A cyberattack now happens every 11 seconds and chances are, your organization is next. In 2024 alone, more than 3,200 data breaches were publicly reported in the U.S., compromising the information of over 353 million people. These numbers aren't just staggering, they’re a warning: cybersecurity incidents are no longer rare, and silence is no longer an option.How an organization communicates about a cybersecurity incident can be just as consequential as the incident itself. Mishandling the messaging can erode trust faster than any threat actor could. And yet, time and again, companies continue to fumble the basics of breach response, turning a bad situation into a reputational crisis.As a cyber crisis communications specialist, I’ve seen far too many companies fumble the communications side of a cyberattack by turning a manageable event into a full-blown crisis. Here are the most common (and damaging) missteps organizations make in their cyber response, drawn from some of the most high-profile and mishandled incidents in recent years.
Instead of reporting the stolen data as required by law, Uber paid the threat actors $100,000 then tried to frame it as a routine event once it became public. It not only triggered regulatory backlash, but also made a bad cyber security incident look far worse in the eyes of the public and investors.The lesson: Trying to spin an incident as “minor” or “routine” when personal or sensitive data is involved will almost always backfire. Audiences want honesty, not corporate hedging. Downplaying impact often results in coverage that feels like exposé journalism and fuels legal consequences down the road.
Target’s initial response largely blamed a third-party vendor for the incident that impacted 40 million credit and debit cards. While the vendor connection was real, the public expected Target the brand they trusted to take responsibility and not try to place blame.The lesson: Pointing fingers, especially early on, looks defensive and disingenuous. Even if a vendor or partner introduced the vulnerability, it’s your brand that customers gave their data to. Own the issue, then explain how you’re fixing it.
Too often, companies issue media statements that sound like legal disclaimers: vague language, no empathy, and heavy on liability shields. These cold, corporate statements might reduce legal exposure in the short term, but they escalate reputational damage in the long run.The lesson: The public doesn’t want legalese. They want reassurance. The most effective statements speak to humans, not regulators. You can maintain legal integrity while still expressing accountability, compassion, and a commitment to fix the problem.
It’s one of the most damaging and common mistakes: making definitive claims early in a breach that later turn out to be false. Phrases like “no sensitive data was accessed”or “we’ve contained the situation”are often issued in the first 24–48 hours, only to be reversed when forensics teams complete their analysis. The lesson: In the early hours of a cyber incident, you don’t know what you don’t know. Avoid making statements thatoverpromise or understate. It’s better to say “we are still assessing the full scope” than to declare something you may have to publicly correct. Walking back a statement not only damages credibility, it raises questions about your honesty, your competence, or both.The bottom line is that no organization is immune from cyber threats. But every organization can choose how to communicate when they happen. The worst responses are driven by fear of legal risk, reputational loss, or public scrutiny. The best responses are driven by values: responsibility, honesty, and respect for those affected.If your crisis plan starts and ends with IT, you're not ready. The next cyberattack may be inevitable, but the communications failure that follows it doesn’t have to be.
1. Downplaying the impact
Uber (2016, disclosed in 2017)Instead of reporting the stolen data as required by law, Uber paid the threat actors $100,000 then tried to frame it as a routine event once it became public. It not only triggered regulatory backlash, but also made a bad cyber security incident look far worse in the eyes of the public and investors.The lesson: Trying to spin an incident as “minor” or “routine” when personal or sensitive data is involved will almost always backfire. Audiences want honesty, not corporate hedging. Downplaying impact often results in coverage that feels like exposé journalism and fuels legal consequences down the road.
2. Playing the blame game
Target (2013)Target’s initial response largely blamed a third-party vendor for the incident that impacted 40 million credit and debit cards. While the vendor connection was real, the public expected Target the brand they trusted to take responsibility and not try to place blame.The lesson: Pointing fingers, especially early on, looks defensive and disingenuous. Even if a vendor or partner introduced the vulnerability, it’s your brand that customers gave their data to. Own the issue, then explain how you’re fixing it.
3. Sending legal to do the talking
Many, many companiesToo often, companies issue media statements that sound like legal disclaimers: vague language, no empathy, and heavy on liability shields. These cold, corporate statements might reduce legal exposure in the short term, but they escalate reputational damage in the long run.The lesson: The public doesn’t want legalese. They want reassurance. The most effective statements speak to humans, not regulators. You can maintain legal integrity while still expressing accountability, compassion, and a commitment to fix the problem.
4. Failing to prepare the front lines
Marriott (2018)After disclosing that 500 million guest records had been compromised, many Marriott locations and call centers were caught off guard. Customers who called for help reported inconsistent responses or confusion from frontline staff.The lesson: Your first responders aren't just IT or PR, they’re your customer service teams. If they don’t have talking points, FAQs, or a coordinated script, you’ve created another crisis, this one in communication. Internal alignment is just as critical as the public message. Have your communications assets in place and make sure your internal team knows how and when to escalate an issue.5. Using technical jargon to confuse or deflect
SolarWinds (2020)While the scale of the SolarWinds was extraordinary, early communications from some affected parties included dense technical jargon and evasive references to “nation-state actors,” which didn’t help affected clients or the general public understand the risk.The lesson: Using complicated language to appear competent can have the opposite effect. It confuses stakeholders and invites speculation. Communications should clarify, not obscure. Plain language builds trust. Buzzwords and ambiguity break it.6. Making claims you later have to walk back
Too many to countIt’s one of the most damaging and common mistakes: making definitive claims early in a breach that later turn out to be false. Phrases like “no sensitive data was accessed”or “we’ve contained the situation”are often issued in the first 24–48 hours, only to be reversed when forensics teams complete their analysis. The lesson: In the early hours of a cyber incident, you don’t know what you don’t know. Avoid making statements thatoverpromise or understate. It’s better to say “we are still assessing the full scope” than to declare something you may have to publicly correct. Walking back a statement not only damages credibility, it raises questions about your honesty, your competence, or both.The bottom line is that no organization is immune from cyber threats. But every organization can choose how to communicate when they happen. The worst responses are driven by fear of legal risk, reputational loss, or public scrutiny. The best responses are driven by values: responsibility, honesty, and respect for those affected.If your crisis plan starts and ends with IT, you're not ready. The next cyberattack may be inevitable, but the communications failure that follows it doesn’t have to be.
