When Cybercrime Gets Physical

June 10, 2026

CISOs fall into two categories. Either you have already written to customers about a data breach, or you have rehearsed what you would say if it happened. Either way, most organizations get the communication wrong.

The instinct is to be reassuring. Breach notifications routinely include phrases like "we take your security seriously" — which, given the circumstances, says rather more than intended. The email exists because security failed. Stating otherwise is not reassuring. It is insulting.

A second common mistake is reassuring customers about what was not stolen. Many breach notices emphasize that payment card data or social security numbers were not compromised. This is meant to comfort people. What it actually does is signal that the organization has a hierarchy of sensitivity and home addresses sit lower on that list than they should.

That assumption is wrong, and increasingly dangerous.

It is already happening. Call-center scammers impersonate bank representatives, extract enough personal information to identify vulnerable customers, and then direct criminal affiliates to those customers' front doors to physically coerce them into handing over their bank cards. The breach is digital. The harm is not.

A home address cannot be cancelled and reissued. It is not a credential that resets. For someone who has been stalked, threatened, or is fleeing a domestic situation, exposure of their address is not an inconvenience; it is a safety event.

What This Means in Practice

Treat home addresses with at least the same seriousness as payment card data. If your data is breached, say what happened clearly and without spin. Do not catalogue what was not taken; account for what was.

If you do not need to retain an address after a transaction is complete, do not. Default to deletion. If customers want you to store their address for future convenience, let them choose that explicitly; do not make retention the default.

And if you have had a breach: be honest, be specific, and be useful. Your customers are not looking for reassurance that you care. They are looking for accurate information so they can protect themselves.

The best breach notification is the one you never have to send. That starts well before the incident, with what data you keep, how long you keep it, and how quickly you know when something has gone wrong.
