A series of vague and apparently contradictory statements have marked Cathay Pacific’s public response to its recent data breach – the world’s largest airline data privacy incident.
While the extent of the damage to the company and its reputation remains unclear, the breach has been described by Cathay’s Chairman as ‘one of the most serious’ the airline has faced, and that its response would be ‘different’ tomorrow.
What can be learned from the airline’s fumbled response?
First, the backstory: late one evening Cathay acknowledges a ‘data security event’ affecting 9.4 million customers that it claims to have acted to contain ‘immediately’. A torrent of negative coverage and plenty of speculation about the state of the firm’s IT security quickly ensues. Journalists and customers complain that Cathay is not responding to phone calls or emails.
The following morning Cathay admits that it had been aware of suspicious behaviour on its network for a three month period starting March, prompting an avalanche of questions from worried customers and bemused regulators and politicians about why it had taken so long to inform its customers. CEO Rupert Hogg takes to the media and video to defend his firm.
Three weeks later, Cathay submits a statement (pdf) to Hong Kong lawmakers confirming the attack had intensified over a three month period and that it had known in August that passenger data had been accessed and/or stolen. Cue a third wave of hostile coverage, this time questioning the company’s honesty and transparency. Lawmakers accuse the company of orchestrating a cover-up.
(Business Traveller has a useful timeline of the incident).
Making inaccurate or inconsistent statements during a data privacy incident is easily done when facts are thin on the ground and the media is breathing down one’s neck.
Top data breach communications pitfalls
Based on my experience, here are the top five communications mistakes organisations make when responding to a data breach – the first and most damaging of which is zero communication:
- Concealing a breach. Until recently, most data breaches were not made public. GDPR and other data privacy laws now mean organisations must notify those impacted and the relevant authorities about a breach. Yet some will try to bury it from public view. As Uber and Yahoo! can testify, a cover-up is seen as worse than the breach itself. Substantial fines may appear a good deterrent to concealment, but research shows the longer-term reputational damage can be more significant.
- Confirming a breach too slowly. Cathay Pacific took three months to delay formal notification in order to contain the attacks and to determine what data had been lost and who has been affected. But organisations in many jurisdictions are now obliged to notify regulators quickly, and customers now expect to be informed quickly, and view organisations that are seen to move too slowly as unprofessional, clueless, or with something to hide.
- Providing inaccurate facts or data. Cathay Pacific may have waited until it was sure of the facts and numbers, yet many organisations now quickly go public about a breach to meet their regulatory obligations, or under pressure from a third party, and then have to revise their statements as the facts become clear (eg. Dixons Carphone revising upwards the number of records involved in its 2017 data breach from 1.2 million to 10 million). This creates additional negative news cycles, and creates a perception of amateurism at best and willful obfuscation at worst.
- Downplaying a breach. It is tempting to claim that the sensitivity and scope of the data and systems involved in a breach are limited, or that the impact on the company and those affected is minimal. But such statements can easily come undone as the full extent of the intrusion comes to light, leaving you looking irresponsible or worse.
- Providing inadequate media support. Cathay chose to push out its bad news late in the evening and send its teams home. But little irritates journalists more than an unmanned or unresponsive management or communications team, and senior executives unable or unwilling to provide a human face to something that has already been confirmed publicly by the company.
Every organisation is advised to avoid these pitfalls wherever possible.
Cathay’s CEO may have promised the airline would respond differently to future breaches, but he did not elaborate how.
Notifying regulators and customers more quickly is an obvious starting point. Careful thought must also be given to the openness, transparency, tone, consistency and ownership of one’s statements, amongst other factors.
My next post will set out data breach communications best practices.