The scenario below is based on real patterns seen in UK small business breaches. Names and details have been changed, but the attack chain, costs, and consequences are representative of what happens to thousands of UK businesses every year.
The Company
TrustedBooks Ltd is a small accounting firm in Horsham, West Sussex. Seven staff, around 400 clients, turnover of roughly £650,000. Their website was built three years ago by a local web developer — a standard WordPress site with a contact form, service pages, and a client portal for uploading documents.
Like most small businesses, they did not have a dedicated IT person. The website ran on a shared hosting package. Nobody had checked its security since the day it launched.
The Breach
On a Tuesday morning in March, the practice manager received a call from a client. "I got a strange email from you this morning asking me to update my bank details for the payroll."
She had not sent any such email.
The attacker had found an exposed .env file on the TrustedBooks website — a configuration file that contained the database password, API keys for the email service, and credentials for the client portal. It had been accidentally left web-accessible by the original developer.
How the Attacker Got In
The breach followed a textbook pattern that security researchers see every day:
1. Automated scan. The attacker did not target TrustedBooks specifically. An automated bot scanned thousands of websites looking for common file paths — .env, config.php, backup.sql, /admin. The scan found the .env file on the TrustedBooks site within seconds.
2. Database access. The .env file contained plaintext database credentials. The attacker connected to the MySQL database and downloaded the entire client table — names, email addresses, company names, and partial financial details extracted from uploaded documents. This step only works when the database port is reachable from the internet rather than from the web server alone, but on many shared hosting packages it is.
3. Email impersonation. The .env file also contained SMTP credentials. The attacker used these to send phishing emails through the TrustedBooks mail service itself. Because the messages were genuinely sent by the firm's authorised mail server, they passed SPF and DKIM checks and would have passed DMARC as well: email authentication tells receivers which servers may send for a domain, not whether the person logged in to that server was entitled to.
4. Financial fraud attempt. The phishing emails asked clients to "verify their bank details" via a fake portal. Two clients entered their banking information before the firm realised what was happening.
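The self-check a practitioner would run after reading the attack chain above, added here as an example; it is not PulseShield's scanner and not code from the original article. It assumes curl is installed, the list of candidate paths is a constructed subset of what scanning bots request, and the looks_like_env heuristic and redact helper are editorial choices. Its one non-obvious point is the soft-404 check: many hosts answer 200 with a "page not found" page for any URL, so a scanner that only looks at status codes reports false findings.

```shell
#!/usr/bin/env bash
# Added example (not the article's or PulseShield's code): probe your own
# site for the web-accessible config files that automated scans look for.
# Only run it against sites you are authorised to test.
set -u

# Candidate paths: a constructed subset of what scanning bots request.
COMMON_PATHS=".env .env.bak .env.backup .env.local wp-config.php.bak config.php.bak backup.sql .git/config"

# looks_like_env STATUS BODY
# Returns 0 when a response looks like an exposed config file: HTTP 200,
# not an HTML page, and at least one KEY=VALUE line. The HTML test matters
# because many hosts answer 200 with a "page not found" page for any URL
# (a soft 404), which a status-only check would report as a finding.
looks_like_env() {
  local status="$1" body="$2"
  [ "$status" = "200" ] || return 1
  printf '%s\n' "$body" | grep -qi '<html' && return 1
  printf '%s\n' "$body" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*=' || return 1
  return 0
}

# redact: read KEY=VALUE lines on stdin and hide the values, so a finding
# can be pasted into a ticket without spreading the secret further.
redact() {
  sed -E 's/^([A-Za-z_][A-Za-z0-9_]*)=.*/\1=<redacted>/'
}

# probe_site BASE_URL
# Fetches each candidate path and prints any that look exposed. Returns 0
# when nothing was found and 1 when at least one path looks exposed.
probe_site() {
  local base="${1%/}" found=0 tmp path status body
  tmp=$(mktemp)
  for path in $COMMON_PATHS; do
    status=$(curl -s --max-time 10 -o "$tmp" -w '%{http_code}' "$base/$path") || continue
    body=$(cat "$tmp")
    if looks_like_env "$status" "$body"; then
      found=1
      echo "EXPOSED: $base/$path"
      printf '%s\n' "$body" | grep -E '^[A-Za-z_][A-Za-z0-9_]*=' | redact | head -n 5
    fi
  done
  rm -f "$tmp"
  [ "$found" -eq 0 ]
}

# Usage: ./probe.sh https://www.example.com
if [ -n "${1:-}" ]; then
  probe_site "$1"
fi
```

A non-zero exit from probe_site means at least one path looked exposed; the redacted key names tell you which secrets to rotate without the script itself echoing the values anywhere.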
The Cost
Emergency IT incident response               £2,400
Website rebuild and hardening                £1,800
Client notification letters (400 clients)      £620
Credit monitoring for affected clients       £1,600
Lost clients (12 left within 2 months)      ~£3,600
Staff time dealing with the breach            ~£980
Total                                      ~£11,000
And this was a best case scenario. The attacker's phishing attempt was caught early. If the bank detail changes had gone through, the losses would have been much higher — and TrustedBooks could have been liable.
What Went Wrong
We ran a security scan on the TrustedBooks website after the breach. Here is what we found:
- Exposed .env file — accessible to anyone who knew the URL. This is what gave the attacker everything they needed.
- No security headers — the site was missing Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, and X-Content-Type-Options; six of the eight headers the scan checks were absent. None of these played a part in this breach, but they limit what an attacker can do with a separate web vulnerability (clickjacking, content-type sniffing, downgrade to plain HTTP).
- Outdated WordPress core and plugins — three known vulnerabilities in plugins that had patches available but were never applied.
- Missing DMARC record — there was no DMARC policy on the domain, so receiving mail servers had no instruction to reject forged mail claiming to come from it. DMARC would not have stopped the phishing in this incident, because those emails went out through the firm's own authenticated mail server, but without it the firm had no protection against the simpler spoofing of its domain from elsewhere, and still had none after the breach.
- No cookie consent banner — a compliance issue unrelated to the breach, but one that can attract ICO enforcement on top of breach costs.
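The DMARC finding above, and the email authentication advice later on this page, both come down to two DNS TXT records that any scanner reads and grades. The check below is an added example written for this page; it is not PulseShield's code. It assumes dig is installed, and the verdict names and the rule that p=none does not count as protection are editorial choices.

```shell
#!/usr/bin/env bash
# Added example (not the article's or PulseShield's code): look up a
# domain's SPF and DMARC records and grade them the way a scanner would.
# Assumes `dig` is installed; the verdict names are an editorial choice.
set -u

# trim: strip surrounding whitespace from a record string.
trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# spf_verdict RECORD: grade an SPF TXT record (pass "" when none exists).
# Prints one of: missing, invalid, hardfail, softfail, permissive, no-all.
# Returns 0 only when the record ends in -all or ~all, i.e. it actually
# constrains who may send as the domain.
spf_verdict() {
  local rec
  rec=$(trim "$1")
  [ -n "$rec" ] || { echo missing; return 1; }
  case "$rec" in
    v=spf1*) ;;
    *) echo invalid; return 1 ;;
  esac
  case "$rec" in
    *-all)         echo hardfail;   return 0 ;;
    *~all)         echo softfail;   return 0 ;;
    *+all|*"?all") echo permissive; return 1 ;;  # anyone may send as you
    *)             echo no-all;     return 1 ;;  # no final qualifier, so no policy
  esac
}

# dmarc_verdict RECORD: grade a DMARC TXT record (pass "" when none exists).
# Prints one of: missing, invalid, monitor-only, quarantine, reject.
# Returns 0 only for quarantine or reject; p=none asks receivers to report
# forgeries but still deliver them, so it is not protection on its own.
dmarc_verdict() {
  local rec policy
  rec=$(trim "$1")
  [ -n "$rec" ] || { echo missing; return 1; }
  case "$rec" in
    v=DMARC1*) ;;
    *) echo invalid; return 1 ;;
  esac
  # Tags are ';'-separated with optional spaces; pull out the p= tag only
  # (not pct= or sp=, which also start with p).
  policy=$(printf '%s' "$rec" | tr -d ' ' | tr ';' '\n' | sed -n 's/^p=//p' | head -n 1)
  case "$policy" in
    reject)     echo reject;       return 0 ;;
    quarantine) echo quarantine;   return 0 ;;
    none)       echo monitor-only; return 1 ;;
    *)          echo invalid;      return 1 ;;
  esac
}

# lookup_txt NAME: TXT records for NAME with dig's quoting removed, one per
# line. Multi-string records are joined with a space, which is fine for
# reading the policy tags checked here.
lookup_txt() { dig +short TXT "$1" | tr -d '"'; }

# check_domain DOMAIN: print both verdicts. Needs network access.
check_domain() {
  local domain="$1" spf dmarc
  spf=$(lookup_txt "$domain" | grep '^v=spf1' | head -n 1) || true
  dmarc=$(lookup_txt "_dmarc.$domain" | grep -i '^v=DMARC1' | head -n 1) || true
  echo "SPF   ($domain): $(spf_verdict "$spf")"
  echo "DMARC ($domain): $(dmarc_verdict "$dmarc")"
}

# Usage: ./mailauth.sh example.com
if [ -n "${1:-}" ]; then
  check_domain "$1"
fi
```

The verdicts describe what receivers will do with forged mail from other servers. They say nothing about mail sent with your own SMTP credentials, which is why rotating those credentials is the first fix after a leak like this one, and a DNS record the second.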
How to Prevent This
Every one of these issues is detectable by an automated scan, which is exactly how the attacker found the first of them. The breach was entirely preventable. Here is what every small business should do:
- Run a security scan. Tools like PulseShield check for exposed files, missing headers, SSL issues, email security gaps, and open ports in minutes. Try the free scan — it takes 30 seconds.
- Hide sensitive files. Your .env file, config files, and database dumps should never be web-accessible. Ideally they live outside the web root; failing that, a single rule in your web server config blocks access to them. If such a file has ever been reachable, rotate every secret in it: blocking the URL does not revoke a password that has already been copied.
- Set up email authentication. SPF, DKIM, and DMARC records let receiving mail servers reject messages that claim to come from your domain but were not sent by your authorised servers. They do not stop someone who holds your SMTP credentials, as this case shows, so rotate those credentials too. Without a DMARC policy, receivers have no instruction to reject forged mail from your domain at all.
- Keep software updated. WordPress, plugins, and server software should be updated as soon as security patches are released. Most breaches exploit known vulnerabilities in outdated software.
- Add security headers. These tell browsers how to protect your visitors. They are free to add and take minutes to configure.
- Set up ongoing monitoring. A one-off scan is good. Continuous monitoring is better. New vulnerabilities appear daily — you need to know about them before attackers do.
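The "hide sensitive files" and "add security headers" steps above, for the setup in this story (WordPress on Apache shared hosting), written up as an added example rather than taken from the article or from PulseShield. It assumes .htaccess overrides, mod_rewrite and mod_headers are enabled, which is typical of shared packages; nginx users need the equivalent location and add_header directives. The REQUIRED_HEADERS list, the report-only CSP and the file extensions in FilesMatch are editorial choices.

```shell
#!/usr/bin/env bash
# Added example (not the article's or PulseShield's code): block web
# access to config files and add security headers on Apache shared
# hosting, then verify from outside. Assumes .htaccess overrides plus
# mod_rewrite and mod_headers are enabled, as they usually are on shared
# packages; nginx needs the equivalent `location` and `add_header` rules.
set -u

# htaccess_rules: print the .htaccess fragment. Apache 2.4 syntax.
# The RewriteRule forbids any path component starting with "." (.env,
# .git/, .htpasswd...) except .well-known/, which Let's Encrypt needs.
# FilesMatch catches dumps and editor leftovers that are not dotfiles.
htaccess_rules() {
  cat <<'EOF'
# --- deny web access to dotfiles, dumps and backups ---
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule "(^|/)\.(?!well-known/)" - [F]
</IfModule>
<FilesMatch "\.(bak|sql|sql\.gz|log|ini|orig|swp)$">
    Require all denied
</FilesMatch>
# --- browser security headers ---
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Report-only first: an enforced CSP breaks WordPress plugins that
    # inline scripts until the policy has been tuned to the site.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'"
</IfModule>
EOF
}

# Headers a scan like the one in the article expects (lower-case names).
REQUIRED_HEADERS="strict-transport-security x-content-type-options x-frame-options content-security-policy referrer-policy"

# missing_headers: read a raw HTTP response header block on stdin (e.g.
# from `curl -sI`) and print each required header that is absent.
# Content-Security-Policy-Report-Only counts as present. Returns 0 when
# nothing is missing, 1 otherwise.
missing_headers() {
  local hdrs name count
  hdrs=$(tr '[:upper:]' '[:lower:]')
  count=0
  for name in $REQUIRED_HEADERS; do
    if ! printf '%s\n' "$hdrs" | grep -Eq "^$name(-report-only)?:"; then
      echo "$name"
      count=$((count + 1))
    fi
  done
  [ "$count" -eq 0 ]
}

# Usage on the server, putting the rules above WordPress's own block so
# the [F] rule runs before WordPress's rewrite to index.php:
#   cd /home/<account>/public_html
#   { htaccess_rules; cat .htaccess; } > .htaccess.new && mv .htaccess.new .htaccess
# Then verify from outside (expect a 403 and an empty list):
#   curl -s -o /dev/null -w '%{http_code}\n' https://www.example.com/.env
#   curl -sI https://www.example.com/ | missing_headers
```

Keep the CSP in report-only mode until the browser console on a few real pages shows no violations, then switch the header name to Content-Security-Policy; the other four headers are safe to enforce immediately on a typical WordPress site.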
The Reality for UK Small Businesses
Small businesses are probed constantly; the bot that found the TrustedBooks .env file was not looking for them in particular. The UK government's Cyber Security Breaches Survey puts the average cost of a breach with a material outcome at around £4,200 for a UK small business, and the TrustedBooks bill came to more than double that. The often-repeated claim that 60% of small businesses that suffer a significant breach close within six months has no reliable source and is best left out of the calculation; the survey figures are alarming enough on their own.
TrustedBooks was lucky. They caught it early, acted quickly, and survived. Many do not.
The uncomfortable truth is that most UK small business websites have at least 5 hidden security issues. They are easy to fix — but you cannot fix what you do not know about.