How to tell your customers you’ve been hacked

by jcp

The short-term costs of a cyber attack are significant. Investigating and containing a breach, rebuilding IT systems and implementing new security controls, as well as the loss of productivity, can all cause severe financial strain.

However, the long-term costs of a breach are often even more damaging. Organizations that do not handle an attack well can suffer a number of further consequences, including reputational damage, a loss of customer loyalty and a drop in share price.

Keeping customers on the organization’s side during cyber incidents is a key component to managing the long-term impact of a sensitive data breach.

Anthony Green, CTO of cyber security firm FoxTech, discusses how to communicate with customers after a cyber attack has occurred.

Determine whether it is necessary to inform customers

“It may not always be necessary to inform customers of a breach. The Information Commissioner’s Office (ICO) – the UK’s authoritative body for data privacy – states that it is only necessary to inform customers of a data breach if the compromised information makes them identifiable.

“That means the first step needs to be investigation. As soon as a business becomes aware of an attack, alongside working to end the incident if it is ongoing, it is vital to immediately begin an investigation of what data has been accessed, encrypted or stolen, and develop an incident report. This investigation must be carried out quickly, yet thoroughly by either an in-house cyber security expert, or a third-party cyber security company.”

If the personal information of customers and clients has been compromised to the extent that they are identifiable, this must be reported to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. This is a legal obligation under UK GDPR, and failing to do so can lead to a fine of up to £8.7 million or 2% of your global turnover.

Personal information can include:

  • Name
  • Bank account details
  • Location data
  • Identification numbers, e.g. passport or driving licence

For full information about what constitutes identifiable personal information, read the ICO’s guidance on personal data breaches.

Be honest

“Customers will rightly have concerns about their data being exposed,” says Anthony. “They may need to take actions to protect themselves against fraudulent use of their information, so being transparent, taking responsibility, and providing regular, honest communication on the facts of the breach is the best way to keep their trust in your business. Most customers won’t be knowledgeable in cyber security, so always use plain English.”

Make sure customers know:

  • What aspects of their data have been compromised
  • What to do next, e.g. check bank accounts for suspicious payments, change passwords, be alert to phishing emails appearing to be from the breached organisation

If the investigation is ongoing, and not all the information is known, be honest about that. Always update customers of new discoveries relevant to their personal information.

Set up new customer support channels

To deal with high volumes of calls and customer enquiries, organisations may need to set up new customer support channels and information hubs.

Anthony discusses:

“When Delta Airlines informed customers of a breach of their personal data in 2018, the company created a new webpage with an overview and timeline of the breach, as well as an FAQ section which pointed customers to communication channels. Delta Airlines’ case is seen in the security industry as a great example of how to respond well to a data breach.”

Ensure that customers know where they can go for support. Provide the contact details of your data protection officer, or whoever in the organization is dealing with the effects of the breach.

Provide compensation

Organizations that experience good customer retention after a data breach often provide affected individuals with some form of compensation.

This could be in the form of covering any costs of securing personal information, or providing discounts, free services, or special offers to affected customers.

Create an open dialogue

Don’t be shy about discussing a breach once the immediate aftermath has been dealt with, says Anthony:

“Involve industry experts, clients and even the public to discuss the breach, and demonstrate what you are doing to prevent a similar occurrence in the future. Not only does this signify your willingness to adapt and take responsibility, but it also reassures affected individuals and helps to educate other companies on why security incidents occur, and how they could minimise their own risk.

“Whether or not an organization has been the victim of a cyber attack, all companies should develop an Incident Response Plan to ensure they are prepared to respond well to a breach. See the National Cyber Security Centre guidance for creating this document. If there is no in-house cyber security expert, the report should name a third-party cyber security partner who can manage the technical aspect of a breach.”
