Do I Need to Tell My Customers If We’ve Been Hacked?

When a data breach or cybersecurity incident occurs, panic is often the initial reaction — but it should not be the only one. As a business owner, you are legally and ethically required to act quickly and communicate clearly. It is more than just resolving the technical issue; it is about safeguarding your customers, your brand, and the future. So, what exactly should you do if your business has been hacked?

This is where having a clear cyber incident response plan becomes essential.

What Is a Data Breach and Why Should You Care?

Data breaches occur when sensitive, protected, or confidential information is accessed or disclosed without permission. This could include names, addresses, passwords, bank information, and even medical records.

A data breach is more than a technical issue for any business, large or small—it’s a customer data protection issue. If your customers' data is compromised, your reputation is instantly jeopardised. That is why clear communication and an effective incident response strategy are just as important as resolving the technical problem.

Are You Legally Required to Tell Customers?

Yes, in most cases.

In Australia, the Notifiable Data Breaches (NDB) scheme requires any organisation or agency covered by the Privacy Act 1988 to notify individuals if their personal information has been involved in a data breach likely to cause serious harm.

You must tell:

  • The affected individuals
  • The Office of the Australian Information Commissioner (OAIC)

Serious harm can include identity theft, financial loss, or harm to mental well-being. If you're not sure whether harm is likely, it's safest to assume it is—and act fast with your cyber incident response process.

What Happens If You Don’t Tell Anyone?

Delaying or avoiding data breach notification can backfire badly. Here are some real-world examples that show how businesses handled things right—and wrong:

  • Equifax (2017): Took weeks to notify the public. Outcome? $700+ million in fines and a long-lasting reputation hit.
  • Yahoo (2013–2014): Waited years to reveal breaches affecting 3 billion accounts. Result? Fines, lawsuits, and customer distrust.
  • Marriott (2018): Acted quickly, launched a website for updates, and offered identity protection. While the breach was serious, their transparency helped preserve trust.

Lesson: Silence can cost more than honesty—having a strong cybersecurity incident response plan in place can help mitigate that damage.

How Should You Notify Customers?

Good communication isn’t about dumping technical details. It’s about being clear, calm, and caring. Here's how to do it right during a data breach response:

  • Use Plain Language
    • Explain what happened, what data was affected, and what steps customers should take—without jargon.
  • Be Fast but Accurate
    • Don’t wait too long. As soon as you know enough to reasonably assess the risk, notify those affected through your incident response plan.
  • Offer Support
    • This could be free credit monitoring, an identity protection service, or a helpline for concerned customers.
  • Choose the Right Channels
    • Use trusted communication channels—email, SMS, direct mail—to reach people quickly and reliably. That’s where Bare Media steps in (more on that below).

What Should a Breach Notification Include?

Here’s a basic checklist to help you get it right:

  • A clear description of the data breach
  • What personal information was involved
  • The potential impact on individuals
  • What steps have been taken to address the issue
  • What individuals can do to protect themselves
  • How to get more information (contact details, support lines, etc.)

All of this should be outlined in your cyber incident response plan to ensure consistency and compliance.
How Can You Prepare Before a Breach Happens?

Prevention is ideal, but preparation is essential. You should:

  • Keep systems updated and patch vulnerabilities regularly
  • Train staff on cybersecurity best practices
  • Create a data breach response plan and a cyber incident response checklist
  • Keep templates ready for breach notification messages
  • Partner with experts like Bare Media to manage incident response communications smoothly

Why Choose Bare Media for Breach Communication?

Bare Media is where digital meets physical—seamlessly. From sending SMS alerts to mailing personalised letters and creating smart kiosk solutions, we help businesses communicate clearly during cybersecurity incidents. We specialise in high-quality, hybrid communication strategies that support your team during stressful cyber incidents.

Whether you're launching a data breach response or just planning ahead, we make sure your message gets where it needs to go—compliantly, quickly, and clearly.

  • Digital + Physical Delivery: Turn emails into letters, SMS, or even interactive kiosks
  • Compliance-First Thinking: Meet regulatory obligations without the stress
  • Workflow Simplicity: We handle the process so you can focus on your business
  • Trusted by Industry: As a hybrid solutions provider, Bare Media supports businesses like ATMOS in closing the loop from detection to notification

When a Breach Hits, Let the Right Message Lead

Cyber incidents can be chaotic — but your response doesn’t have to be. Customers respect honesty, clarity, and quick action. That’s what turns a crisis into a moment of trust.

If your business needs help getting the right message out after a data breach — or wants to prepare a strong cyber incident response strategy—talk to Bare Media today. We’ll help you communicate with confidence across every channel that counts.