Support During a Security Breach: A Playbook
Your company just got breached. Customers are panicking. The press is calling. Your support team is the front line. Here's exactly what to do in the first 72 hours.
It's 3am. Your on-call engineer just confirmed: your database was accessed by an unauthorized party. Customer data may be exposed.
In the next 72 hours, your support team will handle more volume, higher emotions, and higher stakes than any other period in your company's history. How you handle it determines whether customers stay or leave, whether the press story is "company handled breach well" or "company made everything worse," and possibly whether regulators decide to investigate.
Most companies have incident response plans for the technical side (contain the breach, assess the damage, patch the vulnerability). Almost nobody has a plan for the support side: what to tell customers, when, through what channel, and how to handle the thousands of panicked messages that will hit your inbox.
Hour 0-6: Contain and Prepare
Your support team can't help customers until they know what happened. The first priority is getting accurate information from the security/engineering team.
What your support team needs to know before responding to anyone:
What data was potentially exposed? Emails only? Passwords? Payment info? The answer changes the severity and the guidance.
Were passwords hashed? If yes, with a strong, salted algorithm, the risk is lower. If no, or if a weak or unsalted hashing algorithm was used, customers need to change passwords immediately.
Was payment data exposed? If credit card numbers were stored in plain text (which they shouldn't be), customers need to call their banks. If payment was handled by Stripe or a similar processor, the card numbers likely weren't in your database at all.
How many accounts were affected? All of them? A subset? Knowing the scope lets you target communication.
Is the breach contained? Are the attackers still in the system? You can't tell customers "you're safe now" if you're still actively compromised.
Get this information before opening the inbox. The worst thing your support team can do is respond to panicked customers with "we don't know yet." A status page update, with no individual replies until you have the facts, is better than uninformed replies.
Hour 6-12: The First Communication
Send a proactive notification to all affected users before they hear about it from the press or social media. The notification should be:
Honest about what happened. "On [date], we discovered unauthorized access to our database. An investigation is ongoing." Don't minimize. Don't use phrases like "a small number of accounts" if you don't know the number yet.
Specific about what data was involved. "The exposed data includes email addresses and hashed passwords. Payment information was NOT stored in our database and was not affected." Be specific about what was and wasn't exposed.
Clear about what customers should do. "As a precaution, we recommend changing your password. If you used the same password on other sites, change those too." Give concrete actions.
Honest about what you don't know yet. "We're still investigating the full scope. We'll send an update within 24 hours." Don't promise certainty you don't have.
Include a way to reach you. "If you have questions, our support team is available at [email/chat]. We've added extra staff to handle the volume."
Hour 12-48: The Flood
After the notification goes out, your support volume will spike 10x to 50x above normal. Every message falls into one of a few categories:
"Was my account affected?" Most common question. If you can check per-account exposure, do it. If you can't, be honest: "We're still determining which specific accounts were accessed. As a precaution, we recommend..."
"What should I do?" Provide clear, specific steps. If passwords were exposed: change the password, enable 2FA, and change it on any other site where it was reused. If payment data was exposed: monitor bank statements and consider a credit freeze.
"Is my data on the dark web?" You probably can't answer this. Be honest. "We don't have visibility into that. We recommend monitoring your accounts for unusual activity."
"I want to delete my account." Respect this immediately. Don't argue. Don't try to retain them. Process the deletion and confirm. They may come back later. If you fight them now, they never will.
"I'm going to sue." Route to your legal team. Don't respond with anything substantive. "I've forwarded your message to our legal team, who will respond directly."
AI During a Breach
This is one of the scenarios where AI support shines brightest. When volume spikes 20x, your human team of 5 can't handle 1,000 messages. AI can.
Set up a breach-specific auto-response. Every incoming message during the incident gets an immediate classification. If it's breach-related (and almost all of them will be), AI sends the standard breach response:
"We're aware of the security incident reported on [date]. Here's what we know so far: [summary]. Here's what we recommend you do: [steps]. We'll send another update by [time]. If you have a question not addressed here, reply and a team member will respond."
This handles 60 to 70% of incoming messages. Customers get immediate information instead of waiting in a queue. Your human team focuses on the complex cases: account-specific inquiries, deletion requests, legal threats, and press contacts.
Supp can be configured to route breach-related intents to a specific response template during an active incident. Classification happens in under 200 milliseconds, which means the customer gets the breach information in seconds, not hours.
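As an added example, not Supp's code or anything from the original playbook, here is a small Python router that implements the triage this section describes and the 30-day keyword rule under "After the Breach": human-only cases (legal threats, deletion requests, press, account-specific questions) are checked first, everything else that mentions the incident gets the standard breach template, and a date check switches the routing off after the window. The regexes, queue names and the sample incident record are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import date
# Standard breach reply; placeholders mirror the template quoted in the playbook.
BREACH_TEMPLATE = (
    "We're aware of the security incident reported on {date}. "
    "Here's what we know so far: {summary}. "
    "Here's what we recommend you do: {steps}. "
    "We'll send another update by {next_update}. "
    "If you have a question not addressed here, reply and a team member will respond."
)

# Constructed incident record (hypothetical values, not from any real incident).
SAMPLE_INCIDENT = {
    "date": "2025-01-01",
    "summary": "email addresses and hashed passwords were exposed; payment data was not",
    "steps": "change your password and enable 2FA",
    "next_update": "2025-01-02 18:00 UTC",
}

# Cases the playbook reserves for humans, checked BEFORE the generic breach rule so that
# "was my account hacked? delete it" escalates instead of getting a canned reply.
ESCALATION_RULES = [
    ("legal", re.compile(r"\b(sue|lawsuit|lawyer|attorney|legal action)\b", re.I)),
    ("deletion", re.compile(r"\b(delete|close|cancel)\s+(my\s+)?account\b", re.I)),
    ("press", re.compile(r"\b(journalist|reporter|press|media)\b", re.I)),
    ("account_specific", re.compile(
        r"\b(my account|was i|am i)\b.*\b(affected|accessed|exposed|compromised)\b", re.I)),
]
# Generic breach intent; keywords follow the "After the Breach" section (regex is hypothetical).
BREACH_RULE = re.compile(r"\b(breach(ed)?|hack(ed|ing)?|security|data leak|leaked|compromised)\b", re.I)

@dataclass
class RoutingDecision:
    queue: str            # "auto_reply", a human queue name, or "general"
    reply: "str | None"   # canned text to send, or None when a person must answer

def incident_active(today_iso: str, started_iso: str, window_days: int = 30) -> bool:
    # Keep breach routing switched on for window_days after the incident date (ISO dates).
    delta = (date.fromisoformat(today_iso) - date.fromisoformat(started_iso)).days
    return 0 <= delta <= window_days

def route_message(text: str, incident: dict, active: bool = True) -> RoutingDecision:
    # Classify one inbound support message during (or shortly after) an incident.
    if not active:
        return RoutingDecision("general", None)
    for queue, pattern in ESCALATION_RULES:
        if pattern.search(text):          # human-only cases win over the canned reply
            return RoutingDecision(queue, None)
    if BREACH_RULE.search(text):
        return RoutingDecision("auto_reply", BREACH_TEMPLATE.format(**incident))
    return RoutingDecision("general", None)
```

Call `route_message(text, SAMPLE_INCIDENT, active=incident_active(today, "2025-01-01"))` per message; anything returned with `reply=None` goes to the named human queue.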
Hour 48-72: The Update
Send a follow-up communication with new information. Even if the information is "the investigation is ongoing and we haven't found additional impact." People want to know you're still working on it.
Include any new protective measures you've taken. "We've implemented additional monitoring, required password resets for all accounts, and engaged a third-party security firm to audit our systems."
If you've determined the exact scope, share it. "Our investigation confirmed that 12,000 accounts were affected. We've notified all affected users individually."
After the Breach
The breach response doesn't end when the incident is contained. The trust repair takes months.
Publish a post-mortem. Not a PR statement. A genuine technical post-mortem that explains what happened, why it happened, and what you changed to prevent it. Transparency rebuilds trust faster than anything else.
Offer something. Free credit monitoring if financial data was exposed. Free upgraded security features (2FA, security keys). An extended trial or service credit. The specific offering matters less than the gesture.
Monitor support volume for 30 days after. Breach-related questions will trickle in for weeks: customers who missed the notification, customers who are only now checking their accounts, and customers who read about it in a late news article.
Keep the breach response template active in your AI classification for at least 30 days. Any message mentioning "breach," "hack," "security," or "data leak" should still get the updated response with current status and recommended actions.
The companies that survive breaches aren't the ones that never get hacked. They're the ones that respond fast, communicate honestly, and make it easy for customers to protect themselves. Your support team is the vehicle for all three.