Your Supplier Got Hacked! Now What? A Step-by-Step Guide for UK SMBs

Not Your Breach? Not So Fast.

So, your supplier just got breached. Maybe it was their IT provider, their logistics system, or that SaaS tool you both rely on. Either way, your first thought might be: "That’s their problem." But here’s the harsh truth — if data flowed between you, it just became your problem too.

This guide breaks down exactly what to do, when to do it, and how to protect your business before the fallout hits.

Step 1: Stop the Bleed

The moment you hear about the breach, don’t panic. But don’t be passive either. Start by figuring out exactly how you're connected. Ask yourself whether you’ve shared any systems or data with the supplier. Did they have access to your systems? Could they have stored your customer, employee, or financial data? If the answer is yes to any of that, treat this as a live incident until you can confidently prove otherwise.

Start a breach log. Record every action, every phone call, and every email. If this escalates, you’ll need that trail.

Step 2: Talk to the Right People

Before you tell the world or send a panicked email to all staff, gather the right people. Inform whoever leads your business — if that’s not you — and bring in your IT or security lead immediately. Make sure the person responsible for data protection is involved. You’ll need them if personal data is involved.

Then speak to the supplier. Ask them for the full picture. What happened? When did it happen? What data was involved? How did it happen, and what have they done since? If the answer is “we’re still investigating,” then treat the breach as unresolved. Assume the worst until proven otherwise.

Step 3: Secure Your Own Systems

Even if you weren’t the direct target, your environment might still be compromised. Act like you've been breached until you're sure you haven’t. Revoke remote access, disable shared credentials, and check system logs for any strange or unauthorised activity. Look closely at any endpoints or servers that were talking to the supplier’s systems.

If you’ve got a security dashboard or a SIEM tool, great. Use it. If not, roll up your sleeves and start with what you’ve got. It might be time-consuming, but it’s essential.
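As an added example that is not part of the original post, here is a small Python triage script for the log review in Step 3, run over constructed log lines. It flags any use of the accounts the supplier held, logins to those accounts from outside the supplier's known address range, and internal hosts that connected out to the supplier's systems. The account names, the 203.0.113.0/24 range, the log format and the dates are all assumed placeholders.

```python
import ipaddress
import re
from datetime import datetime

# Constructed placeholders: the accounts the supplier used in our environment and
# the supplier's address block (TEST-NET-3, a range reserved for documentation).
SUPPLIER_ACCOUNTS = {"svc_supplier_sync", "vendor_support"}
SUPPLIER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BREACH_KNOWN_FROM = datetime(2025, 4, 1)  # assumed earliest possible compromise date

# Assumed log shape: "<ISO time> <host> <event> user=<name> src=<ip> [dst=<ip>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+)(?: dst=(?P<dst>\S+))?$"
)

# Constructed sample log lines (not real data).
SAMPLE_LOGS = """\
2025-04-02T09:15:00 vpn-gw login user=alice src=198.51.100.7
2025-04-02T10:05:00 vpn-gw login user=svc_supplier_sync src=203.0.113.45
2025-04-03T02:40:00 vpn-gw login user=svc_supplier_sync src=192.0.2.200
2025-04-03T02:41:10 file-srv1 connect user=svc_supplier_sync src=10.0.5.12 dst=203.0.113.9
2025-04-03T11:00:00 erp-app login user=bob src=10.0.5.30
2025-03-20T08:00:00 vpn-gw login user=vendor_support src=203.0.113.45"""


def in_supplier_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUPPLIER_NETWORKS)


def triage(log_text):
    """Group the events worth looking at first, by why they matter."""
    findings = {"supplier_logins": [], "logins_from_unexpected_source": [],
                "hosts_talking_to_supplier": set(), "active_supplier_accounts": set()}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unknown line shape; keep it in the breach log but do not score it
        ev = m.groupdict()
        if datetime.fromisoformat(ev["ts"]) < BREACH_KNOWN_FROM:
            continue  # before the window of interest
        if ev["user"] in SUPPLIER_ACCOUNTS:
            findings["active_supplier_accounts"].add(ev["user"])
            if ev["event"] == "login":
                findings["supplier_logins"].append(line)
                if not in_supplier_range(ev["src"]):
                    findings["logins_from_unexpected_source"].append(line)
        if ev.get("dst") and in_supplier_range(ev["dst"]):
            findings["hosts_talking_to_supplier"].add(ev["host"])
    return findings
```

Every account in `active_supplier_accounts` is a credential to disable, and every host in `hosts_talking_to_supplier` is one to examine more closely.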

Step 4: Understand the Data Risk

Now put on your GDPR hat. You need to figure out if personal data was affected — names, addresses, payroll information, anything that falls under the banner of personally identifiable information. If that data passed through the supplier, or they processed it on your behalf, you're potentially on the hook.

If you’re the data controller, you’ve got 72 hours to inform the ICO from the point of discovering a risk. You might also have to inform the people affected. Even if you’re not sure yet, it’s safer to tell the ICO you’re investigating than to pretend nothing’s happening.

Step 5: Bring in an Independent Incident Manager

Don't let the supplier or your own IT provider dictate the story. Bring in an experienced, neutral third-party incident manager. Someone who isn't invested in protecting reputations. They'll validate the supplier’s claims, run technical checks on your side, and make sure everyone stays honest — including your internal teams.

They’ll also help with regulatory communication, legal obligations, and stakeholder management. And if you do have to answer tough questions, you’ll want someone experienced standing next to you.

Step 6: Notify Your Insurer

If you’ve got cyber insurance, now’s the time to read the fine print. Most policies have very specific rules about when and how you need to notify them. Miss a deadline or say the wrong thing, and they’ll use it as a reason to deny your claim.

Let them know what happened — but only share the facts. Don’t speculate, don’t admit liability, and don’t try to play it down. Just stick to what you know, and make sure you’ve documented everything.

Step 7: Keep Records of Everything

Yes, it’s a pain, but it’s also your lifeline. Document every system you check, every change you make, every email you send. This record will be invaluable if the ICO comes knocking, your insurer starts asking questions, or if this ends up in court.

Write it all down. Keep it organised. And back it up.

Step 8: Review How You Work With Suppliers

Once the fire is out, take a step back and assess your supply chain relationships. Did this supplier have the right cyber credentials? Cyber Essentials Plus? ISO 27001? Did you have a written agreement in place about what would happen if they got breached? Did they even tell you quickly enough?

If the answer to any of these is “no,” it’s time to raise the bar. From now on, insist on minimum cyber standards. Put them in contracts. Enforce them.

Step 9: Update Your Policies

Don’t waste a good crisis. Take what you’ve learned and use it to improve. Update your incident response playbook so the next breach — because there will be a next one — goes smoother. Add new questions to your supplier onboarding process. Fix the gaps before they come back to bite you.

Step 10: Communicate With Clarity

If customers or partners could be affected, be proactive. Don’t wait for rumours to spread. Tell them what happened, what you’ve done to fix it, and what happens next. Be honest. You don’t need to spill every technical detail, but you do need to sound like you're in control.

People will remember how you handled this more than the breach itself.

Final Thoughts: You Might Not Be the Target, But You're Still in the Blast Zone

We all rely on other businesses — for payroll, for software, for logistics. And that means our risk is tied to theirs. So when one of your suppliers gets breached, don’t assume you’re safe just because you weren’t the one hit. Move quickly. Take it seriously. Protect your own systems and your own data.

And next time you’re vetting a supplier? Ask what security certifications they hold. Ask how quickly they’ll tell you if something goes wrong. And if they can’t answer, maybe they shouldn’t be handling your data at all.

Sources

ICO – Personal Data Breaches (ico.org.uk/report-a-breach): guidance on what to do if a breach involves personal data.
NCSC – Supply Chain Security (ncsc.gov.uk/supply-chain-security): best practice for managing supplier cyber risk.
UK GDPR Guidance (gov.uk/data-protection): general guidance on data protection responsibilities.
Cyber Essentials Scheme (ncsc.gov.uk/cyberessentials/overview): baseline security standard for UK organisations and suppliers.
FCA – Outsourcing and Third-Party Risk (fca.org.uk/outsourcing): relevant if you're in a regulated industry like finance.
Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com