What To Do If Your Irish Business Has Been Hacked
Stability Team | 5 May 2026 | 10 min read
A practical guide to what Irish businesses should do when they suspect a security breach. Covers the immediate steps, your legal obligations under GDPR, how to report to the DPC, and how to protect yourself before it happens.
## It Happened. Now What?
There is a moment, usually on a Tuesday morning or a Friday afternoon, when someone in the business realises something is not right. Files will not open. Email is behaving strangely. A message appears on screen demanding payment. Or a supplier calls to say they received an invoice with the wrong bank details.
This may come across as slightly paranoid, but that is part of the job. We have seen these things happen to real businesses, and when you have been on the other end of those phone calls enough times, you learn to take every warning sign seriously. Being cautious is not the same as being dramatic. It is being prepared.
That moment is when everything changes. What you do next, and how quickly you do it, will determine whether this becomes a manageable incident or a serious crisis.
This article is a practical guide to what Irish businesses should do when they suspect a security breach. It covers the immediate steps, the legal requirements under Irish law, and the longer-term actions that will help you recover and prevent it from happening again.
## Step 1: Contact Your IT Provider
If you have a managed IT provider, call them immediately. Do not email. Do not submit a ticket. Pick up the phone.
Your IT provider will have tools already deployed on your systems, both on your devices and in the cloud, that can help identify and contain the threat quickly. Endpoint Detection and Response (EDR) tools can isolate a compromised device in seconds. Identity Threat Detection and Response (ITDR) tools can detect if someone has gained access to your accounts and shut them down before further damage is done.
This is where the relationship with your IT partner matters most. A good provider will already have the visibility and access needed to act fast.
If you do not have an IT provider, you need to take immediate action yourself.
## Step 2: If You Do Not Have an IT Provider
Disconnect the affected devices from the internet. Do not turn them off, as this can destroy evidence that may be needed later, but remove them from the network by unplugging the ethernet cable or disabling Wi-Fi.
Then, as quickly as possible, take the following steps from a device you trust, ideally a personal phone or a device that was not connected to the same network:
- Reset passwords for all business email accounts, starting with any account you suspect has been compromised
- Ensure multi-factor authentication (MFA) is enabled and working on every account. If it was not already in place, set it up now
- If your email or cloud platform allows you to sign out all active sessions, do this immediately. In Microsoft 365, this can be done from the admin centre
- Change passwords for any cloud services your business uses, particularly those connected to financial information
Do not assume the problem is limited to one device or one account. If an attacker has access to your email, they may have been watching your communications for days or weeks before acting.
## Step 3: Assess What Has Happened
Once the immediate threat is contained, you need to understand the scope of the incident. This means establishing what systems were affected, what data may have been accessed or stolen, and how the attacker got in.
If you have an IT provider, they will lead this process using forensic tools and system logs. If you do not, you should consider engaging a specialist incident response company. Attempting to investigate a breach without the right expertise can inadvertently destroy evidence or miss the full extent of the compromise.
Common findings during this stage include email accounts that have been accessed by an external party, Outlook rules set up to hide or redirect emails from specific contacts, data that has been encrypted by ransomware, or evidence that an attacker has been present in the system for an extended period before taking action.
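One way to triage the hidden or redirecting Outlook rules described above is to run every mailbox's rules through a simple check; the sketch below is an added example, not a tool from the original article. It assumes the rules have been exported to a list of records whose field names mirror Exchange Online's `Get-InboxRule` output, plus a `Mailbox` field added by the export; the domains, addresses and sample rules are constructed.

```python
import re
from dataclasses import dataclass

# Assumption: replace with your organisation's own mail domains.
INTERNAL_DOMAINS = {"example.ie"}
# Folders users seldom open, so mail moved there goes unnoticed.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
# Words suggesting the rule is aimed at payment correspondence.
FINANCE_WORDS = {"invoice", "payment", "bank", "iban", "remittance"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
WORD_FIELDS = ("SubjectContainsWords", "BodyContainsWords",
               "SubjectOrBodyContainsWords")


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    severity: str   # "high" or "review"
    reasons: list


def _is_internal(domain, internal_domains):
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def external_recipients(rule, internal_domains):
    """Addresses outside the organisation that the rule forwards or redirects to."""
    found = set()
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for value in rule.get(key) or []:
            for match in EMAIL_RE.finditer(value):
                if not _is_internal(match.group(1), internal_domains):
                    found.add(match.group(0).lower())
    return sorted(found)


def triage_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return a Finding if the rule hides mail or sends it out, otherwise None."""
    reasons = []
    external = external_recipients(rule, internal_domains)
    if external:
        reasons.append("sends mail outside the organisation: " + ", ".join(external))
    folder = (rule.get("MoveToFolder") or "").strip().lower()
    if rule.get("DeleteMessage") or folder in HIDING_FOLDERS:
        reasons.append("deletes mail or moves it to a rarely read folder")
    if not reasons:
        return None  # ordinary filing rule, nothing to flag

    # Context that raises priority: specific senders or payment keywords.
    targeted = False
    if rule.get("From"):
        targeted = True
        reasons.append("applies only to senders: " + ", ".join(rule["From"]))
    words = [w.lower() for key in WORD_FIELDS for w in rule.get(key) or []]
    hits = sorted({f for f in FINANCE_WORDS for w in words if f in w})
    if hits:
        targeted = True
        reasons.append("matches payment keywords: " + ", ".join(hits))
    name = rule.get("Name") or ""
    if not re.search(r"[A-Za-z0-9]", name):
        reasons.append("rule name is blank or punctuation only")
    return Finding(rule.get("Mailbox", "?"), name,
                   "high" if targeted else "review", reasons)


def triage(rules, internal_domains=INTERNAL_DOMAINS):
    """Triage every exported rule and keep only those that need a human look."""
    findings = (triage_rule(r, internal_domains) for r in rules)
    return [f for f in findings if f is not None]


# Constructed sample export; none of these mailboxes or addresses are real.
SAMPLE_RULES = [
    {"Mailbox": "accounts@example.ie", "Name": ".", "MarkAsRead": True,
     "From": ["billing@supplier.example"], "MoveToFolder": "RSS Feeds"},
    {"Mailbox": "director@example.ie", "Name": "fwd",
     "SubjectOrBodyContainsWords": ["Invoice", "payment details"],
     "ForwardTo": ['"ext" [SMTP:drop@mailbox-relay.example]']},
    {"Mailbox": "office@example.ie", "Name": "Newsletters",
     "From": ["news@vendor.example"], "MoveToFolder": "Newsletters"},
    {"Mailbox": "office@example.ie", "Name": "Team copy",
     "ForwardTo": ['"Colleague" [SMTP:colleague@example.ie]']},
    {"Mailbox": "reception@example.ie", "Name": "cleanup", "DeleteMessage": True},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RULES):
        print(f"[{f.severity}] {f.mailbox} rule {f.rule_name!r}: " + "; ".join(f.reasons))
```

A flagged rule is a lead for whoever is running the investigation, not proof of compromise; record when it was created and by which session before anyone removes it.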
## What We See When We Take on New Customers
We regularly take on new customers and, as soon as we deploy our security tools, discover that the business has already been compromised. In some cases, the compromise is still active.
The most common findings are email accounts that have been accessed by someone outside the organisation, and Outlook rules that have been quietly set up to intercept and hide emails from specific suppliers or contacts. In one case, a customer came to us after a significant financial loss. Their email had been accessed and invoices had been altered to show different bank details. A large payment was made to a fraudulent account before anyone noticed.
In another case, a customer had suffered a ransomware attack that encrypted all of their data, including their backups. The backups were stored locally on USB hard drives connected to the same network. They never managed to recover all of their data. We were able to piece together what we could from other locations, remove the threat, put proper security controls in place, and get the business operational again within a few days. But the data loss was permanent.
These are not unusual situations. They happen to ordinary Irish businesses of every size.
## The Damage You Do Not See Immediately
Financial loss is the most obvious consequence of a breach, but it is not always the most damaging in the long term. Reputational damage can be far harder to recover from than any direct financial cost.
When clients learn that their personal data has been compromised, or that invoices were intercepted because your email was not secure, trust is damaged in a way that takes a long time to rebuild. Some clients will leave. Others will stay but view your business differently. Prospective clients who hear about the incident may choose a competitor instead.
For businesses in professional services, healthcare, legal, or financial sectors, where trust and confidentiality are central to the relationship, a breach can fundamentally change how the market sees you. The financial cost of the breach itself may be recoverable. The reputational cost often is not.
This is not said to cause alarm. It is said because it reinforces why preparation and speed of response matter so much. A business that responds quickly, communicates transparently, and demonstrates that it has taken the incident seriously will recover its reputation far faster than one that tries to minimise or conceal what happened.
## The HSE: A Reminder That Nobody Is Too Big or Too Small
In May 2021, the Health Service Executive suffered the most significant cyberattack in the history of the Irish state. A phishing email containing a malicious Excel file was sent to an HSE employee on 16 March 2021. The attackers, a Russian criminal group known as Wizard Spider, then spent eight weeks inside the HSE network before deploying Conti ransomware on 14 May.
The result was devastating. Eighty percent of the HSE's IT infrastructure was encrypted. Hospitals reverted to pen and paper. Cancer and stroke services were disrupted. Patient data for hundreds of thousands of individuals was compromised. It took four months to fully recover, and the estimated cost exceeded one hundred million euro. The HSE is now facing over four hundred data protection lawsuits.
The HSE attack is often discussed as though it only applies to large organisations with complex IT systems. But the attack started with a single phishing email opened by a single employee. The tools used by the attackers are the same tools used against businesses of every size across Ireland.
A common misconception among smaller businesses is that they are not worth targeting. The reality is the opposite. Attackers target smaller organisations precisely because they tend to have fewer protections in place. If they can extract a ransom payment, redirect a bank transfer, or use your systems as a stepping stone to a larger target, they will.
Size does not determine whether you are a target. Opportunity does.
## Your Legal Obligations Under Irish Law
Under the General Data Protection Regulation (GDPR), if your business experiences a personal data breach, you have specific legal obligations.
A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This covers a wide range of incidents, from a ransomware attack that encrypts customer records to an employee accidentally sending personal information to the wrong recipient.
If the breach presents a risk to the individuals whose data is affected, you are required to report it to the Data Protection Commission (DPC) within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to those individuals, you must also notify them directly without undue delay.
Even if you determine that the breach does not present a risk, you are still required to keep an internal record of the incident, including the details of the breach, how you assessed the risk, who made the decision, and the risk rating you assigned.
Our recommendation is to report to the DPC within the 72-hour window even if you do not yet have all the details. Having an open case with the DPC and keeping them updated as your investigation progresses demonstrates good faith and can work significantly in your favour if the matter escalates.
The DPC provides a practical guide to breach notification on their website at dataprotection.ie.
## The Cheat Sheet: What To Do If You Have Been Breached
**Step 1: Do not panic.** A clear head makes better decisions than a panicked one.
**Step 2: Call your IT provider.** If you have one, this is the single most important call you will make. They can begin containment immediately using tools already on your systems.
**Step 3: Disconnect affected devices from the network.** Do not turn them off. Unplug the cable or disable Wi-Fi.
**Step 4: Reset passwords and enforce MFA.** Start with the accounts most likely to be compromised. Sign out all active sessions where possible.
**Step 5: Assess the scope.** Work with your IT provider or an incident response specialist to understand what happened, what was accessed, and how the attacker got in.
**Step 6: Notify the DPC within 72 hours** if personal data has been affected and there is a risk to individuals. You can update the report as your investigation continues.
**Step 7: Notify affected individuals** if the breach is likely to result in a high risk to them.
**Step 8: Preserve evidence.** Do not wipe or rebuild systems until your IT provider or forensic team has completed their analysis.
**Step 9: Review and strengthen your defences.** Once the incident is resolved, conduct a thorough review of what failed and what needs to change.
**Step 10: Document everything.** Keep detailed records of the incident, your response, and the decisions made. This is both a legal requirement and good practice.
## How to Protect Yourself Before It Happens
The best time to prepare for a breach is before it happens.
Endpoint Detection and Response (EDR) tools monitor your devices for suspicious behaviour and can isolate a threat before it spreads. Identity Threat Detection and Response (ITDR) protects your user accounts and can detect when credentials have been compromised. Tools like ThreatLocker control what software is allowed to run on your systems, preventing unauthorised programs from executing. These tools work together to make it significantly harder for an attacker to gain a foothold and move through your environment.
There is no shortage of security tools on the market, and different IT companies favour different products for different reasons. We choose the tools that allow us to sleep at night. The ones that mean we do not have to worry about a bad actor causing problems for our customers, because although we know it is not impossible, we are going to make it as difficult as we can for them.
Backup is your last line of defence. If everything else fails, a good backup means you can recover. But the quality of your backup matters enormously. A backup on a USB drive plugged into the same network as your systems is not a backup. It is a target.
A proper backup strategy involves cloud-based backup with versioning, so you can roll back to a point before the attack. It should run at least once a day, ideally more frequently for critical data, and the retention period should be long enough that you can recover even if the breach went undetected for weeks. Where possible, backups should be stored in a way that an attacker who has access to your network cannot reach them.
We regularly test and evaluate the tools on the market to ensure we are using the best options available. Security is not something you set up once and forget. It requires ongoing attention, regular review, and a willingness to adapt as threats evolve.
## Cyber Insurance: Worth Having, But Not a Substitute
Cyber insurance is increasingly common among Irish businesses and, for many, it is a sensible investment. A good policy can cover the costs of incident response, forensic investigation, legal fees, regulatory fines, and even business interruption losses following a breach.
However, it is important to understand that insurers are not offering these policies blindly. Most cyber insurance providers now require businesses to demonstrate a baseline level of security before they will offer cover. This typically includes multi-factor authentication on all accounts, endpoint protection, regular backup with offsite or cloud storage, and evidence of staff security awareness training.
If your business does not meet these requirements, you may find it difficult to obtain cover, or the premiums may be prohibitively expensive. In some cases, a claim can be denied if the insurer determines that the business failed to maintain the security standards it agreed to when taking out the policy.
Cyber insurance works best as a complement to a strong security posture, not as a replacement for one. The businesses that benefit most from cyber insurance are the ones that are least likely to need it, because they have already invested in the protections that reduce the risk in the first place.
## Final Thought
A security breach is not the end of the world. Businesses recover from them every day. But the difference between a business that recovers well and one that does not usually comes down to preparation, speed of response, and having the right support in place.
If you are unsure about your current position, or if you would like to talk through what a proper incident response plan looks like for your business, we are happy to have a straightforward conversation. No sales pitch, just an honest assessment of where you stand and what, if anything, needs to change.
Tags: cybersecurity, data-breach, gdpr, incident-response, backup