Incident response

What to do in the first 72 hours after a data breach

The first few hours after discovering a breach shape everything that follows. A clear, calm sequence limits the damage and keeps you on the right side of your obligations.

By Crywex6 min read

Hours 0–4: contain

Your first priority is to stop the situation getting worse without destroying evidence.

  • Isolate affected devices from the network — don't necessarily power them off.
  • Reset credentials for affected accounts and enable MFA if it isn't already on.
  • Preserve logs and take notes of what you see and when.
  • Bring in the right people early: leadership, IT/security support, and if needed, legal.

Want a plain-English view of where your business stands?

Book a free cyber health check

Hours 4–24: assess

Work out what happened and what was affected. What data or systems were involved? Is personal data in scope? Is the attacker still active?

Resist the urge to wipe everything immediately — understanding the scope first helps you recover cleanly and avoid reinfection.

Within 72 hours: report where required

If personal data is affected, UK GDPR may require you to report the breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware, where the breach meets the reporting threshold. Check current ICO guidance for your situation.

You may also have contractual duties to notify clients or partners, and obligations to affected individuals in higher-risk cases.

When in doubt about reporting obligations, take advice early. It's easier to decide not to report than to explain a late one.

Days 1–3: communicate and recover

Communicate honestly and consistently with staff, and with customers where appropriate. Restore from clean backups, confirm the attacker's access is closed, and keep documenting throughout.

Once the immediate incident is under control, hold a short review to capture what happened and what to improve.

Turn this into an action plan

Book a free cyber health check and get a plain-English view of where your business stands.

Book a free cyber health check