Data Breach

What to do if your website is hacked — a data breach response guide

Discovering that your website has been hacked, or that customer data has been exposed, is stressful. Knowing in advance what to do — and in what order — makes an enormous difference to the outcome. Here is a step-by-step response guide.

Step 1 — Contain the breach immediately

Before anything else, stop further damage. Depending on the nature of the breach:

  • Isolate the affected system (disconnect it from the network or block its traffic at the firewall) if it is actively being exploited. Prefer isolation to a shutdown where you can: a reboot destroys in-memory evidence such as running processes and live connections.
  • Revoke compromised credentials (passwords, API keys, tokens, session cookies), plus any secrets the attacker could have read from the compromised system, such as database passwords in configuration files.
  • Block the attacker's access vector (IP address, exploited endpoint, vulnerable plugin or component).
  • Preserve evidence: copy logs, database audit trails and affected files to a separate location and record their hashes before anything else is changed. Do not delete or overwrite logs or affected files until they have been documented.

Do not restore from backup until you understand how the breach occurred — or the attacker may re-enter through the same vulnerability.
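As an added example (not part of this guide), the evidence-preservation step as a small Python script: it copies each log file into an evidence directory, records a SHA-256 hash, size, host and collection time in a manifest, makes the copies read-only, and can later re-verify that nothing was altered. The case ID, paths and the single log line are constructed for the demonstration.

```python
import hashlib
import json
import shutil
import socket
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024

# Constructed sample log line used by demo(); not from a real incident.
SAMPLE_LOG_LINE = (
    '203.0.113.7 - - [12/Mar/2024:02:14:09 +0000] '
    '"GET /admin/export?all=1 HTTP/1.1" 200 918211\n'
)


def sha256_file(path):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(sources, evidence_dir, case_id):
    """Copy each source into evidence_dir, hash it, and write a manifest.

    The hash is taken from the original before copying and checked against
    the copy, so the manifest attests what was on disk at collection time.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        original_hash = sha256_file(src)
        st = src.stat()
        dest = evidence_dir / f"{src.name}.{original_hash[:12]}"
        shutil.copy2(src, dest)           # copy2 keeps the original mtime
        if sha256_file(dest) != original_hash:
            raise RuntimeError(f"copy of {src} does not match its source")
        dest.chmod(stat.S_IRUSR)          # read-only: evidence is never edited in place
        entries.append({
            "source": str(src.resolve()),
            "copy": str(dest.resolve()),
            "sha256": original_hash,
            "size": st.st_size,
            "source_mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    manifest = {
        "case_id": case_id,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_on": socket.gethostname(),
        "files": entries,
    }
    manifest_path = evidence_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    manifest_path.chmod(stat.S_IRUSR)
    return manifest


def verify_manifest(manifest_path):
    """Re-hash every preserved copy; return the paths that no longer match."""
    manifest = json.loads(Path(manifest_path).read_text())
    return [
        e["copy"] for e in manifest["files"]
        if not Path(e["copy"]).exists() or sha256_file(Path(e["copy"])) != e["sha256"]
    ]


def demo():
    """Preserve a constructed log, verify it, tamper with the copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "access.log"
        log.write_text(SAMPLE_LOG_LINE)
        manifest = preserve_evidence([log], Path(tmp) / "evidence", "IR-0001")
        manifest_path = Path(tmp) / "evidence" / "manifest.json"
        clean = verify_manifest(manifest_path)

        copy = Path(manifest["files"][0]["copy"])
        copy.chmod(stat.S_IRUSR | stat.S_IWUSR)   # undo read-only to simulate tampering
        with open(copy, "a") as f:
            f.write("attacker edited this\n")
        tampered = verify_manifest(manifest_path)

        recorded = manifest["files"][0]["sha256"]
        return {
            "recorded_sha256": recorded,
            "hash_matches_content": recorded == hashlib.sha256(SAMPLE_LOG_LINE.encode()).hexdigest(),
            "clean_before_tamper": clean == [],
            "tamper_detected": tampered == [str(copy)],
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest and copies somewhere the compromised host cannot write to (an evidence share or offline media), and re-run the verification before handing anything to investigators or a regulator.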

Step 2 — Assess what was exposed

Determine the scope of the breach. Ask:

  • What personal data was potentially accessed or exfiltrated?
  • Whose data is affected — customers, employees, prospects?
  • How many individuals are affected?
  • What categories of data are involved — names, emails, payment card data, health information, passwords?
  • Is the data encrypted or hashed, and if so, were the keys or salts also exposed? Passwords stored with a fast, unsalted hash (e.g. MD5 or SHA-1) should be treated as exposed; only a proper password hash such as bcrypt or Argon2 materially reduces the risk.

The answers determine what notifications are legally required.
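An added example (not from the guide) of turning the scope questions into a log triage: given web server access logs in combined format, the attacker's IP addresses and the window in which they had access, it lists which customer records were successfully fetched, which personal-data categories those endpoints return, and whether a bulk export occurred that makes the per-record count unreliable. The endpoint-to-category table and the log lines are constructed assumptions for a hypothetical site; a real application needs its own table.

```python
import re
from datetime import datetime, timezone

# Combined log format as written by nginx/Apache.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Assumed map from this hypothetical site's endpoints to the personal-data
# categories they return. Patterns with an "id" group identify one individual.
ENDPOINT_CATEGORIES = {
    re.compile(r"^/api/customers/(?P<id>\d+)$"): {"name", "email", "postal address"},
    re.compile(r"^/api/customers/(?P<id>\d+)/orders$"): {"order history", "last 4 card digits"},
    re.compile(r"^/api/users/(?P<id>\d+)/credentials$"): {"password hash"},
    re.compile(r"^/admin/export$"): {"name", "email", "postal address", "order history"},
}

# Constructed sample log: one attacker IP, an unrelated visitor, a denied
# request, a request outside the window, and a bulk export.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:02:14:09 +0000] "GET /api/customers/1042 HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:02:14:11 +0000] "GET /api/customers/1043 HTTP/1.1" 200 498
203.0.113.7 - - [12/Mar/2024:02:14:12 +0000] "GET /api/customers/1044 HTTP/1.1" 403 0
203.0.113.7 - - [12/Mar/2024:02:14:15 +0000] "GET /api/customers/1042/orders HTTP/1.1" 200 2048
198.51.100.22 - - [12/Mar/2024:02:15:00 +0000] "GET /api/customers/1050 HTTP/1.1" 200 500
203.0.113.7 - - [12/Mar/2024:02:20:41 +0000] "GET /admin/export?all=1 HTTP/1.1" 200 918211
203.0.113.7 - - [11/Mar/2024:22:00:00 +0000] "GET /api/customers/1001 HTTP/1.1" 200 500
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def assess_scope(log_lines, attacker_ips, window_start, window_end):
    """Summarise which individuals and data categories the attacker reached."""
    affected_ids, categories, bulk_exports = set(), set(), []
    matching = 0
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] not in attacker_ips:
            continue
        if not window_start <= rec["ts"] <= window_end:
            continue
        if not 200 <= rec["status"] < 300:     # 403/404/500 returned no data
            continue
        path = rec["path"].split("?", 1)[0]    # drop the query string before matching
        for pattern, cats in ENDPOINT_CATEGORIES.items():
            m = pattern.match(path)
            if m is None:
                continue
            matching += 1
            categories |= cats
            if "id" in m.groupdict():
                affected_ids.add(m.group("id"))
            else:   # bulk endpoint: the log cannot tell us which individuals were in it
                bulk_exports.append((rec["ts"].isoformat(), rec["path"], rec["bytes"]))
    return {
        "matching_requests": matching,
        "individuals_by_id": sorted(affected_ids, key=int),
        "data_categories": sorted(categories),
        "bulk_exports": bulk_exports,
        "count_is_reliable": not bulk_exports,
    }


def demo():
    return assess_scope(
        SAMPLE_LOG.splitlines(),
        attacker_ips={"203.0.113.7"},
        window_start=datetime(2024, 3, 12, 2, 0, tzinfo=timezone.utc),
        window_end=datetime(2024, 3, 12, 3, 0, tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

When a bulk export shows up, the honest answer to "how many individuals" is "everyone that export could return", and the notification decisions in the following steps should be based on that upper bound rather than on the handful of IDs visible in the log.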

Step 3 — Notify your supervisory authority (within 72 hours)

Under GDPR and UK GDPR (Article 33), if the breach is likely to result in a risk to individuals' rights and freedoms, you must notify your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. In the UK this is the ICO (report.ico.org.uk). In the EU, it is your national data protection authority.

The 72-hour clock starts when you become aware, not when the breach occurred. You do not need to wait until you have complete information; you can submit an initial report and follow up with more details as the investigation progresses. If you do miss the 72 hours, the notification must state the reasons for the delay.

If the breach is unlikely to result in risk (e.g., an encrypted backup file was lost with no evidence of access), notification may not be required — but document your reasoning.

Step 4 — Notify affected individuals

If the breach is likely to result in a high risk to individuals (e.g., financial data, medical records, passwords, or data that could enable identity theft), you must notify the affected individuals directly, without undue delay (Article 34). Notification is not required where the data was rendered unintelligible to the attacker, for example strong encryption with keys that were not themselves compromised; this is why the encryption question in Step 2 matters.

The notification must explain, in plain language: what happened, what data was involved, the likely consequences, the steps you are taking to address it, and what they can do to protect themselves (e.g., reset passwords, watch for phishing that uses the stolen data, credit monitoring advice).

Step 5 — Notify other parties

Depending on your situation, you may also need to notify:

  • Payment card companies and your payment processor if card data was involved
  • Cyber insurance provider if you have a policy
  • Legal counsel if significant liability is likely
  • Law enforcement if data theft is suspected

Step 6 — Remediate and document

Fix the vulnerability that was exploited. Only then restore systems from backups taken before the intrusion, and check the restored systems for the attacker's changes (web shells, added admin accounts, scheduled tasks). Rotate all passwords and credentials, not just those known to be compromised, since attackers typically harvest more than they use. Document everything: what happened, when, what decisions were made, and why. This documentation is your defence if the ICO or another supervisory authority investigates.

Step 7 — Review and prevent recurrence

After the immediate crisis is resolved: conduct a root cause analysis, review your security measures, update your incident response plan, and consider whether staff training is needed. Regulators look more favourably on businesses that can demonstrate they learned from a breach.
