Do You Need to Report a Hacked Website to the ICO?
A hacked website is not automatically an ICO-reportable breach. But if personal data may have been exposed, UK businesses may have reporting obligations within 72 hours of becoming aware.
- A website hack is not automatically an ICO-reportable event, but any likely personal data exposure changes the picture quickly.
- The 72-hour reporting window starts when the organisation becomes aware with reasonable certainty that a personal data breach occurred.
- Fast technical investigation matters because breach decisions depend on what systems, data, and user records were actually exposed.
- WordPress businesses should prepare incident logging, evidence preservation, and escalation workflows before an incident happens.
The short answer
Not every hacked website must be reported to the ICO. But every hacked website should be assessed quickly to determine whether a personal data breach has occurred. If personal data may have been exposed, altered, stolen, or made unavailable in a way that creates a risk to individuals, the ICO expects notification without undue delay and, where feasible, within 72 hours of awareness.
This is where many UK businesses get stuck. They know the website is compromised, but they do not yet know whether customer, lead, staff, or account data was accessed. The technical investigation is what supports the reporting decision.
What the ICO actually cares about
The ICO’s threshold is not “your website was hacked.” The threshold is whether the incident created a risk to the rights and freedoms of individuals because personal data was affected. That means the practical questions become:
- Did the attacker access or export personal data from the site, CRM, or connected services?
- Did contact forms, customer records, or user account data become accessible?
- Did malware alter the integrity or availability of personal data?
- Can you confidently rule out data exposure, or are there gaps in visibility?
If your WordPress site stores enquiry forms, WooCommerce customer records, user accounts, or marketing data, a hack is not just a website issue. It can become a data-protection incident very quickly.
Examples that often trigger deeper review
- Attackers create new admin accounts and browse customer or lead data.
- Form plugins store submissions in the WordPress database and the site is compromised.
- WooCommerce or membership data may have been accessed.
- Attackers install backdoors and maintain access for an unknown period.
- Hosting, email, or control-panel credentials are compromised alongside the site.
In all of these cases, you should assume the need for a structured incident review rather than a simple cosmetic cleanup.
What the 72-hour rule really means
The ICO states that organisations must report a notifiable personal data breach without undue delay and, where feasible, within 72 hours of becoming aware. That does not mean you need every fact in hand before you act. It means you need enough certainty to recognise that a personal data breach has likely occurred, then escalate quickly.
For WordPress businesses, that makes incident triage and forensic review much more than a technical exercise. Without logs, access review, file integrity review, and evidence preservation, you may not be able to tell what happened in time to make a good reporting decision.
Why cheap cleanup creates regulatory risk
A cheap malware cleanup often focuses on visible symptoms: malicious files removed, homepage restored, maybe a plugin scan run. That does not answer the questions that matter for a breach assessment:
- How did the attacker get in?
- How long were they inside?
- What data or admin surfaces could they access?
- Were form records, customer records, or integrations exposed?
If you cannot answer those questions, you may have a reporting problem as well as a security problem. This is why post-hack forensic review matters for UK businesses that process personal data.
What to do in the first 24 hours
- Contain the incident carefully. Preserve evidence before making destructive changes where possible.
- Identify what systems touch personal data. Forms, WooCommerce, CRMs, email tools, and user accounts all matter.
- Review logs and access. Look for suspicious users, plugin abuse, hosting access, cron activity, and outbound data indicators.
- Escalate internally. Bring in whoever owns legal, compliance, customer communication, and technical response.
- Document what you know. Even partial clarity is better than guessing later under pressure.
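The five steps above are easier to carry out when the checks are scripted in advance. The following is an added example, not WebAdish's own tooling or any WordPress core feature: it hashes a preserved copy of the site tree before cleanup, flags PHP files in the uploads directory, compares administrator accounts against a known baseline, scans access-log lines for admin-creation and bulk-export indicators, and computes the 72-hour window from the awareness time. The site tree, user export, and log lines are all constructed for the demonstration; the indicator rules are assumptions a responder would tune to their own site.

```python
"""Triage helper for the first 24 hours after a WordPress compromise.

Added example, not WebAdish tooling. It assumes you have (a) a read-only copy of
the site filesystem, (b) an export of wp_users with each user's role, and
(c) the web server access log. Every input below is constructed for the demo.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone


# 1. Evidence preservation: hash every file before any cleanup touches the tree.
def build_manifest(root):
    """Return {relative_path: sha256} for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest


# 2. File indicators: WordPress does not write PHP into uploads, so any .php
#    there needs an explanation before the site is declared clean.
def suspicious_files(manifest):
    return sorted(p for p in manifest
                  if p.startswith("wp-content/uploads/") and p.endswith(".php"))


# 3. Access review: administrator accounts that are not on the known baseline.
def unexpected_admins(users, baseline_admins):
    return [u["user_login"] for u in users
            if u["role"] == "administrator" and u["user_login"] not in baseline_admins]


# 4. Log review over Apache/Nginx combined-format lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
INDICATORS = {
    # POST to the new-user screen: confirm against wp_users whether an account appeared.
    "admin_user_created": lambda m: m["method"] == "POST" and m["path"].startswith("/wp-admin/user-new.php"),
    # A PHP file under uploads being requested directly.
    "uploads_php_executed": lambda m: "/wp-content/uploads/" in m["path"] and ".php" in m["path"],
    # A large response from an export endpoint is a possible bulk data pull (threshold is an assumption).
    "large_export": lambda m: "export" in m["path"] and m["bytes"] != "-" and int(m["bytes"]) > 1_000_000,
}


def review_log(lines):
    """Return (timestamp, ip, indicator, path) for each matching line, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits.extend((m["ts"], m["ip"], name, m["path"])
                    for name, check in INDICATORS.items() if check(m))
    return hits


# 5. The ICO window counts from awareness, not from first attacker access.
def reporting_deadline(aware_at):
    return aware_at + timedelta(hours=72)


# Constructed sample inputs (not from any real incident).
SAMPLE_USERS = [
    {"user_login": "admin", "role": "administrator"},
    {"user_login": "jane", "role": "editor"},
    {"user_login": "wp_support", "role": "administrator"},  # not on the baseline
]
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Mar/2024:02:11:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.10 - - [14/Mar/2024:02:12:40 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0',
    '203.0.113.10 - - [14/Mar/2024:02:15:02 +0000] "GET /wp-content/uploads/2024/03/wp-cache.php HTTP/1.1" 200 512',
    '203.0.113.10 - - [14/Mar/2024:02:20:19 +0000] "GET /wp-admin/export.php?download=true HTTP/1.1" 200 4823119',
    '198.51.100.7 - - [14/Mar/2024:09:00:01 +0000] "GET /contact/ HTTP/1.1" 200 18233',
]


def run_demo():
    """Build a small constructed site tree and run every check over it."""
    sample_tree = {
        "wp-config.php": b"<?php /* constructed placeholder */",
        "wp-content/uploads/2024/03/photo.jpg": b"constructed image bytes",
        "wp-content/uploads/2024/03/wp-cache.php": b"<?php /* constructed: stands in for a dropped file */",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample_tree.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        manifest = build_manifest(root)
    aware_at = datetime(2024, 3, 14, 9, 30, tzinfo=timezone.utc)
    return {
        "manifest_entries": len(manifest),
        "suspicious_files": suspicious_files(manifest),
        "unexpected_admins": unexpected_admins(SAMPLE_USERS, {"admin"}),
        "log_hits": review_log(SAMPLE_LOG),
        "report_deadline": reporting_deadline(aware_at).isoformat(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two points for anyone adapting this: the hash manifest is only worth something if it is taken before cleanup and stored off the compromised host, and a clean run of these checks does not rule out exposure. The wp_users table, scheduled events stored in the wp_options cron entry, plugin-stored form submissions, and hosting and control-panel logs still need a separate review, and any gap in log coverage should be recorded as a gap in the incident notes rather than read as "nothing happened".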
How WebAdish helps
WebAdish is not a law firm, and we do not replace your legal decision-maker. What we do provide is the technical side of the response: investigation, evidence-aware recovery, root-cause review, access cleanup, and a clearer picture of whether data exposure is plausible. That makes it easier for your internal team or advisor to make the right reporting decision quickly.
If your site is already compromised, start with our hacked website recovery UK service. If you want to reduce risk before an incident happens, a security retainer gives you faster detection, cleaner logs, and a better response posture.
Frequently Asked Questions
Does every hacked website need to be reported to the ICO?
No. A hack does not automatically mean a report is required. The key question is whether a personal data breach has occurred and whether it is likely to result in a risk to individuals’ rights and freedoms. If so, the ICO expects notification without undue delay and, where feasible, within 72 hours.
What counts as a personal data breach on a WordPress site?
A personal data breach can include unauthorised access to customer or lead data, exposure of form submissions, leaked account data, malware that gives access to stored personal information, or attacker access to systems containing personal data. A simple defacement with no data exposure may not be notifiable, but it still requires investigation.
When does the 72-hour timer start?
The clock starts when you become aware of the breach with a reasonable degree of certainty, not when the attacker first gained access. This is why fast detection, logging, and incident review matter so much.
Can WebAdish decide whether we must report to the ICO?
WebAdish helps with the technical investigation, evidence preservation, breach-readiness, and incident summary. Final legal and regulatory reporting decisions should involve your internal leadership, legal advisor, or data protection lead.