How to respond to a data breach

In the UK the average cost of a data breach has grown to over £2.5 million and the reputational harm a breach does to a business can be even worse.

A data breach is a security incident in which information is accessed without authorisation. In the last few years millions of personal details have been stolen. Organisations targeted and breached include; British Airways, Yahoo, Facebook, Dixons Carphone, Marriot Hotels, eBay, Equifax and Travelex.

Information involved in a data breach usually consists of:

  • Sensitive business data: Information that could impact the reputation or profitability.
  • Financial information: Customer bank details, debit or credit card information.
  • Personally Identifiable Information (PII): Examples include full name, National Insurance number, bank account number or email address.
  • Protected Health Information (PHI): Medical information that identifies an individual.

How to respond to a breach:

  • Determine the scale of the breach: What data and how many records were compromised.
  • How was the data exposed: Trace the path of the attacker, did they move from one system to another? Police cybercrime units can offer expert advice – ask for support.
  • Document everything: Who, what, when and why is needed for external agencies but, committing pen to paper will also identify the next logical steps and support a response to future incidents by identifying the appropriate corrective actions.
  • Isolate compromised systems: Once isolated, attempt to sanitise them. If an application vulnerability is being exploited, take the application offline. If a malicious insider has leaked information, cut off their access to the organisation’s network.
  • Instigate business continuity plan. Determine what critical processes must take place and the data these processes need. Have work-arounds been planned out in advance?
  • Never underestimate how long an attacker has been entrenched in your systems and what damage may be done.
  • Never log into an infected machine with administrative credentials or plug in your backup.


  • Breaches need to be reported to the Information Commissioner’s Office (ICO) and to individuals if they pose a ‘high risk’. Risk refers to the possibility of affected individuals facing economic or social damage, such as discrimination, reputational damage or financial losses.
  • You must notify the ICO within 72 hours and affected individuals without ‘undue delay’.
  • If a crime has been committed, contact Action Fraud.
  • If your organisation is affected by industry regulations, other 3rd parties might need informing, seek legal advice if in doubt.
  • Determine ways for affected individuals, third parties and the media to make contact.

Security is a major concern for all businesses and creating a secure IT environment should be at the top of any business agenda. For more information about how TiG Data Intelligence can help your business take a look at the Guardian page or contact us.

Related insights

Nothing found.

Enabling specialist UK businesses to unleash their true potential.

Get in touch