You have a moral (and often a legal) obligation to notify anyone that has been put at risk of harm,by the cyber attack you have suffered. You also normally have an obligation to offer protection, if only to retain the goodwill of your key stakeholders.
Even if you are certain that financial data such as credit card numbers have not been stolen, a data breach can put your customers and staff at risk of phishing and other forms of credit fraud.
Various organisations can be employed to identify and limit the damage from such criminal activity. There is a strong argument though that mere Credit Monitoring services don't really help consumers, and are merely a PR exercise for the breached organisation.