Business data breach and theft

A data breach involves unauthorised access to, or disclosure of, sensitive, confidential or otherwise protected data. This may be personal information (for example about health or financial accounts), trade secrets or intellectual property.

Data theft is the stealing of digital information from an individual or an organisation with the intention of compromising privacy or obtaining confidential information.

Impact of data breach or theft

The exact impact of a data breach or theft will vary from one organisation to another. However, the common consequences that you will need to consider are:

  • financial loss
  • reputation damage
  • operational disruption
  • monetary penalties (if you fail to comply with data protection laws)

Risks to your data can come from:

  • unauthorised access to your IT systems and networks
  • theft of property or equipment from your premises
  • transporting data externally on insecure devices
  • failure to follow data protection processes and principles, with or without intent

How to prevent data breach

To protect your business data, you should think about:

  • where and how you store it
  • how you secure it (physically and electronically)
  • who has access to it
  • how that access is facilitated (eg individual devices)

Back up your data

You should back up your important data regularly and store it securely off-site. For added protection, you can use data loss prevention software to:

  • disable USB ports
  • monitor copying of files to storage media
  • prevent users from transferring the data altogether

Read the National Cyber Security Centre's (NCSC) detailed guidance on the importance of backing up your data.

Create an asset register

As part of your security measures, you should create an asset register that covers all hardware and software, including your server equipment. Determine which assets are at risk from cyber attack and record all the relevant details. Audit the register regularly to ensure that equipment is accounted for and that the information it holds is safe and secure.

Dealing with a data breach

If you believe that data has been stolen, or you have been exposed to a scam or fraud, you will have to take action to:

  • prevent the data breach from continuing
  • discover the extent of the damage
  • clean up the results

Your incident response will depend on the circumstances. You may need to take specific advice from the police or legal advisors, but generally speaking, you should:

  • report the incident to the relevant authority
  • inform your bank
  • check bank accounts for unexplained transactions
  • check your business's credit record for any unexpected changes
  • consider hiring an IT security specialist to investigate the breach
  • consider hiring a specialist to rebuild or replace parts of your IT infrastructure, if necessary

Find out how to develop a cyber security incident response plan.

The NCSC provides detailed resources to help you effectively detect, respond to and resolve cyber incidents. You should consult the following:

You can also use the NCSC's free Check your cyber security service to perform a range of simple online checks to identify common vulnerabilities in your public-facing IT.

The NCSC also offers a free Cyber Action Plan. By answering a few simple questions, you can get a free personalised action plan that lists what you or your organisation can do right now to protect against cyber attack.

Reporting a data breach

As part of managing the incident, you may need to let people or organisations know about the security breach. You may need to notify:

  • the regulators, if the breach is significant or if you've failed to comply with data protection legislation
  • individuals or groups whose personal data has been compromised
  • relevant industry bodies, eg in the financial or telecommunications sector

Different agencies have different remits in terms of investigating and assisting with cases of online fraud, data breaches and cyber crime. Find out how to report a cyber crime.

Under the UK General Data Protection Regulation (UK GDPR), you must report a serious personal data breach to the Information Commissioner's Office (ICO) if the breach is likely to result in a risk to people's rights and freedoms.