Data Breaches – It’s not if. It’s when!

Written on September 13, 2022. 10 days later, Optus.

Some years ago, I was purchasing a new road bike, all carbon fibre and unobtainium. The bike shop owner also talked me into a new helmet. His sales pitch was “you’ll need this for when, not if, you come off.” He was not wrong. I did, eventually, come off. Big time. Bruised ego, road rash, broken ribs, but a fully intact head. Which is more than I can say for the seriously cracked helmet.

In a world where everyone is collecting data on everyone else – even the taco sellers want you to order, and pay, via their App – it really is a case of when data security is breached, not if.

The pandemic and the ubiquity of the QR code has resulted in a flood of service providers driving customers online and onto Apps to execute transactions, most of which require input of personal and credit card details. What could possibly go wrong?

The answer is, quite a lot. In many cases the collected data is stored, and payment processed, by third parties. Another link in a chain of custody of sensitive information.

Are you certain that the data you are collecting, or that is being collected on your behalf, is secure? Other than general reassurances about security protocols and systems in place (most of which is indecipherable technical jargon) what tangible security measures are in place, particularly at the weakest points, being where your staff or contractors physically enter or access data?

Of the last four crisis management tasks we have been asked to assist with, three have been data breaches.

Managing a data breach is a complex task. Not only do the data security experts need to track down and plug the leak but a wide range of stakeholders, from customers to regulatory authorities to business partners and the media, all need to be sensitively communicated with and reassured that matters are (hopefully) in hand.

That requires a set of skills that are not usually held by day-to-day operating staff. Taking two important steps will help in navigating the challenges presented.

• First, assume it will happen to you and develop and rehearse a crisis management plan.

• Second, immediately you become aware of a potential breach, call in your crisis team, made up of key internal and critical external technical, communication and legal support, to work on responses and reputational protection.

The damage that can be done to corporate reputation by slow and inadequate response can be fatal. Even if the breach originated due to a failure within your organisation, if you move quickly, decisively and appropriately, you stand a good chance of minimising the damage, to you and to your customers.

In an interconnected world where online security is continually being tested by bad actors, everyone understands that challenges may arise. It is how you respond that will determine whether you retain or lose trust.

The best way to ensure you respond effectively is to be prepared. Get a data breach crisis plan together, engage the necessary external support and rehearse.

When it does happen, move quickly to bring that team to the multifaceted task of fixing the breach, communicating with stakeholders and interested parties and rebuilding the trust that every business relies on.

RMK+Associates has long experience in preparing for and managing corporate crises, including numerous data breach incidents. We have long-standing partnerships with data security experts, we have comprehensive stakeholder management skills, and we can work closely with clients’ legal counsel to prepare for and respond to serious data breach events.

Are you ready?

Just in case you think we may be overstating the risk, here are only a few examples of recent cases that have created chaos:

Optus

Huge data breach. Up to 10 million customers impacted. Optus first suggests customers should use the My Optus App to find out what is going on. Massive fail! CEO comes out next day with an almost tearful apology and promises of further restorative action, but still can’t specify what happened or how they will fix it.

Uber

Hacker gains access to all internal systems through a phishing attack. All Uber email systems and team online tools shut down for an extended period.

A 2016 attack stole the details of 57 million driver and rider accounts. Uber paid a $US100,000 ransom to have the copies deleted and kept the breach secret for over a year. Uber’s then security chief was charged with failure to disclose the breach to regulators and is currently on trial.

APT Travel Group

Attack takes down all booking systems and compromises data. Company refuses to confirm that it paid a seven-figure ransom to unlock its systems and recover data.

DoorDash

Phishing attack exposes customer data including partial payment details. Company has to cut off access to some third-party vendors and re-engineer its security protocols.

International Committee of The Red Cross

Hackers gain access to personal data of more than 510,000 people worldwide. ICRC did not detect the breach for 70 days. Impacted servers taken offline for an extended period. Compromised data not recovered.

Toll Group

Suffers two attacks in one year, shutting down various elements of their online customer services and compromising customer data. Attackers demand a ransom, Toll refuses, endures weeks of disruption.

Social media. How hard can it be?

Not so long ago a global fashion brand, you may have heard of them – Dolce & Gabbana, thought it would be a good idea to scare up some social media buzz for their upcoming Shanghai fashion show by posting some China-specific videos.

The posts depicted a beautiful Chinese model being taught to eat Italian food with chopsticks. One, in which she attempts to eat an oversized cannoli, included the comment: “Is it too big for you?”

No prizes for guessing what happened next.

During the ensuing outrage one of the iconic fashion duo, Stefano Gabbana, engaged in an unfortunate exchange with a fashion journalist, during which he used the poo emoji to describe China.

The big show in Shanghai was, unsurprisingly, cancelled, only hours before the curtain was due to rise.

What does this tell us? Clearly, commercial use of social media really hurts when you get it wrong.

The fact is, that a brand living in an industry that relies on social media can get it so wrong is a warning to all brands seeking to build a following to spruik their wares.

Social media may be a great medium to engage directly with customers, but it is unfiltered, un-curated and unregulated. The slightest misstep will get magnified. Once that happens, trying to get your brand out of the mire will most likely create even more attention, none of it good.

Fashion brands and fast-moving consumer goods can ill-afford to ignore social media. For some, a lack of presence on social platforms would be an existential threat. But for many companies and brands social media engagement is not quite as critical, yet many over-invest in engaging on multiple platforms with many content entry points. All of this increases the risk of something going very wrong.

We may bemoan the ‘oversensitivity’ of the audience and the sensationalising of otherwise ‘small’ issues by the new and old media, but that is the world in which we do business. Controlling the message and minimising risk should be paramount.

For any sensible brand a ‘social media strategy’ should not mean broadcasting across all possible platforms. It should mean carefully considering who you want to engage with, why it’s of value in the first place and who will control the brand messages. What seems like a good idea at a ‘brainstorm’ should always be put through one filter: who may possibly take offence?

In the end, sometimes less is more.

As for Dolce & Gabbana, their clothes were removed from a multitude of Chinese on-line retailers and their access to the largest fashion market in the world is yet to recover.

Instant feedback is going to get you – a cautionary lesson

One of the most damaging and cringe-worthy moments in the Ardent Leisure response to the deaths at Dreamworld was the sight of Ardent CEO, Deborah Thomas, live on-air asserting that a family had been contacted when she was seemingly not in possession of the full facts.

She was asked if the company had reached out to the mother of the two adult siblings who died on the Thunder Rapids ride. She said they had.

When told that one of the mothers, Mrs. Dorset, was watching and had told the journalist who had asked the question that no one from the company had actually contacted her, Ms Thomas then changed her statement to say that the company did not know how to contact Mrs. Dorset. The reporter then gave Ms. Thomas Mrs. Dorset’s mobile number.

Crisis management lesson: When fronting the media, if you are not absolutely certain of your position, don’t try to muddle through. If you have not done something yourself, don’t assume it has been done and state it as a fact. If you don’t know or are not sure, say you don’t know or are not sure. That may not be the best outcome, but it’s better than getting it wrong, because today’s instant media feedback loop will catch you out and make you look a fool, or worse.

How hard can it be? The transition from print to digital

The two leading Fairfax Media properties for decades were The Age and The Sydney Morning Herald. And didn’t advertisers know it.

Often referred to as ‘rivers of gold’, the spend on advertising in their voluminous publications was the stuff ad reps’ dreams are made of.

That was then. Now, both papers have been reduced to wafer thin tabloid-sized weekday editions with virtually no advertising and barely a page of classifieds or public announcements.

There could be no better demonstration of Fairfax’s fall from grace than the post AFL Grand Final edition of The Age. Made up of only 40 pages, 13 of which were sport, and carrying only two half page colour ads.

So how hard could it have been to get so few ads right? Apparently too hard. The Age ran an ad from Western Bulldogs supporters, University of Victoria, congratulating them on a fine season and a great effort despite not winning the flag.

Notice anything unusual? The Age’s ad department clearly did not.

One mistake isn’t the be-all-and-end-all, but it’s not just one mistake. Industry insiders tell us that there is a constant stream of similar mistakes that, in most cases, are only picked up once the client or agency puts in a call.

Fairfax has all but given up the ghost on print and, it would appear, allocated resources elsewhere. They are focussed on online content but even there questions abound. The content deal with the Huffington Post has opened them to the accusation of becoming nothing much more than ‘click-bait’ focussed. And the recently revamped online editions for the leading mastheads do little to disprove that theory.

Fairfax’s mismanagement of the transition to digital has left fertile ground for more agile competitors. Witness the arrival of The Guardian with a digital only Australian edition.

Companies and organisations are faced with an increasingly segmented media landscape. There is now a combination of online ‘broadcasters’ and digital ‘narrowcasters’ that businesses need to work with in order to get their messages through to their target audience. A ‘publish and pray’ media release will not do the job. Actually, it never really did.

It is a rapidly changing and evolving media environment and RMK+A harnesses its media expertise to continually review the risks and opportunities for its clients’ media engagement needs.