When a security incident occurs, an organisation faces one of its most difficult communication challenges: how to tell customers that something has gone wrong.
This is a moment that is causing a great deal of concern. The company does not wish to fuel anxiety, does not want to reveal too many details before the situation is fully understood, and does not want to risk further questions or claims. At the same time, customers have a right to information and expect answers that will allow them to assess whether they are at risk and what they should do.
Between these two extremes – protecting the organisation and being accountable to customers – lies the space where one of the brand’s most important tests takes place.
A good message to customers following a security incident is not merely a matter of style. It is a strategic decision that has a direct impact on how much trust the company retains after the crisis.
Why is it so difficult to write a message to customers?
Communicating with customers after an incident is difficult for several reasons at once.
Firstly, the organisation is usually not yet aware of the full extent of the incident. The investigation is ongoing, there are more questions than answers, and the technical and legal teams are working under intense pressure.
Secondly, the message must be both:
- specific enough for the customer to know what’s going on,
- careful enough not to cause unnecessary panic,
- simple enough for everyone to understand,
- and responsible enough to build trust rather than destroy it.
Thirdly, any word can be quoted, displayed on screen and published in a context over which the company has no control.
This leads many organisations to make one of two mistakes: either they communicate too late, or they communicate too little. Both have serious reputational consequences.
Before we move on to what to say, it’s worth understanding the customer’s perspective.
A customer who learns of the incident asks themselves a few very specific questions:
- whether my data is at risk,
- what kind of data it is,
- what someone could do with it,
- what I should do now,
- what the company has done and is doing about it,
- whether I can still use its services,
- and whether it could happen again.
It is precisely these questions that a good statement should address – in full or to the greatest extent possible, taking into account the limitations on information available at that stage of the crisis.
Customers don’t expect perfect answers. They expect honesty, clarity and respect.
When to send a message to customers
The timing of communication is one of the most important decisions to be made following an incident.
Don’t wait until you have the full picture
This is one of the most common mistakes. Organisations delay their communication because they want to have all the facts. In the meantime, customers learn about the incident from the media, social media or other customers. The company loses control of the narrative and is portrayed in a negative light – as an organisation that is hiding something or has lost control of the situation.
Speak up early on, even if you don’t have all the answers
In your initial report, you do not need to know the full extent of the incident. You must confirm that:
- the company is aware of the situation,
- takes it seriously,
- is working on clarifying,
- and will be back with more updates.
That’s enough to get started. It’s better to say something than to remain silent.
Regulatory obligations set out the minimum requirements
With regard to personal data, the GDPR requires that the supervisory authority be notified within 72 hours of a breach being detected. If the breach poses a risk to the rights and freedoms of individuals, it is also necessary to inform the customers themselves. However, this is a legal minimum, not a communication standard.
From a reputational perspective, it is worth acting more swiftly and comprehensively than the law requires.
How to craft an effective message for customers
A good message to customers after a security incident should contain several key elements.
A clear explanation of what happened
The customer should be aware of the situation they are facing. They do not need to know the technical details, but they should understand the nature of the incident:
- whether there has been a data breach,
- whether systems were unavailable,
- whether unauthorised access to accounts may have occurred.
You should speak plainly, but without using technical jargon.
Information about who is affected by the incident
If the incident affects all customers, you need to say so. If it only affects a specific group, it’s worth making that clear. Customers who aren’t affected by the incident also deserve to be told that they’re safe.
A specific indication of what data may have been included
This is one of the most difficult parts of the message, but also one of the most important. The customer needs to know:
- whether it's contact details,
- financial data,
- login details,
- data relating to orders or activity,
- or other categories.
The more precise the information, the less room there is for speculation and anxiety.
What the company has done and is doing in response to the incident
Customers should know that the organisation is not sitting idle. It is worth mentioning:
- what steps were taken immediately after the discovery,
- what's happening right now,
- what will happen next.
This shows that the company is in control of the situation and is acting responsibly.
What should the customer do?
This is one of the most important elements, yet it is often overlooked or described in overly general terms. The customer needs specific guidance:
- whether they should change their password,
- whether they should monitor activity on their account,
- whether they should be cautious about any messages they receive,
- where they can contact us with questions or if they notice suspicious activity.
The more specific the advice, the better.
Where to find further information and support
The message should include contact details or a reference to where the customer can find up-to-date information:
- a dedicated FAQ page,
- customer service email address,
- phone number,
- or a chatbot/helpdesk.
Signature and tone of responsibility
The statement should be signed by a person or role that inspires confidence. Often, the best option is the CEO or the director responsible for security. This demonstrates that the matter is being treated with the utmost seriousness.
What not to say to customers after an incident
Just as important as the content of the message is knowing what to avoid.
Don’t say: “The security of your data is our priority”
This sentence sounds fine in everyday conversation. After the incident, it comes across as ironic. Customers pick up on this immediately and react negatively.
Don’t downplay the problem
Statements suggesting that the incident was ‘minor’, ‘limited’ or ‘likely to have no consequences’ – before you know for certain – could backfire on the company if subsequent findings reveal otherwise.
Don’t use the passive voice to avoid taking responsibility
Phrases such as ‘a breach has occurred’ or ‘data has been disclosed’ sound overly cautious. A better approach is: ‘we have learnt that data may have been compromised as a result of an attack’ – this is a responsible and specific way of putting it.
Avoid using technical jargon
Words such as ‘breach’, ‘exploit’, ‘zero-day vulnerability’ or ‘production environment’ mean nothing to the average customer. Speak their language.
Don’t promise things you can’t deliver
If you say that ‘a similar situation will not happen again’, you must be absolutely certain that you can guarantee it. A promise that is later proven false will destroy what little trust remains.
Don’t limit yourself to a statement that merely meets legal requirements
The legal minimum is a starting point, not the end goal. A statement drafted solely by a lawyer, with the sole aim of protecting the organisation, often sounds exactly like that – and clients can sense it.
What tone should the message have?
A good statement following an incident should be:
- direct – without beating about the bush or withholding information,
- simple – easy for everyone to understand, regardless of their level of technical knowledge,
- human – written with the reader in mind, rather than the company sending it,
- responsible – acknowledging that the situation is serious, without exaggerating,
- practical – focused on what the client can and should do.
Sample structure of a message to customers
Below is a sample message structure that can be adapted to a specific incident:
Subject: Important information regarding the security of your account
Introduction: We would like to inform you of an incident that may have affected your data. We believe you have the right to know about this as soon as possible.
What happened: On [date], we discovered that [description of the incident in plain language]. We immediately took steps to minimise the impact of the situation and determine its full extent.
What data might this concern: Based on our analysis to date, we believe that the incident may have involved the following information: [list of data – e.g. full name, email address, transaction history].
What we did: Immediately after the incident was detected [list of actions – e.g. we isolated the systems, notified the relevant authorities, launched an internal investigation].
What you can do: We recommend [specific steps – e.g. changing your password, being cautious with unfamiliar messages, checking your account activity].
Where to get help: If you have any questions, please contact us by email at [email address] or by phone on [phone number]. You can also find the latest information on our website at [link].
Closing: We apologise for the situation and thank you for your trust. We are committed to communicating transparently over the coming days.
[Signature – first name, surname, position]
How to handle subsequent communications following the initial statement
The initial statement following a security incident is not the end of the matter. Customers will be monitoring developments and expecting further updates.
It’s worth planning:
- an update following the completion of the analysis – with more detailed information on the scope of the incident,
- a statement on corrective measures – what exactly has been changed,
- a statement marking the end of the crisis – a summary of the situation and a plan for the future.
The same principles apply to every subsequent communication: simplicity, clarity, accountability, and respect for the customer’s time and feelings.
Summary: Good communication is a sign of respect, not just a duty
A communication to customers following a security incident is not just a formality. It is one of the most important moments in a brand’s relationship with its audience.
Companies that act honestly, decisively and with empathy at this stage stand a chance of emerging from the crisis with limited damage to their reputation. Companies that communicate too late, too little or in the wrong tone often make the problem worse than the incident itself.
A good response following an incident shows respect for customers and demonstrates that the organisation takes its relationship with them seriously – even when things have gone wrong.
Do you want to prepare your PR and marketing department to communicate with customers following a cyber incident?
Get in touch with the Knoxter team to find out how to develop a communications contingency plan that will protect your brand’s reputation in a crisis.