How to Communicate a Data Breach to Customers in English

Learn the English phrases for disclosing a data breach to affected customers, explaining what happened, and outlining remediation steps without minimizing or overstating the risk.

Data breach disclosures sit at the intersection of legal obligation, technical accuracy, and human trust — and the wrong tone in either direction causes real harm, whether that’s minimizing a serious risk or triggering unnecessary panic over a contained one. The goal is precise, factual language that respects the reader’s right to understand what happened and what to do next. This guide gives you the English to disclose a data breach clearly and responsibly.


Opening the Disclosure

State that a breach occurred as early and plainly as possible — don’t bury the disclosure under reassurance.

  • “We’re writing to inform you of a security incident that affected some of your account data. We take this extremely seriously and want to explain clearly what happened.”
  • “On [date], we identified unauthorized access to [system]. We want to be transparent with you about what we know and what we’re doing about it.”
  • “This email contains important information about your account security — please take a few minutes to read it in full.”

Explaining What Happened

Describe the incident factually, using precise, verifiable language rather than vague reassurance.

  • “Between [date] and [date], an unauthorized party gained access to a database containing [specific data types affected].”
  • “Based on our investigation so far, the exposed information includes [list], but does not include [reassuring specifics, e.g. full payment card numbers or passwords].”
  • “We identified this issue through [detection method] and immediately began an investigation with [internal security team / external forensics firm].”

Explaining What You’ve Done

Detail concrete remediation steps already taken, not just intentions.

  • “We immediately revoked access for the compromised credentials and rotated all affected system keys.”
  • “We’ve engaged an independent security firm to conduct a full forensic investigation, and we’ve notified the relevant regulatory authorities as required.”
  • “As an additional precaution, we’ve reset passwords for all potentially affected accounts, even where we have no direct evidence a specific account was accessed.”

Telling Customers What to Do

Give specific, actionable steps rather than a generic “stay vigilant” instruction.

  • “We recommend changing your password immediately, especially if you reuse it on other services.”
  • “We’re offering [X months] of complimentary credit monitoring through [provider] — you can enroll using the link below.”
  • “Please be alert to phishing attempts referencing this incident — we will never ask for your password or full payment details by email.”

Handling Follow-Up Questions

Provide a clear channel for concerned customers and avoid speculative answers about scope until confirmed.

  • “If you have questions about how this may affect your specific account, please contact [support channel], and reference incident number [ID].”
  • “We don’t yet have complete confirmation on [specific open question], and we’d rather share an accurate update later than guess now — we’ll follow up as soon as we know more.”
  • “We understand this is concerning, and we’re committed to sharing further updates as the investigation progresses.”

Vocabulary Reference

Term                       Meaning
Unauthorized access        Access to a system or data by someone without permission
Forensic investigation     A technical investigation to determine the scope, cause, and timeline of a security incident
Credential rotation        Changing passwords, API keys, or tokens to invalidate potentially compromised ones
Scope of impact            The specific set of data or accounts confirmed to be affected
Regulatory notification    Formal disclosure to government bodies required by law (e.g. GDPR, state breach laws)

Key Takeaways

  • Disclose that a breach occurred clearly and early — don’t bury it under reassuring language.
  • Describe what happened using precise, verifiable facts rather than vague minimization.
  • Detail concrete remediation steps already completed, not just stated intentions.
  • Give specific, actionable next steps for customers rather than generic vigilance advice.
  • Provide a clear follow-up channel, and avoid guessing on open questions before they’re confirmed.