your coverage.
5. Your Clients and Partners
If the breach could affect your clients' data or systems, transparency is essential. Notify affected parties promptly, explain what happened, what data may be involved, and what steps you are taking. This is both a legal requirement in many cases and critical for maintaining trust.
Step-by-Step Reporting Timeline
Here is a practical timeline for managing your reporting obligations after a cyber attack:
- Hour 0–1: Isolate systems, alert IT support, begin documenting the incident
- Hours 1–4: Assess the scope — what systems, data, and services are affected
- Hours 4–24: Report to Action Fraud, contact your cyber insurance provider, begin forensic investigation
- Within 72 hours of becoming aware: If personal data is breached, report to the ICO, in phases if the facts are still emerging. Notify the NCSC if the attack is significant
- Within 1 week: Notify affected individuals if the breach is high risk (UK GDPR requires this without undue delay, so do not treat the week as a target). Communicate with clients and partners as appropriate
- Ongoing: Work with forensic investigators, restore systems from clean backups, conduct a post-incident review
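As an added, illustrative example (not part of the original guide and not a Connection Technologies tool), the following Python script shows one way to keep the incident record that the immediate steps and the timeline above call for: timestamped observations, SHA-256 hashes of preserved evidence so its integrity can be checked later, and a running ICO 72-hour clock measured from the moment of awareness rather than from the end of the investigation. The incident ID, contact name, hostnames and ransom-note text are constructed sample data, and the function names are this example's own.

```python
"""Incident record helper (illustrative example): timestamped log,
evidence hashing for integrity, and the UK GDPR 72-hour ICO clock."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# UK GDPR Article 33: notify the ICO without undue delay and, where feasible,
# within 72 hours of becoming AWARE of a qualifying breach.
ICO_WINDOW = timedelta(hours=72)


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp such as '2024-03-01T09:30:00Z' into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def sha256_hex(data: bytes) -> str:
    """Fingerprint evidence bytes so a later copy can be checked against the record."""
    return hashlib.sha256(data).hexdigest()


def ico_deadline(aware_at: datetime) -> datetime:
    """The 72-hour window runs from awareness, not from the end of the investigation."""
    if aware_at.tzinfo is None:
        raise ValueError("awareness time must be timezone-aware (record it in UTC)")
    return aware_at + ICO_WINDOW


def hours_remaining(aware_at: datetime, now: datetime) -> float:
    """Hours left on the ICO clock; negative means the deadline has already passed."""
    return (ico_deadline(aware_at) - now) / timedelta(hours=1)


@dataclass
class IncidentRecord:
    incident_id: str      # internal reference (hypothetical); add the Action Fraud crime number once issued
    aware_at: datetime    # when the organisation first became aware of the breach
    lead_contact: str     # person managing the response; every reporting channel asks for this
    entries: list = field(default_factory=list)
    evidence: list = field(default_factory=list)

    def log(self, text: str, at: datetime | None = None) -> dict:
        """Append a timestamped observation (discovery, affected systems, ransom notes, actions taken)."""
        entry = {"at": (at or datetime.now(timezone.utc)).isoformat(), "text": text}
        self.entries.append(entry)
        return entry

    def preserve(self, label: str, data: bytes, at: datetime | None = None) -> dict:
        """Record a hash and size for a piece of evidence; the original bytes stay untouched elsewhere."""
        item = {"label": label, "sha256": sha256_hex(data), "size": len(data),
                "at": (at or datetime.now(timezone.utc)).isoformat()}
        self.evidence.append(item)
        return item

    def verify(self, label: str, data: bytes) -> bool:
        """True if the supplied bytes match the hash recorded under that label."""
        return any(e["label"] == label and e["sha256"] == sha256_hex(data) for e in self.evidence)

    def report_fields(self, now: datetime, nature: str, affected: str, individuals: int) -> dict:
        """Assemble the fields the ICO, Action Fraud and insurers ask for, plus the state of the ICO clock."""
        remaining = hours_remaining(self.aware_at, now)
        return {
            "incident_id": self.incident_id,
            "nature": nature,
            "aware_at": self.aware_at.isoformat(),
            "affected": affected,
            "individuals_affected": individuals,
            "timeline": [f"{e['at']} {e['text']}" for e in self.entries],
            "lead_contact": self.lead_contact,
            "ico_deadline": ico_deadline(self.aware_at).isoformat(),
            "ico_hours_remaining": remaining,
            "ico_overdue": remaining < 0,
        }


if __name__ == "__main__":
    # Constructed sample incident, not a real case.
    rec = IncidentRecord("INC-2024-001", parse_utc("2024-03-01T09:30:00Z"), "A. Example, Head of IT")
    rec.log("Ransom note found on file server FS01; shares unreachable", at=parse_utc("2024-03-01T09:30:00Z"))
    rec.log("FS01 unplugged from network, left powered on", at=parse_utc("2024-03-01T09:42:00Z"))
    note = b"YOUR FILES ARE ENCRYPTED. Contact us at the address below.\n"  # constructed sample
    rec.preserve("ransom note FS01", note, at=parse_utc("2024-03-01T09:45:00Z"))
    print(json.dumps(rec.report_fields(parse_utc("2024-03-02T09:30:00Z"), "ransomware",
                                       "FS01 file server; HR share", 1200), indent=2))
```

Keeping the record in a structured form like this means the same fields can be pasted into the Action Fraud report, the ICO breach tool and the insurer's notification without re-deriving them under pressure, and the hashes give investigators a way to confirm that the copy of a ransom note or log export they receive is the one captured at the time.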
What Information You'll Need to Provide
When reporting to the ICO, Action Fraud, or your insurer, be prepared to share:
- A description of the nature of the attack (ransomware, phishing, data theft, etc.)
- When the incident was discovered and when it is believed to have started
- What data or systems have been affected
- The approximate number of individuals whose data may be compromised
- What containment and remediation steps have been taken
- Contact details for the person managing the incident response
How to Prepare Before an Attack Happens
The time to plan your response is before you need it. These preparations make reporting faster and recovery smoother:
- Create an incident response plan — document roles, responsibilities, and contact details for key stakeholders
- Conduct regular security audits — identify vulnerabilities before attackers do. Learn more about what to expect from a security audit.
- Invest in ransomware protection — prevention is always better than response. See our guide on ransomware protection for UK businesses.
- Maintain up-to-date asset registers — know what systems and data you hold
- Test your backups — confirm you can restore systems quickly when needed
- Train your staff — employees should know how to recognise attacks and who to alert internally
Get Help with Cyber Security and Incident Response
Connection Technologies works with UK businesses to put the right cyber security defences and response plans in place. From managed detection services to security audits and endpoint protection, we'll connect you with the right provider for your needs.