Most people picture a data breach as a single dramatic moment: a hacker, a progress bar, an alarm. The reality for a UK business is slower, messier and more procedural than that, and understanding the real sequence (technical, legal and human) is what lets you respond well instead of panicking. This article walks through what genuinely happens from the first intrusion to the aftermath, including the UK-specific legal duties that catch many organisations off guard.
What counts as a data breach
First, a definition, because the word is used loosely. Under UK data protection law a personal data breach is broader than "hackers stole our data". It is any security incident leading to personal data being lost, destroyed, altered, disclosed or accessed without authorisation, whether deliberate or accidental. A laptop left on a train, an email sent to the wrong client list, or a misconfigured cloud folder are all breaches in the legal sense, not just the headline-grabbing hacks.
This matters because it widens your obligations considerably. Many UK businesses assume the rules only bite if a criminal is involved, then discover that a careless internal mistake triggers exactly the same legal duties. Whether something counts as a breach turns on the unauthorised access and the personal data involved, not on the cause.
The intrusion is slow and quiet
Where a criminal is involved, the popular image of an instant smash-and-grab is almost always wrong. Attackers typically get in through something mundane (a phished password, an unpatched system, a reused credential) and then move quietly. There is usually a long, silent period, often weeks, where they explore the network, escalate their access, identify the valuable data and, increasingly, locate and disable the backups so you cannot simply recover.
This 'dwell time' is the part businesses least expect and most regret, because it is the window where the damage is set up before anything visible happens. By the time you see the ransom note or the alarm, the attacker has usually been inside far longer than the moment of discovery suggests. It is also why behavioural detection matters so much: catching the quiet exploration is what prevents the loud finale, which is the reasoning behind endpoint detection and response (EDR) rather than plain antivirus.
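To make the "quiet exploration" point concrete, here is an added example (not the article's or any vendor's code): a behavioural rule run over constructed endpoint telemetry that alerts on the sequence of intrusion stages rather than on any single event, and reports how long the account had been active before the alert. The event names, the stage mapping, the 21-day window and the three-stage threshold are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry for illustration only (not from any real incident).
# Format per line: timestamp | account | host | event
SAMPLE_EVENTS = """\
2026-03-02T09:14:00 | j.smith | LAPTOP-07 | logon_success
2026-03-02T22:41:00 | j.smith | LAPTOP-07 | logon_from_new_country
2026-03-04T11:30:00 | a.jones | FILESRV-01 | share_enumeration
2026-03-05T01:12:00 | j.smith | FILESRV-01 | share_enumeration
2026-03-09T02:30:00 | j.smith | DC-01 | admin_group_member_added
2026-03-15T03:05:00 | j.smith | BACKUP-01 | backup_job_disabled
2026-03-15T03:07:00 | j.smith | BACKUP-01 | shadow_copies_deleted
"""
# Each low-signal event maps to a stage of the quiet phase (get in, explore,
# escalate, neuter the backups). Event and stage names are this example's own.
STAGE_OF_EVENT = {
    "logon_from_new_country": "initial_access",
    "share_enumeration": "discovery",
    "admin_group_member_added": "privilege_escalation",
    "backup_job_disabled": "backup_tampering",
    "shadow_copies_deleted": "backup_tampering",
}

def parse_events(text):
    """Parse the telemetry into chronologically sorted (ts, account, host, event) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, host, event = (field.strip() for field in line.split("|"))
        events.append((datetime.fromisoformat(ts), account, host, event))
    return sorted(events)

def behavioural_alerts(events, window=timedelta(days=21), min_stages=3):
    """Alert per account once >= min_stages distinct stages occur within `window`."""
    # No single event here is alarming on its own; the sequence is what gives it away.
    hits = defaultdict(list)
    for ts, account, host, event in events:
        if event in STAGE_OF_EVENT:
            hits[account].append((ts, STAGE_OF_EVENT[event], host))
    alerts = {}
    for account, seq in hits.items():
        for i, (first_ts, _, _) in enumerate(seq):
            in_window = [h for h in seq[i:] if h[0] - first_ts <= window]
            stages = {stage for _, stage, _ in in_window}
            if len(stages) >= min_stages:
                alerts[account] = {"stages": sorted(stages),
                                   "hosts": sorted({host for _, _, host in in_window}),
                                   "dwell_days": (in_window[-1][0] - first_ts).days}
                break  # one alert per account is enough to open an investigation
    return alerts
```

Run against the sample, only the account that passes through several stages is flagged, and the 12-day dwell figure is exactly the window a plain signature-based tool would have stayed silent through.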
Discovery, containment and the 72-hour clock
Discovery is rarely tidy. You might be alerted by your own security tooling, by a customer noticing something wrong, by your systems suddenly being encrypted, or by a regulator or bank telling you. The immediate priority is containment: stopping the bleeding by isolating affected systems, revoking compromised access and preserving evidence, ideally following a plan rehearsed in advance rather than improvised under stress.
Then the UK-specific clock starts. If the breach involves personal data and poses a risk to people, you generally must report it to the Information Commissioner's Office within 72 hours of becoming aware of it, and if the risk to individuals is high you must also tell the affected people. Seventy-two hours is far less time than it sounds once you are also trying to contain an active incident, which is precisely why having an incident response plan ready beforehand is worth so much. We cover that readiness in our incident response service.
- A breach is any unauthorised access, loss or disclosure of personal data, accidental or deliberate
- Criminal intrusions usually involve weeks of quiet activity before discovery
- Containment comes first: isolate, revoke access, preserve evidence
- UK rules give you roughly 72 hours to report a risky breach to the ICO
The aftermath: cost, law and reputation
The visible attack is often the cheaper part of a breach. The aftermath is where the real cost lands: investigating exactly what was taken (which is harder and slower than people expect), rebuilding or restoring systems, notifying customers, fielding their questions, and managing the reputational hit. For regulated UK businesses there may be formal investigations, and the ICO can impose significant fines, though in practice it weighs how seriously you took your obligations and how well you responded.
There is a hard truth here that shapes good preparation: regulators and customers judge you far less on the fact that you were breached, which can happen to anyone, and far more on whether you had taken reasonable precautions and whether you handled it competently. A business that had sensible controls, a tested plan and an honest, prompt response fares dramatically better, legally and reputationally, than one that was negligent and then floundered. We touch on the data protection duties in detail in UK GDPR for IT teams.
Why this is getting harder in 2026
Two trends are making breaches both more likely and more damaging, and they are worth naming. The first is double extortion: ransomware gangs no longer just encrypt your data; they steal a copy first and threaten to publish it, so even a flawless backup-led recovery does not stop them leaking your customers' information. The second is the industrialisation of attacks, with phishing and intrusion tooling sold as polished services and increasingly assisted by AI, which lowers the skill needed to mount a convincing attack and raises the volume.
Neither trend changes the fundamentals, which is the reassuring part. The same boring, effective precautions (multi-factor authentication, staff awareness, behavioural endpoint protection, immutable backups and a rehearsed response plan) remain what separates a contained incident from a business-ending one. Our ransomware protection and managed detection and response services are built around exactly that defence-in-depth, and the worst outcomes almost always trace back to a precaution that was skipped.