As the business world implements new technologies at an overwhelmingly accelerating pace and companies fiercely play “who’s more digital”, cybersecurity risks increase by the day. The US government has estimated that more than 4000 ransomware attacks have occurred daily since 2016, while Accenture’s recent Cost of Cybercrime Study found that cybercrime is costing organisations an average of $11.7 million per annum.
The abundance of such alarming statistics has prompted the World Economic Forum’s Global Risk Report 2018 to rank data breaches among the biggest risks for businesses, alongside environmental disasters. Just think about it: the disruption caused by hacks could be compared to hurricanes and earthquakes.
In the UK alone, 43% of businesses experienced a cybersecurity breach or attack in the last 12 months, as the government’s Cyber Security Breaches Survey 2018 found. More than two thirds (72%) of the stricken companies were large corporations – they identified an average of 12 attacks a year, most commonly via fraudulent emails. And worst of all, while 74% of all firms say that cybersecurity is a high priority for their senior management, only 27% have a formal cybersecurity policy in place.
One of the worst consequences of a data breach is the PR havoc which is likely to follow. Affected companies often do not have a well-prepared crisis management strategy and react inadequately, which could inflict irreparable harm to their reputation. The Forbes Insights report Fallout: The Reputational Impact of IT Risk pointed out that 46% of companies were left with damaged reputations and brand value after a breach.
It is no wonder that Ipsos MORI’s Reputation Council, a panel of senior corporate communication professionals, identified cyberattacks as the greatest threat to their company’s image. For nearly half of the panellists, data breaches are as harmful to a firm’s good name as poor product quality and staff malpractice, and the business journalists taking part in the council’s study expressed a similar sentiment.
Indeed, the majority of consumers would not use the services of a company which has been hacked. In a survey commissioned by fraud prevention company Semafone, 86.55% of respondents said that they were “not at all likely” or “not very likely” to enter into a relationship with a company after a data breach involving credit or debit card details. “These figures serve to underline what we should already know – that the reputational damage suffered by companies who fail to protect personal data can translate directly into a loss of business,” said Semafone’s CEO Tim Critchley.
Having a crisis management plan has become especially important for companies operating in the world’s largest single market – the EU, which recently implemented its notorious General Data Protection Regulation. Much ink has been spilt over GDPR, but in the case of crisis PR, one thing is of particular significance: the regulation’s Article 33 obliges companies to report a data breach to regulators within 72 hours of becoming aware of it. This means that you should already have a PR plan at hand and a clear idea of how to make use of the 72 hours you have left until journalists jump on you.
Hacks in the Spotlight
We surveyed the media landscape since the beginning of 2017 to determine which data breaches gained the largest media shares.
In September 2017, Equifax, one of the world’s largest credit agencies, disclosed that it fell victim to a massive cybersecurity attack. The hack, among the largest in history, compromised the data of 143 million customers, exposing their names, birthdays, addresses and Social Security and driver’s license numbers.
The company’s CEO Rick Smith said in a video statement: “Equifax will not be defined by this incident, but rather by how we respond”. It was precisely this response which caused a PR cataclysm: many commentators noted the ill-suited way the company handled the aftermath of the hack from a communication standpoint. Even though it became aware of the breach in July, it disclosed it in September – such a delayed reaction did much to undermine the trust of its clients, who rightfully felt that the firm had concealed important information about their data for several months. By the way, many of the firm’s high-level executives were also unaware of the breach.
There was also strong dissatisfaction with Equifax’s apology: many thought that the press release was too heavy on corporate jargon, impersonal and full of unclear phrases which might have served well for avoiding some legal proceedings but did not help with regaining customer trust at all. Instead, many journalists thought that it sounded as though the company was avoiding responsibility by using passive voice phrasing such as “were accessed” and “has been impacted”. And the enclosed statement by the CEO, which began with the words “protecting your data should have been our highest priority”, did not help.
Equifax’s response on social media also fell short. The day after the disclosure, the firm’s customer service account tweeted “Happy Friday! You’ve got Stevie ready and willing to help with your customer service needs today!” The ostensible cheerfulness was not well received by its followers, many of whom were still reeling from the news that they had become victims of identity theft. The post received many negative replies: for instance, one user tweeted: “Stevie, can you help repair my life your company just ruined?”
In addition, the company did not notify affected customers but launched a website where they could find out whether their data was exposed by entering part of their Social Security number – ironic, given the fact that these numbers were among the compromised data. “So why does your victim list require us to put in our SSN?” is an example of the responses on social media. “Why would we trust you with that ever again?” The press was equally critical. Brian Krebs, an influential reporter specialising in cybersecurity, wrote: “I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived.”
Another move which angered commentators was the new identity protection service Equifax offered for free. Its terms of service required customers to renounce their right to sue Equifax and file or join class action proceedings. Business publications also highlighted that the service was free for only a year, and that in this way Equifax had exploited its data breach as lead generation.
Better Sorry than Late
Uber experienced similar PR mishaps when it emerged that it lost 57 million drivers’ and customers’ details to cybercriminals and even paid the hackers $100,000 to keep them quiet. This was the strongest blow to the company’s reputation, outweighing the investigations into its anti-competitive practices, the issues with its London operating licence and the allegations of sexism.
The breach occurred in October 2016 and compromised email addresses, phone numbers, names and driver’s licenses. The then-CEO Travis Kalanick was briefed about the breach the following month, and when the news about the hack broke one year later, Kalanick’s successor, Dara Khosrowshahi, apologised and promised that the firm would not repeat its mistakes.
But he could not make up for the severe reputational damage inflicted by Uber’s attempt to keep the hack a secret. As security journalist Graham Cluley wrote: “You can ask forgiveness for being hacked, but many people will find it harder to forgive and forget if you deliberately concealed the truth from them.”
This came at a time when Yahoo was facing criticism for delaying the disclosure of its own data breaches. In December 2016, Yahoo announced that more than one billion user accounts had been affected as part of a cyber attack dating back to August 2013. Yahoo’s shares fell more than 6%, and its price was cut by $350 million when Verizon bought it. These financial consequences were to a large extent caused by Yahoo’s damaged brand.
It seems that most of the companies whose post-hack media coverage we surveyed made the same fatal mistake by announcing their cybersecurity problems too late. There is hardly anything which could shake consumer confidence more than the revelation that their personal details were up for grabs and they were not told about it. This could easily make anyone think that companies concealed their failings because they did not know how to fix them.
Demonstrating such a lack of basic ethical standards guarantees bad publicity, and it gets worse when you couple that with a lack of empathy towards consumers. When wording their responses, most corporates are so worried about exposing themselves to legal threats that they forget to address their clients in a simple, affectionate manner and to make a sincere apology which is directed not only at lawyers. A more personal and proactive approach would also be valuable on social media, which could be utilised to mitigate further reputational losses.
Many consumers are well aware that nowadays data breaches are something of a norm, and the news that somebody got hacked usually does not come as a great shock. But what can make a relatively common failure hard to forgive is inadequate communication. Companies tend to recover from data breaches and boost their IT security systems – and this looks like an easy task compared with finding their way out of a PR mess. Each organisation should have a pre-cooked crisis communication plan, in which timing, transparency and empathy play a key role.