Data Breaches – It’s not if. It’s when!

Written on September 13, 2022. 10 days later, Optus.

Some years ago, I was purchasing a new road bike, all carbon fibre and unobtainium. The bike shop owner also talked me into a new helmet. His sales pitch was “you’ll need this for when, not if, you come off.” He was not wrong. I did, eventually, come off. Big time. Bruised ego, road rash, broken ribs, but a fully intact head. Which is more than I can say for the seriously cracked helmet.

In a world where everyone is collecting data on everyone else – even the taco sellers want you to order, and pay, via their App – it really is a case of when data security is breached, not if.

The pandemic and the ubiquity of the QR code has resulted in a flood of service providers driving customers online and onto Apps to execute transactions, most of which require input of personal and credit card details. What could possibly go wrong?

The answer is, quite a lot. In many cases the collected data is stored, and payment processed, by third parties. Another link in a chain of custody of sensitive information.

Are you certain that the data you are collecting, or that is being collected on your behalf, is secure? Other than general reassurances about security protocols and systems in place (most of which is indecipherable technical jargon) what tangible security measures are in place, particularly at the weakest points, being where your staff or contractors physically enter or access data?

Of the last four crisis management tasks we have been asked to assist with, three have been data breaches.

Managing a data breach is a complex task. Not only do the data security experts need to track down and plug the leak but a wide range of stakeholders, from customers to regulatory authorities to business partners and the media, all need to be sensitively communicated with and reassured that matters are (hopefully) in hand.

That requires a set of skills that are not usually held by day-to-day operating staff. Taking two important steps will help in navigating the challenges presented.

 First, assume it will happen to you and develop and rehearse a crisis management plan.

• Second, immediately you become aware of a potential breach, call in your crisis team, made up of key internal and critical external technical, communication and legal support, to work on responses and reputational protection.

The damage that can be done to corporate reputation by slow and inadequate response can be fatal. Even if the breach originated due to a failure within your organisation, if you move quickly, decisively and appropriately, you stand a good chance of minimising the damage, to you and to your customers.

In an interconnected world  where online security is continually being tested by bad actors, everyone understands that challenges may arise. It is how you respond that will determine whether you retain or lose trust.

The best way to ensure you respond effectively is to be prepared. Get a data breach crisis plan together, engage the necessary external support and rehearse.

When it does happen, move quickly to bring that team to the multifaceted task of fixing the breach, communicating with stakeholders and interested parties and rebuilding the trust that every business relies on.

RMK+Associates has long experience in preparing for and managing corporate crises, including numerous data breach incidents. We have long-standing partnerships with data security experts, we have comprehensive stakeholder management skills, and we can work closely with clients’ legal counsel to prepare for and respond to serious data breach events.

Are you ready?

Just in case you think we may be overstating the risk, here are only a few examples of recent cases that have created chaos:

Optus

Huge data breach. Up to 10 million customers impacted. Optus first suggests customers should use the My Optus App to find out what is going on. Massive fail!  CEO comes out next day with an almost tearful apology and promises of further restorative action, but still can’t specify what happened or how they will fix it.

Uber

Hacker gains access to all internal system through phishing attack. All Uber email systems and team online tools shut down for an extend period.

A 2016 attack stole the details of 57 million driver and rider accounts. Uber paid $US100,000 ransom to have the copies deleted and kept the breach secret for over a year. Uber’s then security chief charged with failure to disclose the breach to regulators and is currently on trial.

APT Travel Group

Attack takes down all booking systems and compromises data. Company refuses to confirm that it paid a seven-figure ransom to unlock its systems and recover data.

DoorDash

Phishing attack exposes customer data including partial payment details. Company has to cut off access to some third-party vendors and re-engineer its security protocols

International Committee of The Red Cross

Hackers gain access to personal data of more than 510,000 people worldwide. ICRC did not detect the breach for 70 days. Impacted servers taken offline for an extended period. Compromised data not recovered.

Toll Group

Suffers two attacks in one year, shutting down various elements of their online customer services and compromising customer data. Attackers demand a ransom, Toll refuses, endures weeks of disruption.

An Impossible Standard to Meet – or – Nobody Expects The Spanish Inquisition

By John Kananghinis

OK, fair cop. I did it.

Forty some years ago I may have broken some road rules and possibly even made an occasional comment that would, today, be considered sexist. I may even have said that something one of my fellow teenagers said, or did, was ‘totally gay, dude’.

Lucky for me there was no Twitter, or Faceplant or whatever the latest online platform for the terminally immature and narcissistic is. No mobile phones, not even faxes. There was Telex (if you remember that, you too are old) but it wasn’t really anything one could consider social media. The only social media we had was the pen and paper, and perhaps the school magazine.

So, I probably did it, but there is no record. Therefore, all good.

Not so fast. Someone else, who never liked me all that much, remembers me doing it (whatever it was) and they even have a journal, purportedly from that far distant time, that, for some unknown reason, they have kept and have conveniently just found. Coincidently, just as I’m about to announce that I would like to be the Victorian Opposition leader – well, someone has to do it.

That’s the end of that, then. No public life for me. Far to compromised and clearly of poor character. Afterall, under 18s should always be held accountable for their actions in later life. They should be perfectly aware that what they do, or say, as adolescents, will determine the course of their lives and their suitability for any position, let alone high political office, forever.

Clearly that is a ridiculous proposition. Or is it?

Forget the ongoing issues in this country, character assassination based on the behaviour of children has surely reached its apogee when the newly appointed editor of Teen Vogue, a 27-year-old black woman, is drummed out of her position on the basis of allegedly homophobic and racist slurs she Tweeted when all of 17. Oh, and also because she turned up to a teen fancy-dress party in a Native American consume.

Despite, 3 years ago, having apologised for the (rather mild) comments, the staff of Teen Vogue and two of its advertisers could not stomach the thought of working with this racist white supremacist, no, wait, she’s black, remember?

Anyway, she’s toast, on the scrap heap, far too much for the snowflakes to bear.

With biblical teaching no longer in vouge (sorry could not help that one) it’s no surprise that certain basic rules conveyed by such writings no longer apply, such as ‘Let anyone among you who is without sin be the first to throw a stone…’

I feel for the youth of today. They have no private space in which to grow up. To make mistakes, learn from them and mature. If current trends continue, they will be paying for their obsession with online existence for the rest of their lives.  Can we cut the kids some slack and, for God’s sake, take the damn phones off them, for a while?

As they say in the classics, good luck with that.

RMK+A, sadly, has experience in addressing issues raised by employee’s past and present use of social media and can assist in navigating such perilous waters.

The triple Ds no longer work

By John Kananghinis

A long time ago, in a galaxy far, far away, corporate communications practitioners were taught that in a major crisis event there were three standby tools to use when the facts were unclear and/or unpalatable. They were the three Ds – Deny, Deflect and Delay.

That is not to mislead or to lie, but to skilfully use the three Ds to move attention away from the heat of the moment, thus allowing more time to polish the final messaging and place less immediate pressure on the, sometimes hapless, spokesperson – be they PR hack or CEO.

But times have changed. Media is now an immediate feedback loop. Commentary and opinion have replaced reporting, social media allows the previously voiceless to shout and the community has become more cynical.

The old tools don’t work all that well, if at all.

The growing discontent with Victorian Premier Daniel Andrews is likely driven in equal measure by three elements, the ineffectual use of the three Ds, concern around a personal style that can appear lacking in emotional connection and just plain overexposure.

Whoever is advising Premier Andrews needs to realise this is the 21st Century. The old ways don’t cut it. They had their boss deny numerous matters (such as this is not a second wave) that he later had to recant; they had him deflect, blame shifting to certain communities, youth, workers with no sick leave, Federal Government aged care agencies, non-mask wearers etc.; they continue to have him delay by claiming not to know about fundamental matters related to the handling of the first wave, that sparked the second, and by hiding behind a non-judicial enquiry.

It makes no difference how much of this is his doing and how much is bad advice. The media and the public have in, large measure, stopped buying it and the pile-on has begun.

Further communication bungles have not helped. Inconsistent messaging about isolation while awaiting test results, advice on the wearing of face masks and use of inappropriate and ineffective channels to explain restrictions to non-English speaking communities, have exacerbated the feeling of loss of control and of constantly playing catch-up.

Eventually the Australian BS filter kicks in and people start targeting the messenger, in this case the Premier.

Just 10 years ago BP provided an object lesson in how not to deal with a crisis. While their failed well was lubricating the Gulf of Mexico, their CEO, Tony Hayward – who was pictured sailing his racing yacht around the Isle of White – first tried denial “the amount of oil is relatively tiny in comparison to the very big ocean”, he declared. He tried deflection with many and various explanations for the drilling rig’s failure; he even tried delay, by claiming he did not have all the facts, yet. Ultimately, he blew himself out of the water (could not resist that) by saying “You, know, I would like my life back too.” That sour note sank his public standing and his career.

The three Ds did not work and a lack of appropriate contrition, empathy and a suitable tone left BP as one of least trusted corporations on the planet.

The Victorian Premier would do well to learn from such mistakes. Perhaps it is already too late.

RMK+A is highly experienced in crisis communication and has assisted businesses and organisations in managing public and stakeholder relations around major events for over 30 years.

Time for the opposite of desperation marketing

By John Kananghinis

In last week’s special edition of Words + Insights we wrote about the need for businesses to stay calm and to communicate.

This week we explore how to communicate to customers, during times of crisis, in a way that will build trust by reassuring, offering value and being measured.

By now, almost everyone will have been deluged by notifications from a range of businesses advising of the measures they are taking to address the pandemic.

Too late, then, to discuss the initial salvo of communication. What of the ongoing?

As with all marketing it must be driven by addressing a customer need. Right now the customer does not need to know that you are desperate to shift product. They know. Bombarding them with desperation ‘offers’ and ‘opportunities’ will not help them cope with the unique circumstances. More than likely it will annoy.

Frankly, there are more important things to worry about than missing out on a ‘great deal’. And such an approach may also strike a particularly discordant note, as if not really recognising the situation.

Delivering customer value must orbit around the needs of the current circumstance. If a business offers an essential service, communication must be around reassurance. If not essential, there are still many ways businesses can demonstrate that they are aware of the situation and doing their bit to help.

We have already seen many stories of the repurposing of capabilities to assist in providing vital aid to the fight against coronavirus. Breweries and distilleries producing branded hand sanitiser, luxury goods brands manufacturing personal protective equipment, auto manufacturers building respirators. All positive reactions and all legitimate and appropriate topics to communicate to their customer base.

There are even tangential ways businesses can help customers meet current needs. Using connections and partners to provide practical assistance. For example, reading lists, YouTube channels or viewing lists, home cooking recipes, fitness at home ideas from linked sportspeople. The ideas are limited only by imagination.

The reality is that most businesses will face a significant fall in sales. But with the extra time customers have in front of computer screens there need not be the same drop in engagement.

For those providing discretionary products and services keeping communication going, with value-adding content, can also be an opportunity to keep building desire. Just allowing customers to view/build/configure their dream product or service is a soft sell that can be both enjoyable and diverting. Again, not trying to shove distressed product down their throats, but a distraction that may help get them through a difficult time.

In short, keep communicating, reassure, be imaginative, offer value, be relevant and don’t be a pest.

Businesses that stick to those principles will build recognition and loyalty that is sure to give them a head start when the crisis abates.

RMK+A has developed and implemented integrated communication and marketing plans for clients in sectors as varied as automotive, heavy equipment, transport and logistics, energy, tourism, waste, insurance, finance and professional services.