Data Breach? Take Control of the Story

The past few months have been eventful on the digital front. In August, KLM was hacked, followed by Bevolkingsonderzoek Nederland. In September, the airports of Berlin, Dublin, London Heathrow, and Brussels were targeted in a cyberattack, causing many flight cancellations.

In this article, I won’t focus on what organizations can do to prevent hacks and cyberattacks or mitigate their impact. That’s for the experts—fortunately, we have them in our Yuma group.

No, in this article, I want to focus on the often inadequate communication that follows hacks and attacks. Communication is unprepared. What stands out most is the lack of empathy. Below are three examples of how communication was handled.

Three Examples

KLM

At the beginning of August, KLM reported a data breach in a third-party system, exposing names and contact information of a total of six million (!) passengers. Although no credit card details or passwords were stolen, vigilance is still necessary because this information can make phishing emails more convincing and effective.

At first glance, it’s a neat email with the correct information. Yet, I simply miss an empathetic opening. I always tell my children to say sorry first if they hurt someone, even by accident. I also tell them to take responsibility themselves instead of immediately pointing fingers at others—as KLM does in the second paragraph, before clarifying what was or wasn’t stolen.

What’s also disappointing is that the reader is referred to the KLM Customer Contact Center at the end. That makes it feel distant. A more personal approach, with a promise of more information soon, would have been better.

Bevolkingsonderzoek Nederland

The data breach at Clinical Diagnostics NMDL, the supplier for Bevolkingsonderzoek Nederland, affected over 700,000 participants in the cervical cancer screening program. Highly sensitive data such as names, addresses, birthdates, social security numbers, gender, and GP names were stolen—enough for identity theft. Even the highly personal test results were compromised. They chose to inform all 941,000 participants since 2017 via a letter.

Like KLM, the letter is neatly written. The acknowledgment that they “find this terrible” and can imagine the “questions and uncertainty” it causes is good. Yet, again, there’s no apology. It’s also very quickly stated that everything is now safe. At the time of writing, this seems premature and certainly not fully credible for someone who has just learned that very personal information has been stolen.

Furthermore, the advice to “stay alert […]” is very brief considering the severity of this breach. They refer to a generic FAQ page, an anonymous mailbox, and a phone number—this could also have been more personal.

Brussels Airport

The cyberattack on the airports was ransomware targeting software from Collins Aerospace, used for self-check-in at the airport. Previous notable ransomware cases include Maastricht University (2018), MediaMarkt (2021), and the KNVB (2023). In several instances, a substantial ransom was paid.

Many flights were still canceled last weekend. People waiting for vacation or business trips couldn’t travel. Russian interference was even suggested. People were worried and frustrated. On the screen it said: “If your flight has been canceled, please leave the airport,” followed by: “Your airline will contact you about your options. Thank you for your cooperation.” What I read as: “Don’t call us, we’ll call you… bye!”

Of course, it’s difficult to formulate a good message for an incident that is inherently unpleasant. But it also seems unprepared, without a crisis communication playbook. Since all organizations know that such cyberattacks and hacks are inevitable, it makes sense to have tested and ready-to-use texts, combined with better direct and personal communication.

What Works

Rule #1 in crisis management is: control the narrative. Take control. Stay connected with those affected. It’s the best way to turn a crisis into more engagement and connection with your audience.

I personally had to manage a data hack as Head of Communications at an international school. The key was continuous openness and honesty—always one step ahead of the press or rumor mill. This was greatly appreciated: the NPS score for communication and community engagement even rose from 7 to 8.8. A crisis can actually create more trust and connection if you dare to be open and vulnerable.

Coca-Cola: How Vulnerability Restores Trust

A strong example was Coca-Cola in Belgium (1999). After children became ill from bottles and cans, tens of millions of products were pulled from shelves, and the brand made front-page news for weeks. Initially, Coca-Cola made the classic mistake: responding too late and defensively. But then they handled it well: openly apologized, had their processes audited, and invited people to see for themselves that everything was safe again. Through public campaigns, tastings, and personal communication, they gradually regained trust.

The lesson: show vulnerability, take responsibility, and actively seek connection.

Sideline Commentators

Of course, it’s easy to criticize the organizations mentioned from the sidelines. They’ve had a tough time and likely worked hard to reassure and assist their customers. Perhaps they even prevented worse outcomes. But my simple observations and advice could help them—and other organizations—communicate with more empathy and user focus. Everyone has plenty of time to prepare for this. You can start now, and there are more than enough experts to assist.

My call: don’t wait until it happens—because it will happen, you just don’t know when. Good communication is crucial to helping people. Do it well, and it can even strengthen your brand. Do it poorly… well: trust comes on foot and leaves on horseback.

The good news: at TD, we have both the experts who help organizations prevent data hacks and the communication experts ready to set the right tone in a crisis. That way, you not only avoid trouble but also build trust—especially when things get tense.

Author: Trudelies van der Poel, TD Brand Strategist and Martijn Arts, CEO Total Design