What can we learn from corporate responses to the world’s biggest security breaches? asks James Hall, Commercial Director of the software firm Striata UK. Put communication at the heart of your response plan, he advises.
Over the past few years, data breaches have become increasingly common and have affected a great many high-profile organisations. In 2019 alone, Flipboard, Facebook and Toyota have all fallen victim to high-profile breaches. At the same time, others are facing the consequences of earlier breaches. Most notably, British Airways is facing a record £183m fine for a breach that happened in 2018. Data breaches are also becoming increasingly expensive, with costs to UK companies increasing 41 per cent in a single year.
One way of mitigating both the impact and cost of data breaches is through effective customer communication. Customers who are promptly notified of a data breach – as is required by the EU’s General Data Protection Regulation (GDPR) – are much more likely to forgive the affected organisation. With the stakes so high, it’s worth seeing what lessons can be learned from how the companies at the centre of some of the world’s biggest data breaches managed their customer communication.
Between 21 August and 5 September 2018, British Airways fell victim to the biggest data breach in its history, with the personal information of some 380 000 customers compromised by the attack. As details of the breach emerged, the airline appeared to scramble. Its first port of call was to send out a tweet with a link to information about the breach, before speaking to the media and sending out an email to its customers. The company’s social media team also responded to consumers’ questions and concerns on Twitter.
While the overall response seemed comprehensive, some customers were still aggrieved that they found out about the breach on Twitter, or in the media, rather than via any direct communication. That’s understandable. Remember, people expect organisations to communicate with them on the channel that they’re most comfortable with.
Properly coordinated, British Airways could have put out a cross-channel response, covering all its bases. While it undoubtedly would’ve still faced damages as a result of the breach, its impact may well have been mitigated to a much greater extent.
When hotel group Marriott fell victim to a massive data breach in late 2018, it made sure to warn customers. Trouble is, the way it did so would’ve looked suspicious to any customer with even a bit of security nous.
Notifications were sent out from “email-marriott.com”. As TechCrunch notes, that address is registered to a third-party firm, CSC, on behalf of the hotel chain giant. Unfortunately, that fact was buried in a note on Marriott’s data breach notification site. It didn’t help that the domain didn’t load or have an identifying HTTPS certificate, which made it easy to spoof: a recipient had no way to tell a genuine notice from a phishing message using a similar domain.
The incident, which mirrored many of the issues of the response to the Equifax hack a year earlier, was an important reminder for organisations to host breach information on their own websites and verified social media accounts, and, when customer communications are sent out, to ensure that they have the same look and feel as any other sent out by the organisation.
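The Marriott lesson can be turned into a pre-send check. The code below is an added example, not code from the article or from Striata: it takes the sender domain, the landing link and the organisation’s own domains, and flags a sender outside those domains, a brand lookalike host and a non-HTTPS link. Apart from “email-marriott.com”, which the article quotes, the domains and URL in the sample call are constructed.

```python
"""Pre-send checks for breach-notification artefacts (added example)."""
from urllib.parse import urlsplit


def registrable(host: str) -> str:
    """Last two labels of a host, e.g. 'news.marriott.com' -> 'marriott.com'.
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_notice(sender_domain: str, link: str, org_domains) -> list:
    """Return a list of findings; an empty list means the notice passes."""
    findings = []
    org = {d.lower() for d in org_domains}
    brands = {d.split(".")[0] for d in org}  # e.g. {'marriott'}

    # 1. The From: domain must belong to the organisation itself.
    host = sender_domain.lower()
    if registrable(host) not in org:
        findings.append(f"sender {host} is not under an organisation-owned domain")
        # A brand name embedded in a foreign host is exactly what phishers imitate.
        if any(b in host for b in brands):
            findings.append(f"sender {host} is a brand lookalike outside {sorted(org)}")

    # 2. The landing page must be HTTPS and on an organisation-owned domain.
    parts = urlsplit(link)
    if parts.scheme != "https":
        findings.append(f"link {link} is not served over HTTPS")
    link_host = parts.hostname or ""
    if registrable(link_host) not in org:
        findings.append(f"link host {link_host} is not under an organisation-owned domain")
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the Marriott notice; only the sender domain is from the article.
    for f in check_notice("email-marriott.com", "http://email-marriott.com/notice", {"marriott.com"}):
        print("FAIL:", f)
```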
In June 2018, family history site MyHeritage fell victim to a breach in which the email addresses and passwords of 92.3 million of its users were leaked.
In the wake of the breach, it posted all the relevant information on its website and provided regular updates on its blog. It detailed what happened, what data had been affected, and what measures were taken to mitigate the impact. It also gave users exact instructions on what to do to protect their accounts and made a customer support team, which could be contacted via email or phone, available 24 hours a day. The day after the breach was announced, it also forced all users to change their passwords, further limiting the impact.
Facebook has suffered two major data breaches in the past two years. The first, in 2018, allowed attackers to access the personal data of more than 50 million users. The second, in May this year, allowed bad actors to install spyware on WhatsApp users’ phones with a simple missed call.
Facebook’s response to the first was described as “muddy” by CNBC, while Business Insider described the second as “sluggish”, adding that the company hadn’t learned “from catastrophic errors in the past”.
The response to the second incident appeared to be especially ill-handled. Most users found out about it through a Financial Times article. And when an update eventually came through, it mentioned nothing about WhatsApp. There were also no direct notifications sent to WhatsApp users telling them that their data may have been compromised, no direct prompts to update the app, and no blog post outlining the issue.
While Facebook is big enough that these issues haven’t had a major impact on its bottom line, they’re having a compounding effect on its reputation. Unless it makes efforts to change that, it will eventually feel the impact. Ultimately, what all these responses show is that customer communication should be at the heart of every organisation’s breach response plan.
Security breaches that compromise customer data almost always negatively affect customer confidence. In order to regain that confidence, it’s vital that organisations get information out as quickly as possible – either as reassurance or as notification that their personal information has been breached, and what they should do about it.
To achieve this, organisations should plan and practise their response before it’s needed. A clear plan of action, including having communication templates waiting and approval workflows mapped out, will go a long way to ensuring that the organisational response is calm, informative and factual.
About the author
James Hall is the Commercial Director for Striata UK. He has more than 20 years’ experience in a range of technology-based roles; most have involved some form of transition to a digital solution. His expertise extends across the fields of product management, project management, account management and sales.