Your Data's Been Breached. Here's Exactly What To Do.
Whether a password has leaked, an account's been taken over, or your organisation has suffered a breach — the first hours matter. This is a clear, comprehensive UK playbook for individuals and businesses, including when you must report to the ICO.
General information, not legal advice. UK processes and figures were reviewed in June 2026 — always check the linked official sources, which take precedence.
How Credentials Get Stolen
Most account takeovers start in one of four ways. Knowing which one you're facing shapes your response.
Infostealer Malware
Malware on a device silently lifts every saved password, session cookie and autofill entry from the browser in seconds, then sends them to criminals. The device itself is compromised — not just one account.
Third-Party Breaches
A company you have an account with is hacked and its user database is stolen. Your password is exposed even though you did nothing wrong — and reused passwords put your other accounts at risk too.
Phishing & Fake Logins
A convincing email or text lures you to a fake login page that captures your username, password and even your two-factor code as you type them.
Combolists & Credential Stuffing
Old breached credentials are bundled into huge lists and fired at login pages by automated tools. If you've reused a password, one old leak can unlock many current accounts.
Signs You've Been Compromised
Act if you notice any of these — don't wait for confirmation.
Unexpected login alerts
Sign-in alerts, password resets or 2FA prompts you didn't trigger.
Locked out of an account
Your password stops working, or your recovery email and phone were changed without you.
Activity you don't recognise
Messages, purchases, new payees or posts that aren't yours.
If This Happened To You: Do This Now
Work through these in order. The first three stop the bleeding; the rest limit the damage and help others.
Change the important accounts first — email, then banking, then anything that reuses the same password. Your email is the master key: whoever controls it can reset everything else.
If the leak came from malware on your device, clean the device before changing passwords. Resetting a password from an infected machine simply hands the attacker the new one. Run a reputable antivirus scan, or have the device professionally checked, first.
1. Change the exposed password — and any reuse
Set a new, unique password on the affected account and on every other account that shared it. Three random words make a strong, memorable password; better still, let a password manager generate and store them.
2. Turn on two-factor authentication
Add 2FA to email, banking and social accounts first. Prefer an authenticator app or hardware key over SMS, which is vulnerable to SIM-swap attacks. Where offered, switch to passkeys — there's no password left to steal.
3. Check your device for malware
If your saved passwords leaked, treat the device as suspect. Run a full antivirus scan and apply all updates. Until it's clean, assume anything you type is being captured.
4. Sign out everywhere
In each affected account's security settings, revoke active sessions and 'sign out of all devices'. Stolen session cookies can keep an attacker logged in even after a password change — this closes that door.
5. Watch for fraud and follow-up scams
Expect targeted phishing after a breach — criminals know what you use. Your bank will never ask for full passwords or codes. Check statements and report anything unfamiliar to your bank immediately; you may be entitled to reimbursement for fraudulent payments.
6. Protect your identity
Check your credit reports with the UK credit reference agencies for accounts you didn't open. If you're worried about identity fraud, a CIFAS Protective Registration (£30 for two years) flags your details so member organisations apply extra checks — it doesn't affect your credit score.
7. Report it
In England, Wales and Northern Ireland, report fraud and cyber crime to Report Fraud (the City of London Police service that replaced Action Fraud) online or on 0300 123 2040. In Scotland, contact Police Scotland on 101. Report scam texts to 7726 and scam emails to report@phishing.gov.uk.
8. Complain to the ICO about the organisation
If a company mishandled your personal data, raise it with them first. If they don't put it right, you can complain to the Information Commissioner's Office. The ICO can't award you compensation, but you can claim that separately from the organisation.
If Your Organisation Was Breached
If you hold other people's personal data, a breach brings legal duties under UK GDPR. Move fast and document everything.
1. Contain it
Stop the breach spreading: isolate affected systems, revoke compromised credentials and sessions, force password resets, and preserve logs and evidence before anything is wiped.
2. Assess the risk
Establish what data was involved, how many people are affected, and the likely impact on them. This risk assessment decides whether you must notify the ICO and the individuals.
3. Report to the ICO within 72 hours
If the breach is likely to result in a risk to people's rights and freedoms, you must notify the ICO without undue delay — and no later than 72 hours after becoming aware. See the rule in detail below.
4. Tell affected individuals
If the breach is likely to result in a high risk to people, you must inform them without undue delay, in plain language, with practical steps they can take to protect themselves.
5. Report the crime and get support
Report cyber crime to Report Fraud (or Police Scotland on 101). The NCSC offers guidance and support for organisations, and you may have sector-specific regulators (such as the FCA) to notify as well.
6. Record everything
You must document all personal data breaches — including ones you decide not to report — with the facts, effects and remedial action. The ICO can ask to see these records.
The 72-Hour Rule (UK GDPR Article 33)
You must report a notifiable personal data breach to the ICO without undue delay and within 72 hours of becoming aware of it. If you take longer, you must explain why.
When you must report: Report unless the breach is unlikely to result in a risk to people's rights and freedoms. If in doubt, the ICO advises you to report it.
What your report must include: What happened and when; the categories and approximate number of people and records affected; the likely consequences; the measures you've taken or propose to take; and a contact point (your DPO, if you have one). You can report in phases if you don't have everything within 72 hours.
Telling the people affected: Separately, if the breach is likely to result in a high risk to individuals, you must also tell them directly and without undue delay (Article 34).
Why it matters: Failing to notify when required can attract a fine of up to £8.7 million or 2% of global annual turnover. The most serious infringements can reach £17.5 million or 4%.
Catch the next one before it's a breach
Most breaches begin with credentials stolen months earlier. DarkStrata monitors your domains for exposed employee logins across infostealer logs, breaches and criminal marketplaces — so you can act on them before they ever become a 72-hour notification.
Scenario Playbooks
Quick guidance for the most common situations.
A single password leaked
Change it now, and change it anywhere you reused it. Turn on 2FA. If only a scrambled (hashed) copy leaked, enabling 2FA usually closes the risk entirely.
You're in a company's breach
Confirm via the company's official website — not links in the email. Change that account's password and any reuse, enable 2FA, and watch for breach-themed phishing in the following weeks.
Your device was infected
Clean the device first, then change every saved password from a clean device, and sign out of all sessions everywhere. Assume everything stored in the browser was taken.
Logged in despite a password change
Stolen session cookies bypass passwords and even MFA. Use 'sign out of all devices' on each account to invalidate active sessions, then change the password again from a clean device.
Stay Safer From Here
A few habits prevent most account takeovers.
Unique password per account
Reuse is what turns one leak into many. A password manager generates and remembers a different strong password for every account so you don't have to.
Use passkeys where offered
Passkeys replace passwords with a key held by your device and unlocked by your fingerprint or face. There's nothing to leak, reuse or phish, and they only work on the genuine site.
Two-factor everywhere that matters
Turn on 2FA for email, banking and social first. Prefer an authenticator app or hardware key over SMS, and keep your backup codes somewhere offline.
Where To Get Help (UK)
Official sources for reporting and advice.
Frequently Asked Questions
The questions people ask most after a breach.
Do I have to report a data breach to the ICO?
If you're an organisation and a personal data breach is likely to result in a risk to people's rights and freedoms, yes — within 72 hours of becoming aware. If it's unlikely to result in a risk, you don't report it, but you must still record it. If in doubt, the ICO advises reporting.
What is the 72-hour rule?
Under UK GDPR Article 33, an organisation must notify the ICO of a notifiable breach without undue delay and no later than 72 hours after becoming aware of it. You can report in phases if the full picture isn't clear yet, and you must explain any delay beyond 72 hours.
I'm an individual — do I report a breach to the ICO myself?
The 72-hour duty falls on the organisation that lost your data, not on you. As an individual you can complain to the ICO about how an organisation handled your data (after raising it with them first), and report any resulting fraud to Report Fraud, or Police Scotland in Scotland.
How do I check if my password or email has been leaked?
Use a reputable breach-checking tool such as Have I Been Pwned to see if your email appears in known breaches. If it does, change the password on that account and anywhere you reused it, and turn on two-factor authentication.
Only a 'hashed' password was leaked — am I safe?
A hash is a scrambled version of your password, not the password itself, so it's lower risk — especially if it was strong and unique. Still change it to be safe, and turning on two-factor authentication usually closes the risk entirely.
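The answer above (and the "A single password leaked" playbook earlier) hinges on two things: whether the password itself was strong and unique, and how the site stored the hash. The following is an added example, not code from this article or from DarkStrata, that shows both properties with Python's standard library. The common-password list, the sample passwords and the leaked records are all constructed for illustration.

```python
"""Why "only a hashed password leaked" is only reassuring for strong, unique
passwords stored properly. Added example, not from the article; the password
list and the sample records below are constructed for illustration."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the public lists of the most-used passwords that a
# leaked hash dump is routinely compared against.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "password1", "liverpool"]


def fast_unsalted_hash(password: str) -> str:
    """How a carelessly built site stores passwords: one fast, unsalted SHA-256.
    The same password always yields the same hash, on this site and every other."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: bytes) -> str:
    """How a site should store passwords: a random per-user salt and a slow,
    memory-hard KDF (scrypt), so every guess is costly and has to be repeated
    separately for every user in the dump."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32).hex()


def common_password_for(leaked_unsalted_hash: str) -> Optional[str]:
    """Identify a leaked unsalted hash as a known common password, if it is one.
    One precomputed table resolves every weak record in a dump at once, which is
    why an unsalted hash of a common password is effectively plaintext."""
    table = {fast_unsalted_hash(p): p for p in COMMON_PASSWORDS}
    return table.get(leaked_unsalted_hash)


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Server-side check of a salted hash; every attempt must redo the full scrypt."""
    return hmac.compare_digest(slow_salted_hash(password, salt), stored_hex)


def demo() -> dict:
    weak = "password1"                 # appears on every common-password list
    strong = "harbour velvet kestrel"  # three random words, used nowhere else (constructed)
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    return {
        # Unsalted fast hash of a common password: identified immediately.
        "weak_unsalted_identified": common_password_for(fast_unsalted_hash(weak)) == weak,
        # Unsalted fast hash of a unique three-word password: on no list.
        "strong_unsalted_identified": common_password_for(fast_unsalted_hash(strong)) is not None,
        # Salted: the same password in two breaches gives two different hashes,
        # so a precomputed table is useless and each record costs its own scrypt work.
        "salted_hashes_differ": slow_salted_hash(weak, salt_a) != slow_salted_hash(weak, salt_b),
        "salted_verify_correct": verify_salted(weak, salt_a, slow_salted_hash(weak, salt_a)),
        "salted_verify_wrong_pw": verify_salted(strong, salt_a, slow_salted_hash(weak, salt_a)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical reading: you rarely know which storage scheme the breached site used, so "hashed" tells you little on its own, whereas a unique three-random-words password is not on any list regardless of scheme, and enabling 2FA removes the password as the only thing standing between an attacker and the account.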
Someone got in even though I have MFA — how?
Attackers can steal session cookies (often via infostealer malware), which represent an already-authenticated session and bypass both your password and MFA. Use 'sign out of all devices' to invalidate active sessions, then change your password from a clean device.
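The mechanism behind this answer, and behind step 4 ("Sign out everywhere") and the "Logged in despite a password change" playbook, is that a web service checks the session cookie on every request, not the password. The following is an added example, not code from this article or from DarkStrata: an in-memory model of the session table a service keeps server-side, showing why a copied cookie survives a password change and why "sign out of all devices" invalidates it. Account names, passwords and the stolen-cookie scenario are constructed.

```python
"""Why a stolen session cookie survives a password change but not 'sign out of
all devices'. Added example, not from the article: an in-memory model of the
server-side session table. All names and values are constructed."""
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # One deliberately slow derivation per stored password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Server-side state: accounts plus the sessions issued to browsers as cookies."""

    def __init__(self) -> None:
        self._accounts = {}  # username -> {"salt", "hash", "generation"}
        self._sessions = {}  # cookie value -> (username, generation at issue time)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = {
            "salt": salt,
            "hash": _hash_password(password, salt),
            "generation": 0,  # bumped whenever the user signs out everywhere
        }

    def login(self, username: str, password: str):
        """The only place the password is checked; success mints a random cookie."""
        acct = self._accounts.get(username)
        if acct is None:
            return None
        if not hmac.compare_digest(acct["hash"], _hash_password(password, acct["salt"])):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = (username, acct["generation"])
        return cookie

    def is_authenticated(self, cookie: str) -> bool:
        """What the server checks on every request after login. Nothing here
        looks at the password hash, so a password change cannot fail this check;
        only deleting the session or bumping the generation can."""
        entry = self._sessions.get(cookie)
        if entry is None:
            return False
        username, issued_generation = entry
        return issued_generation == self._accounts[username]["generation"]

    def change_password(self, username: str, new_password: str) -> None:
        """Models services that rotate the hash but leave existing sessions alone."""
        acct = self._accounts[username]
        acct["salt"] = os.urandom(16)
        acct["hash"] = _hash_password(new_password, acct["salt"])

    def sign_out_everywhere(self, username: str) -> int:
        """'Sign out of all devices': every session issued so far becomes invalid,
        both by deletion and by the generation counter moving on."""
        self._accounts[username]["generation"] += 1
        stale = [c for c, (u, _) in self._sessions.items() if u == username]
        for cookie in stale:
            del self._sessions[cookie]
        return len(stale)


def demo() -> dict:
    store = SessionStore()
    store.register("alice", "old-password")
    # Constructed scenario: an infostealer copied this cookie from the browser.
    stolen_cookie = store.login("alice", "old-password")
    results = {"stolen_cookie_valid_at_theft": store.is_authenticated(stolen_cookie)}
    store.change_password("alice", "new-unique-password")
    results["stolen_cookie_valid_after_password_change"] = store.is_authenticated(stolen_cookie)
    results["sessions_revoked"] = store.sign_out_everywhere("alice")
    results["stolen_cookie_valid_after_sign_out_everywhere"] = store.is_authenticated(stolen_cookie)
    results["old_password_still_works"] = store.login("alice", "old-password") is not None
    results["fresh_login_works"] = store.login("alice", "new-unique-password") is not None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Order matters for the same reason the playbook gives: if the device that holds the browser is still infected, the fresh cookie minted by the new login is copied just like the old one was, so clean the device, then revoke sessions, then change the password from the clean device.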
Find Out What's Already Exposed
DarkStrata monitors infostealer logs, breaches and criminal marketplaces for your credentials — so you can act before attackers do.