Under active attack right now?
  1. Disconnect affected systems from the network immediately
  2. Do NOT pay any ransom demands
  3. Report to the NCSC at report.ncsc.gov.uk
  4. Call Report Fraud on 0300 123 2040 (England, Wales, Northern Ireland) or Police Scotland on 101

Then return to this guide for detailed reporting requirements.

When your business experiences a cyber incident, you may need to report it to multiple authorities depending on what happened. Getting this right protects your business legally and helps you recover faster.

This guide covers who to contact, what to report, and when - including the critical 72-hour deadline for data breaches.

Step 1: Identify what type of incident you have

Different incidents require reporting to different authorities. Your incident may fall into one or more categories:

  • Cyber crime (ransomware, hacking, fraud, phishing that resulted in loss) - Report to Report Fraud or Police Scotland
  • Personal data breach (customer or employee data accessed, lost, or stolen) - Report to the ICO within 72 hours if there is risk to individuals
  • Significant cyber attack (affecting critical systems or national infrastructure) - Report to NCSC
  • Suspected phishing email (no breach yet) - Forward to report@phishing.gov.uk

Many incidents require reporting to multiple authorities. For example, a ransomware attack that encrypts customer data should be reported to both Report Fraud (the crime) and the ICO (the data breach).

Step 2: Report cyber crime to the police

All cyber crimes should be reported to help police build intelligence and catch criminals. Even if your individual case is not investigated, your report contributes to the national picture.

What to report to Report Fraud

When you contact Report Fraud (or Police Scotland), be ready to provide:

  • Your business name and contact details
  • When you discovered the incident (date and time)
  • What type of attack occurred (ransomware, business email compromise, invoice fraud, etc.)
  • How the attack happened (if known)
  • Financial losses (actual and potential)
  • Whether you have backups of affected data
  • Any evidence you have (emails, screenshots, ransom notes)

Important: Preserve evidence before attempting recovery. Take screenshots of ransom messages. Do not delete suspicious emails. Keep logs of what happened and when.

What happens after you report

You will receive a crime reference number. Keep this for insurance claims and other reports. Report Fraud passes reports to the National Fraud Intelligence Bureau (NFIB), which analyses patterns and allocates cases to local police forces for investigation where appropriate.

Note: Not every report results in a police investigation. Reports are prioritised based on severity, evidence available, and likelihood of identifying suspects.

Step 3: Report data breaches to the ICO

If the cyber incident involved personal data (names, email addresses, financial information, health data, etc.), you have a separate legal obligation under UK GDPR.

The 72-hour clock

You have 72 hours from when you become aware of a reportable breach to notify the ICO. This means:

  • The clock starts when you have reasonable certainty a breach occurred - not when your investigation is complete
  • Weekends and bank holidays count - the clock does not pause
  • If you cannot gather all information in 72 hours, report what you know and provide updates later

When in doubt, report. The ICO prefers you to report breaches that turn out to be less serious than expected, rather than fail to report serious breaches.

What to include in your ICO report

The ICO's online reporting tool asks for:

  • Your organisation details and Data Protection Officer (if you have one)
  • Nature of the breach (what happened)
  • Categories of personal data affected (names, financial, health, etc.)
  • Approximate number of individuals affected
  • Likely consequences for those individuals
  • Measures taken to address and mitigate the breach

You can submit an initial report with partial information and provide updates as your investigation progresses.

Step 4: Report significant attacks to NCSC

The National Cyber Security Centre (NCSC) is the UK government's technical authority on cyber security. Report to them if:

  • You are under active attack and need technical guidance
  • The attack affects critical national infrastructure or services
  • You have identified a new type of attack or vulnerability
  • The attack is sophisticated or state-sponsored
  • Multiple organisations appear to be targeted

The NCSC does not replace police reporting - report to both if appropriate.

NCSC Cyber Incident Response

For serious incidents, the NCSC maintains a list of Cyber Incident Response (CIR) Assured Service Providers - companies vetted to help organisations respond to and recover from cyber attacks. If you need professional incident response help, use an assured provider.

Step 5: Report phishing attempts

If you receive a suspicious email, text, or website link - but have not clicked on it or been compromised - forward it to the NCSC's Suspicious Email Reporting Service:

  • Suspicious emails: Forward to report@phishing.gov.uk
  • Suspicious text messages: Forward to 7726
  • Suspicious websites: Report at report.ncsc.gov.uk

The NCSC uses these reports to take down malicious websites and warn others. Over 10 million suspicious emails are reported each year.

Sector-specific reporting

Some sectors have additional reporting requirements to their regulators.

PROFESSIONAL & FINANCIAL… Requirement

Financial services firms

FCA and PRA-regulated firms must report material cyber incidents to their regulators in addition to Report Fraud and the ICO.

Follow your firm's existing incident notification procedures for FCA/PRA reporting. Significant incidents affecting customer data or service availability typically require notification within 24-72 hours.

HEALTHCARE & SOCIAL CARE Requirement

NHS organisations and suppliers

NHS organisations designated as Operators of Essential Services under NIS Regulations must report significant incidents to NHS England within 72 hours.

If you handle NHS patient data, also notify your NHS Digital contact and consider Caldicott Guardian involvement for patient confidentiality issues.

MANUFACTURING & ENGINEER… Requirement

Operators of Essential Services

If your organisation is designated as an Operator of Essential Services (OES) or Relevant Digital Service Provider (RDSP) under NIS Regulations, you must report incidents with significant impact to your sector regulator within 72 hours.

This is in addition to ICO and police reporting where applicable.

After reporting: what to do next

Reporting is just the first step. After you have notified the relevant authorities:

  1. Keep your reference numbers safe

    You will receive reference numbers from Report Fraud, the ICO, and potentially others. Keep these together - you will need them for insurance claims, follow-up communications, and if authorities contact you.

  2. Notify affected individuals (if required)

    If the breach is likely to result in a high risk to the individuals concerned, you must notify them directly. Tell them what happened, what data was affected, what you are doing about it, and what they can do to protect themselves.

  3. Document everything

    Keep a detailed timeline of the incident, your response, and all communications with authorities. This is required under UK GDPR and will help if you face questions later.

  4. Review your insurance

    If you have cyber insurance, notify your insurer as soon as possible. They may provide incident response support and will guide you on making a claim.

  5. Conduct a post-incident review

    Once the immediate crisis is over, review what went wrong and how to prevent it happening again. Update your security measures, policies, and staff training based on lessons learned.

Get help recovering

Beyond reporting, you may need help to recover from a cyber incident:

  • NCSC guidance: Free guidance on responding to specific attack types at ncsc.gov.uk
  • CIR Assured Providers: Vetted incident response companies for professional support
  • Cyber insurance: Your insurer may provide incident response services
  • IT support: Your existing IT provider or an emergency IT specialist

Do not pay ransoms. The NCSC and law enforcement strongly advise against paying ransoms. Payment does not guarantee you will get your data back, it funds criminal organisations, and it marks you as a target for future attacks.