How to tell your customers you’ve been hacked

The short-term costs of a cyber attack are significant. Investigating and containing a breach, rebuilding IT systems and implementing new security controls, as well as the loss of productivity, can all cause severe financial strain.

However, the long-term costs of a breach are often even more damaging. Organisations that do not handle an attack well can suffer a number of further consequences, including reputational damage, a loss of customer loyalty and a drop in share price.

Keeping customers on the organisation’s side during a cyber incident is a key component of managing the long-term impact of a sensitive data breach.

Anthony Green, CTO of cyber security firm FoxTech, discusses how to communicate with customers after a cyber attack has occurred.

Determine whether it is necessary to inform customers

“It may not always be necessary to inform customers of a breach. The Information Commissioner’s Office (ICO) – the UK’s authoritative body for data privacy – states that it is only necessary to inform customers of a data breach if the compromised information makes them identifiable.

“That means the first step needs to be investigation. As soon as a business becomes aware of an attack, alongside working to end the incident if it is ongoing, it is vital to immediately begin an investigation of what data has been accessed, encrypted or stolen, and to develop an incident report. This investigation must be carried out quickly yet thoroughly, by either an in-house cyber security expert or a third-party cyber security company.”

If the personal information of customers and clients has been compromised to the extent that they are identifiable, this must be reported to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. This is a legal obligation under UK GDPR, and failing to do so can lead to a fine of up to £8.7 million or 2% of your global turnover.

Personal information can include:

Name
Bank account details
Location data
Identification numbers, e.g. passport or driving licence

For full information about what constitutes identifiable personal information, read the ICO’s guidance on personal data breaches.

Be honest

“Customers will rightly have concerns about their data being exposed,” says Anthony. “They may need to take actions to protect themselves against fraudulent use of their information, so being transparent, taking responsibility, and providing regular, honest communication on the facts of the breach is the best way to keep their trust in your business. Most customers won’t be knowledgeable in cyber security, so always use plain English.”

Make sure customers know:

What aspects of their data have been compromised
What to do next, e.g. check bank accounts for suspicious payments, change passwords, be alert to phishing emails appearing to be from the breached organisation

If the investigation is ongoing and not all the information is known, be honest about that. Always update customers on new discoveries relevant to their personal information.

Set up new customer support channels

To deal with high volumes of calls and customer enquiries, organisations may need to set up new customer support channels and information hubs.

Anthony discusses:

“When Delta Airlines informed customers of a breach of their personal data in 2018, the company created a new webpage with an overview and timeline of the breach, as well as an FAQs section which pointed customers to communication channels. Delta Airlines’ case is seen in the security industry as a great example of how to respond well to a data breach.”

Ensure that customers know where they can go for support. Provide the contact details of your data protection officer, or whoever in the organisation is dealing with the effects of the breach.

Provide compensation

Organisations that experience good customer retention after a data breach often provide affected individuals with some form of compensation.

This could be in the form of covering any costs of securing personal information, or providing discounts, free services, or special offers to affected customers.

Create an open dialogue

Don’t be shy to discuss a breach once the immediate aftermath has been dealt with, says Anthony:

“Involve industry experts, clients and even the public to discuss the breach, and demonstrate what you are doing to prevent a similar occurrence in the future. Not only does this signify your willingness to adapt and take responsibility, but it also reassures affected individuals and helps to educate other companies on why security incidents occur, and how they could minimise their own risk.

“Whether or not an organisation has been the victim of a cyber attack, all companies should develop an Incident Response Plan to ensure they are prepared to respond well to a breach. See the National Cyber Security Centre guidance for creating this document. If there is no in-house cyber security expert, the report should name a third-party cyber security partner who can manage the technical aspect of a breach.”