How to Report Cybercrime in the UK
A clear, direct answer to this question — written for UK business owners and IT decision-makers.
Direct Answer
UK businesses should report cybercrime to Action Fraud (actionfraud.police.uk or 0300 123 2040). Data breaches involving personal data must also be reported to the ICO within 72 hours under UK GDPR. If the attack is ongoing or critical infrastructure is affected, contact the NCSC. Report promptly — delayed reporting can increase regulatory penalties and reduce insurance claim success.
Frequently Asked Questions
Under UK GDPR, you must report a personal data breach to the Information Commissioner's Office within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights. 43% of UK businesses experienced a breach or attack (DSIT 2025), yet many still lack a documented process for meeting this reporting deadline. Late or missing reports can result in regulatory fines on top of the breach costs.
Action Fraud will ask for details of the attack type, when it was discovered, what systems or data were affected, any financial losses, and what evidence you have preserved. Keep logs, screenshots, and emails related to the incident. 85% of businesses that experienced a breach identified phishing as the attack vector (DSIT 2025), so preserving the original phishing email — including full headers — is particularly important for the investigation.
The NCSC should be contacted for significant or ongoing attacks, particularly those involving ransomware, critical infrastructure, or large-scale data compromise. For most routine cybercrime, Action Fraud is the correct first point of contact. Approximately 19,000 UK businesses were hit by ransomware in 2025 (Sophos), and the NCSC can provide technical guidance and threat intelligence for these more serious incidents that Action Fraud cannot.