Data breached is consumer trust breached – potentially permanently
Many brands roll out the red carpet when selling to consumers or hiring employees, only to shut up shop when they’ve had a data breach and people need answers to important questions about their personal information.
Nothing destroys reputation and trust more effectively. I should know: I have worked as a crisis management consultant on around 100 of them.
This is especially important as cyber incidents are now a real, lived reality in Australia. In 2024, a staggering 1,113 notifiable data breaches were reported to the Office of the Australian Information Commissioner (OAIC). This marks a 25 per cent increase on the previous year, and the highest number of breaches reported since the Notifiable Data Breaches Scheme was introduced in 2018.
These incidents continue to affect millions of Australians – some multiple times – all of whom are trying to protect the security of their personal information. But how do they affect the reputation of the organisations which suffer the breach?
To understand the impact, we spoke to a sample of Australian consumers and C-suite executives about what people expect during a data breach (and what executives think they expect). Our research, produced in collaboration with Hall & Wilcox lawyers and Quantum Market Research, reveals a clear disconnect between what consumers expect and what businesses believe they need to deliver.
Our study shows 58 per cent of Australians are more concerned about the security of their personal data than they were five years ago, and three-quarters now say privacy matters more than convenience when using online services. Only 20 per cent of Australians believe organisations are doing enough to protect their data, down from 41 per cent two years ago.
This heightened awareness means each new breach lands harder, fuelling scepticism over whether organisations can be trusted to protect what matters most.
This gap between what organisations say and what people feel is the story of cyber response in Australia right now.
Business leaders agree transparency is expected, but only half think they need to go beyond the legal minimum to deliver it. In other words, leaders are promising openness, but consumers aren’t getting it…and they aren’t buying it. Only two per cent of Australians say they will trust an organisation which communicates the bare minimum after a breach – almost no one believes them.
Australians aren’t naïve. They know breaches happen. They know cyber criminals and state-sponsored threat actors are good and getting better.
What they’re judging is what organisations can truly control – how they respond – and their verdict is that speed, clarity and empathy matter far more than boilerplate compliance statements.
You may be wondering if people really care anymore. Has “breach fatigue” set in? The answer is that the human impact is real. Nearly half of those affected reported emotional distress, and one in 10 needed time off work to deal with the fallout from a breach – replacing their driver’s licence, tax file numbers or passports. For many people, having their mobile number and home address published online is a traumatic event.
Younger Australians are vocal about wanting clear, practical guidance. Forty-three per cent of those aged 18–29 said organisations failed to provide them with steps to protect their data after a breach. Older Australians, meanwhile, feel most vulnerable: more than half of those aged 65+ said companies didn’t do enough to protect them from harm.
These insights underscore that expectations aren’t just higher overall. They differ across demographics, placing importance on tailored, empathetic communication.
Data breaches are no longer a matter of “if” but “when.” For business leaders, the real test is how quickly and credibly you respond. What once passed as “timely” (releasing a statement weeks after an incident) is now seen as silence. Today, trust can be lost in hours.
Meeting only the bare minimum of legal obligations won’t cut it either. Stakeholders expect accountability and care. That might mean bringing in independent experts, offering support to those affected, or creating clear channels of communication to show you take the issue seriously.
Above all, the response must be human. A breach isn’t just about compromised data; it’s about the people impacted. Speaking like a person, not a policy, and providing accessible help shows empathy, and that empathy is not only decent, but strategic. Customers, employees, and donors forgive brands that show care. They abandon those that don’t.
The question isn’t whether your organisation will face a breach, but whether you’ll be ready to meet and exceed stakeholder expectations when it happens.
A crisis becomes an opportunity to prove to customers, members, donors or employees that you are worthy of their trust.
Firewalls can be rebuilt, but once reputation is lost, it’s far harder to recover than a stolen password.
– Lauren Clancy, Client Partner, Cyber & Technology Lead – Porter Novelli Australia