Re: And here come the fines ...
@Andy The Hat: It's probably a poorly-chosen paraphrasing by the person in the article (we know how politicians like to condense things down into soundbites). The ICO themselves say 72 hours from discovery: "there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it."
https://iconewsblog.org.uk/2017/09/05/gdpr-setting-the-record-straight-on-data-breach-reporting/