The experience of famous cyber-attacks affecting large corporations tells us that reputation is a highly relevant part of their intangible assets, and one that may be compromised by such events. In this respect, crisis communication is a critical element of an effective recovery, especially in the wake of major data breaches affecting sensitive information of customers and stakeholders. Although recovery from an attack always implies a strong focus on the technical measures needed to restore the availability, integrity and confidentiality of the stolen data and to ensure business continuity, the strategy for communicating with the general public and with the company's customers plays a crucial role, and is always at risk of being underestimated. Companies and institutions cannot remain silent after an attack and should not attempt to minimize the consequences of data breaches, even if they are not yet sure of the magnitude of the attack they have suffered.

A famous story of late disclosure of a cyber-attack is that of the pioneering Internet service provider Yahoo, which announced only in 2016 a data breach, affecting over 500 million user accounts, that had occurred at the end of 2014. Even worse, a separate data breach had happened earlier, in August 2013, but was reported by the company only in December 2016. The larger attack was initially believed to have affected over 1 billion user accounts; in October 2017, it came out that all 3 billion Yahoo user accounts active at the time had been impacted in some way by the attack. These breaches concerned data such as names, email addresses, telephone numbers, dates of birth, security questions and answers, and passwords. By their size, these attacks are considered the largest ever discovered in the history of the Internet. Despite this, Yahoo customers were informed years after the breaches had actually occurred, and many cases were reported of clients discovering that their data were being sold on the dark web, with no notification at all from the company. Among the most severe consequences of the late disclosure of the attack was a drastic cut in the price that the American telecom corporation Verizon agreed to pay when acquiring Yahoo in 2017.

Another striking case was that of the Target Corporation, one of the largest department store retailers in the United States, whose vendor's network and Point-of-Sale (PoS) machines were infected by hackers at the end of November 2013. The attack exposed nearly 40 million debit and credit cards to fraud, and over 70 million records of personal information were stolen, including names, PIN numbers, and banking information. Although the actions taken by Target over the years to recover from the short- and long-term consequences of the attack are reported as good practices in the history of data breaches, the corporation's initial reaction in terms of communication with the public was inadequate. The first signs of the attack were already detected on the 27th of November 2013, but no specific reaction was put in place until the company was contacted by the Department of Justice regarding suspicious activities involving debit, credit and ATM cards that had been used in Target stores. At that moment, with the Christmas shopping season close to its peak, the company decided to hire external professionals to perform a forensic investigation into the matter, but did not disclose any official information about the attack to the media. The first public statement on the matter arrived only on the 19th of December, the day after an independent security researcher and blogger, Brian Krebs, posted some information regarding a possible breach of the Target network. The statement was in fact a rather late attempt to defend the reputation of the company towards its customers:

"Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores. Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue.
(…) Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause." (…) "We take this matter very seriously and are working with law enforcement to bring those responsible to justice."

In fact, a large number of customers had actually learnt about the breach from the media rather than from the company. As a result, many negative accounts of Target's customer service were already flooding social media, making the corporation's subsequent effort to restore the confidence of its clients much harder.

It is worth noting that adequate communication strategies in the cyber-security field have now become necessary also as a result of the introduction of the new General Data Protection Regulation (GDPR) in Europe. According to the GDPR, companies storing large datasets of customers' sensitive information are obliged to notify any data breach incident within 72 hours of its discovery. Art. 83 of the Regulation has introduced specific administrative fines for any failure to notify the competent authorities within this timeframe. By making the public disclosure of data breaches mandatory, these new obligations are a strong incentive for companies to plan solid communication strategies that minimize the reputational damage that may derive from a cyber-attack.

The problem of planning effective communication strategies is a well-known one in the crisis management and resilience engineering literature, where the topic has been addressed in contexts other than cyber-security. Public institutions and companies dealing with the management of a crisis should pay particular attention to aspects such as:

  • Being able to manage different communication channels;
  • Making sure to have the necessary in-house competences to manage these channels, with special reference to social media;
  • Ensuring clarity and accessibility of the communication;
  • Communicating in a way that fosters acceptance and trust among the general public;
  • Preventing the spread of misinformation through non-official communication channels;
  • Ensuring adequate capabilities to listen to and collect feedback from the public.

Examples of guidelines concerning communication strategies for interacting with the public have been developed in the context of the H2020 DARWIN project, which deals with Resilience Management Guidelines for Critical Infrastructure Organizations. They have been made available on a Wiki platform addressing several business continuity topics, including the guidelines for communication with the public.

Not providing information, or not communicating properly, during a crisis may not only expose companies to fines under the GDPR, but also lead to reputational damage, and therefore economic loss, for companies worldwide. Best practices for crisis communication and compliance with the GDPR will be a topic of our next workshop on "Insurance in Cyber-security", to be held in March in Milan (Italy): keep following us for updates.


This article has been written by project member Deep Blue. Deep Blue is a company specialised in human factors, focused on improving performance, safety and dependability within companies, whose analysts, trainers and experts solve the world's most complex human-machine interaction problems with rapid return on investment.