When customers share their personal information with you, they’re placing their trust in your business. A data breach isn’t just a technical problem—it’s a breach of that trust. And while it can feel overwhelming to navigate, how you respond makes all the difference.
In this post, we’ll guide you through when and how to tell your customers about a data breach, who should deliver the message, and how clear, honest communication can help protect your reputation and rebuild trust, using real examples from right here in Australia.
In the wake of a cyberattack, poor communication can quickly become its own crisis. Beyond the technical clean-up, businesses that delay or mishandle their messaging risk legal penalties, a hit to their reputation, and long-term damage to customer loyalty. That’s why a well-developed cyber incident response plan is essential.
Take Optus, for example. In 2022, a major data breach exposed the personal information of nearly 10 million Australians. While the company did disclose the incident fairly quickly, the early communication left many confused, and key details were unclear—prompting criticism from customers, regulators, and the media.
On the other hand, the Australian Red Cross handled its 2016 data breach with swift transparency. After an accidental leak of over 1 million blood donor records, the organisation quickly informed the public, took responsibility, and collaborated with the Office of the Australian Information Commissioner (OAIC). The response was widely praised and helped preserve trust, and it aligned with the best practices of a solid incident response plan: proactive, clear, and honest.
The takeaway? It’s not just the breach that hurts—it’s how you communicate afterward.
Under Australia’s Notifiable Data Breaches (NDB) scheme, businesses and organisations covered by the Privacy Act 1988 must notify both affected individuals and the OAIC when a data breach is likely to result in serious harm.
This includes situations where sensitive personal data, like Medicare numbers, bank details, or identity documents, may have been exposed. Notification should happen as soon as practicable after you become aware of the breach. Your incident response plan should clearly outline this process to ensure nothing is missed under pressure.
Even if you’re unsure, it’s wise to seek guidance from a privacy lawyer or partner with a communications team experienced in breach response, like Bare Media.
Once you’ve confirmed a breach and determined that customers must be notified, you’ll need to communicate through two main channels:
A public statement—via a press release, your website, or the media—helps set the record straight and shows that you’re taking responsibility.
When Latitude Financial was impacted by a cyberattack in 2023, they issued multiple updates and worked with the OAIC and law enforcement. While there were some delays, their eventual transparency helped clarify the scale of the breach.
Email is typically the fastest and most effective way to notify affected customers. Your message should be clear, calm, and supportive—outlining what happened, what information was involved, and what steps individuals should take (like changing passwords or watching for suspicious activity).
For more serious breaches, consider offering identity protection services or customer support hotlines. Even for smaller incidents, taking the time to contact affected individuals shows transparency and care.
Your spokesperson matters. The message should come from someone senior and trustworthy—ideally, your CEO, privacy officer, or head of communications.
In Australia, companies like Medibank and Woolworths have used their senior leaders to address the public directly in times of crisis. That human connection helps reassure customers that your organisation is taking the issue seriously.
Just as important: make sure all your frontline teams—from support staff to social media managers—know what’s happening and how to respond to customer queries. Mixed messages can do more harm than good.
Your communication should answer four key questions—without technical jargon or legal spin:
You don’t need to have every answer on day one, but be honest about what you know and commit to sharing updates.
Data breaches are a reality of doing business in the digital world. But how you respond defines your brand.
Having a clear plan for breach communication isn’t just good practice—it’s a requirement under Australian law, and it shows your customers that you take their privacy seriously.
At Bare Media, we help Australian businesses manage crisis communication, from breach planning to media management. If you need a partner to help you navigate a data incident, we’re here to support you—ethically, clearly, and calmly.