If your business has just been hacked, do three things now: disconnect the affected devices from the internet and your network, change the passwords on your most important accounts from a separate, clean device, and call your IT provider so someone who knows what they are doing can take over. Then report it. A live attack on a UK business is reported to the police on 0300 123 2040, and if personal data has been exposed you have 72 hours to tell the ICO.
That is the short version. The rest of this page takes it slowly, because the worst decisions in a cyber incident almost always get made in the first panicked hour.
First, stop it spreading (the first 30 minutes)
Right now your job is to stop the attacker reaching anything else, not to fix the whole problem. Speed matters more than being tidy about it.
Disconnect the affected machines from the network. Unplug the network cable and switch off Wi-Fi on anything you think is compromised: the PC showing a ransomware demand, the laptop firing out odd emails, the server behaving strangely. Disconnecting is not the same as switching off, and the difference matters (more on that below).
Do not turn the machine off or wipe it. Powering down can destroy evidence held in memory that helps work out exactly what happened.
Change passwords from a clean device. Grab a phone or a laptop you are confident is unaffected and start with the accounts that hurt most if lost: email (the admin mailbox above all), online banking, Microsoft 365, your domain and web hosting, and your accounting software. Never type a new password into a machine you suspect is compromised - the attacker may be watching the keystrokes.
Call your IT support straight away. The sooner they are in, the more options stay open. If you are a Coffee Cup client, this is exactly what our support line is for.
No IT support to call? The NCSC publishes free small-business guidance and a response toolkit, and the police reporting line below can talk you through the urgent next steps.
Why you must not delete anything yet
The instinct is to make the problem vanish - bin the dodgy emails, reinstall Windows, restore everything in a hurry. Don't. The logs, the files and the current state of the affected machines are the evidence an engineer needs to answer the questions that actually matter:
How did they get in, so you can shut that door rather than leave it propped open?
What did they touch or take? This is what decides whether you have a reportable data breach.
Are they still inside? Restoring on top of an active intruder just hands them a clean system to play with.
That evidence earns its keep in two other ways. Your cyber insurance claim will almost certainly depend on it, and many insurers want notifying before you start fixing anything - call them early or you risk voiding the cover. And if you later need to show the ICO that you handled the breach properly, a clear record of what happened and when is precisely what they will ask to see.
Who to report a hack to in the UK
There is no single hotline that covers everything, which is why owners so often miss a step. Here is who to contact, and when.
The police (Action Fraud / Report Fraud)
For a live attack that is still affecting your systems, call the national fraud and cyber crime line on 0300 123 2040. It is staffed 24 hours a day, seven days a week, with specialist advisers for businesses, charities and other organisations, and there is a direct option for an in-progress cyber incident. (The service that most people still know as Action Fraud relaunched as Report Fraud over the winter of 2025, but the number is unchanged.) If you are reporting after the event rather than during it, you can use the online service at reportfraud.police.uk. In Scotland, report to Police Scotland on 101. Reporting gives you a crime reference number, which your insurer and bank will usually want.
The ICO (if personal data is involved)
Under UK GDPR and the Data Protection Act 2018, if the breach involves personal data and is likely to pose a risk to people - identity theft, fraud, real distress - you must report it to the Information Commissioner's Office within 72 hours of becoming aware of it. The clock starts when you become aware, not when you finish investigating, and you can report what you know now and fill in the gaps later. Where the risk to people is high, you also have to tell the affected individuals directly. Keep a written record of every breach and your reasoning, even the ones you decide do not meet the bar to report - the ICO can ask for that too.
NCSC (national guidance and serious incidents)
The National Cyber Security Centre is the UK's technical authority on this. It does not run a day-to-day helpline for small firms, but its website has clear, trustworthy advice, and significant incidents can be reported at ncsc.gov.uk/report. Its small-business and ransomware guidance is some of the best free material going, and it is genuinely written for people who are not specialists.
Tell everyone else who could be affected
Once the immediate fire is out, work outwards from whoever could lose money or data because of this.
Your bank. If money has moved, or card or banking details were exposed, ring them at once - acting fast gives the best chance of recalling a fraudulent payment.
Your cyber insurer. Notify them early. Many policies come with an incident response team you can call, and many require you to tell them before you start putting things right.
Customers and suppliers. If their data was exposed, or attackers are emailing them from your hacked account, a quick and honest heads-up protects both the relationship and their security. Tell them what happened, what it means for them, and what to watch for - an email announcing a change of bank details being the classic one to ignore.
Your staff. Make sure the team knows the account is compromised, so nobody acts on a fraudulent instruction sent in your name.
Getting back up and running
Recovery should only start once you, or your IT provider, are confident you understand the attack and the intruder is genuinely out. Broadly, it goes like this:
Restore from a known-clean backup taken before the compromise. This is where an offline or immutable backup pays for itself - ransomware deliberately hunts down and encrypts any backup connected to the network.
Reset every credential that could have been exposed, not just the obvious ones. Treat any password saved on a compromised machine as already gone.
Re-establish multi-factor authentication. If MFA was bypassed, or the attacker registered their own device, strip out their access and re-enrol everyone from scratch.
Patch and close the way in before you reconnect anything, whether that was a vulnerable system, a reused password or a phishing email someone clicked.
The best time to prepare was last month
Nearly everything that makes an incident shorter and cheaper is decided beforehand. Two things matter most. The first is tested, offline backups - a backup you have never restored is a hope rather than a plan, and one left permanently connected to your network can be encrypted along with everything else. The second is a simple written incident response plan: a single page with the right phone numbers, who makes which decisions, and the first steps above, so nobody is googling "my business has been hacked" at 2am with the clock already running.
We help businesses across Berkshire and the Thames Valley get this right before anything goes wrong - sound backups, sensible defences and a plan you can actually follow - and we are on the end of the phone if the worst does happen. If you would like us to look over your current setup, or you are dealing with an incident right now, get in touch with the team.