So you’ve had a data breach. Don’t worry, it’s not just you. These days it happens to everyone, no matter how large or small your company is. It’s almost inevitable, some might say, and not a case of if but when.
A lot is already out of your control. Whether a hacker broke in and stole customer data or someone on staff left a cloud server exposed without a password, the incident alone is bad enough. But then you’ll also face a stream of headlines, flack from your customers, and endless tweets and social media posts. Trust will invariably suffer, your brand will hurt, and recovery seems like a million miles away.
But as breaches become more commonplace, few companies remember the actual incident itself — or even the number of users or customers affected. No matter what kind of security incident you’re thrown into, what happens afterward is how you will be remembered.
Get it right, you can save face. Get it wrong, and you’ll never live it down. Here’s what not to do when you have a data breach.
Don’t try to cover it up
Two words: Own it.
Full disclosure is as important for your company as it is for your customers. Assuming — as is often the case — that customer data has been stolen, you need to tell your customers. People will need to take proactive measures to protect themselves, like getting new credit cards, changing their passwords, or even deleting their accounts. Companies also have to comply with a range of laws and regulations — from Europe’s GDPR to California’s incoming privacy law and every U.S. state’s data breach notification rules.
A lot of information will be coming out — from researchers to reporters — and owning it will help you take control of the situation.
“During security incident response activity, especially when a data breach is involved, companies tend to feel an immediate urge to obfuscate the core issue, blame the messenger, bury news of the incident, and generally sweep the whole thing under the rug,” said Chris Vickery, director of cyber risk research at security firm UpGuard.
Vickery, who has found countless sets of exposed data over the years, said it’s better to deal with an incident while it’s fresh. If it’s not dealt with at the time, an incident can have a material impact when there is a management change or your company gets bought. Just look at the Yahoo-Verizon deal, which saw Verizon (which owns TechCrunch) knock $350 million off the buying price for Yahoo after two major data breaches were revealed during the acquisition process.
“More and more often these kinds of situations are being dredged up during the due diligence investigation phase of large mergers and acquisitions,” said Vickery. “You don’t want to be further explaining a data security incident months or years down the line to a potential acquirer whose confidence in your answers could shave a few zeros off the end of a proposed sum.”
Yet another example came when, in 2018, Marriott said its Starwood subsidiary’s guest database was hacked as far back as 2014. The revelation sent investors scrambling to understand how Marriott missed this massive data theft during its merger proceeding in 2016. Marriott ended up landing a $123 million fine from U.K. authorities for a breach that happened long before the merger.
“Be upfront when the incident happens, be straightforward,” said Vickery. “Put out the kinds of information and statements that fully answer the issues at hand not only during a crisis, but will still answer, and allay, concerns months down the line to anyone who may only at that point have questions,” he added.
It’s better to admit fault than get caught later — and you will.
Don’t hide, obfuscate, or lie (seriously, don’t lie)
Image via Getty Images / zimmytws
Companies — particularly larger startups — will do anything they can to minimize the damage from a breach, and that can include pulling some dirty tricks.
You might be surprised at how often it happens. Whether it’s deliberately hiding the breach, lying to customers, or just staying schtum and leaving everyone else to wonder.
As someone who has covered data breaches for years, there have been countless times a company has failed to take responsibility or threatened to sue. One job recruitment company that recently left one of its user databases online without a password launched into a tirade on the phone, denying a data breach and threatening to sue if we reported it.
After we provided a portion of the data, the company’s chief executive admitted the security lapse.
StockX is a great example of not how to handle a data breach. We received word that the apparel trading site had sent out a password reset email claiming it had undergone “system updates.” Days later, we obtained a portion of the company’s user data. We verified the findings and confirmed the company had been hacked.
Yet the company continued to ignore our emails. It was only after we published the news that the company admitted it had a data breach. Users were rightfully angry — not at the breach itself but at what some described as a cover-up.
Not being open and transparent with your users hurts them — and it can turn into a regulatory nightmare for your company.
Don’t say you were hacked if you weren’t hacked
Security incidents can be varied and complicated.
There are some distinctions between a breach and an exposure. Exposures happen when data is left unprotected or online without a password, allowing anyone to find it. Breaches often involve breaking through one or multiple layers of security.
In other words, breaches are typically caused by someone outside of the company.
But some companies like to play the blame game even when it’s their own fault. Why? It makes them look less culpable for a security lapse of their own doing.
Don’t play the blame game, says Emily Wilson, vice president of research at Terbium Labs.
“Businesses need to understand that most consumers aren’t going to care about how the breach happened. It happened, and in many cases, that’s all the consumer will remember,” she said.
“Lying about the cause is only going to reflect poorly on the business, especially when the breach makes headlines for the second (or third) time because an enterprising security researcher discovers that your lies don’t add up – and they will discover it,” she added.
Don’t downplay your breach
After a breach, it’s all too natural to want to carefully craft your message to your users and customers to salvage your brand. It’s normal to involve your public relations and marketing teams, but their job is to protect the company, not the customers.
That’s where some companies find conflict. Where is their loyalty? To their customers or to their brand? One way guaranteed to anger your users or customers is to minimize the impact.
Look at the recent Capital One breach, which had customers steaming with anger after the credit card giant declared a data breach. Its website, titled “Facts,” initially said in bold that “no bank accounts or Social Security numbers were compromised,” other than 140,000 Social Security numbers and 80,000 bank account numbers.
The irony, in this case, is that the use of public relations to massage the company’s messaging ended up blowing up in its face.
“Consumers care about what comes next, about understanding how the breach impacts their day-to-day lives, and how you’re going to keep them safe going forward,” said Wilson. “That means being honest about what information was accessed, and what you know about whether that data was exfiltrated.”
“Avoid, at all costs, the urge to downplay the value of the information exposed; be honest, be candid, provide consumers with an accurate summary of the potential fallout from this data compromise, and, above all else, be open about what you don’t know,” she said. “The only thing worse than issuing a vague statement with misleading information is having to issue a series of corrected statements, all while defending your earlier choices to avoid or delay the harsh reality of the situation.”
“Obfuscation is a temporary solution. Just don’t,” she said.
John Wethington, a security researcher with experience in finding exposed data, said a company’s messaging can rebuild customer trust or plunge it into further turmoil.
“Public relations and marketing have two critical things in common. First, they deliver messages as the spokesperson for your organization. That means they are your first and often your only chance at being honest and transparent,” he said. “If they are seen as being anything but that, you’ll lose customers and you could be inviting regulatory scrutiny at a higher level,” he added.
“The truth always comes out. It’s up to you whether or not it comes from you or someone else,” he said.
Don’t make your users do the hard work
After an incident, companies have to communicate what happened but also what customers should do. Some companies do it better than others.
Marriott’s handling of the Starwood data breach caused ire. The hotel giant sent out emails to affected users from an email address not associated with the company. Unsurprisingly, many were confused and some assumed the worst — that it was a scam. Security researchers filled in the company’s flaw-ridden response plan at their own expense to try and protect users from scams.
And when DoorDash revealed its breach, the company told users to change their passwords rather than issuing a password reset for all users.
“This is an opportunity to not screw it up, because people will take notice of how you respond when the spotlight is on you,” said Wilson. “Treat your customers and your employees the way you’d want to be treated, which takes a heady — and often missing — blend of honesty, integrity, and humility.”
“Try to be the company who gets it right, who is willing to own their mistakes and stand by their situation. Ownership goes a long way in stabilizing a company’s legacy going forward,” she said.