Minding your own business, the phone rings and the anonymous caller tells you that your web application has been hacked from the customer side and you are leaking customer and user data. The person on the phone refuses to self identify and is never heard from. Now what?