So its a "potential" breach because a port was left open. But they claim there wasn't an actual breach, but then mention "a breach" later and finally submitted a report to the ICO. But why? If there was never a breach then you don't need to report it. You don't need to report "potential" breaches otherwise everyone would be doing that.