If your organisation had just lost sensitive information on 9.4 million people, how would you describe what had happened?
Well, Cathay Pacific’s CEO Rupert Hogg chose to define it as a ‘data security event’.
That sounds more like an invite to some cosy, industry-wide, data security conference than an appropriate way to announce what is reported to have been the biggest data loss in aviation history.
To put what has happened into perspective, when British Airways found itself in the media spotlight last month for losing data, there were around 380,000 affected customers.
If the Cathay Pacific data breach was an ‘event’, then what happened to BA must have been a complete non-event. Yet BA described its incident at the time as a ‘sophisticated, malicious attack’.
The Hong Kong airline, on the other hand, seems to have been trying to play down the crisis.
The breach was announced in very low-key fashion on its Twitter account. It simply said: “We have discovered unauthorised access to some of our passenger data. For Data Security Event support, please DM @cxinfosec for assistance.”
We have discovered unauthorised access to some of our passenger data. For Data Security Event support, please DM @cxinfosec for assistance.
— Cathay Pacific (@cathaypacific) October 24, 2018
9.4 million?! And THAT tweet is how they tell people. 🙄
— Peter (@peterc83) October 24, 2018
Despite the lack of a link in that post, there was much more information on its website. And the creation of a dedicated ‘event’ website with a lengthy question and answer section was a good crisis communications move.
But again the language was weak. Take the apology from Mr Hogg on the website for example. He said: “We are very sorry for any concern this data security event may cause our passengers.”
That doesn’t sound particularly genuine or heartfelt. And it bears a horrible resemblance to the vague ‘sorry for any inconvenience’ apologies you get on late-running trains.
When the names, nationalities, passport numbers, dates of birth, email addresses and home addresses of customers were included in the hack, you can be certain that at the very least there is cause for ‘concern’. In fact, you would imagine those customers face a particularly worrying time as they wonder how their stolen data might be used.
It should be said that there are other parts of the statement which are good. There is some evidence of the action the airline had taken with talk of a ‘thorough investigation’ with the assistance of a leading cyber security firm and a strengthening of its IT measures.
And I like that it said it was in the process of contacting affected passengers and that the quotes came from the CEO – suggesting the issue is being led from the top.
We also learnt in the statement that the airline ‘acted immediately’ to address the threat.
But that immediate action did not extend to letting its customers know. The airline first became aware of suspicious activity on its network back in March, some six months earlier, and confirmed there had been unauthorised access to certain personal data in early May.
Unsurprisingly, information about this delay was not included in the statement, but was later confirmed by Paul Loo, the airline’s customer and commercial officer. He said the company had wanted to have an accurate grasp of the situation before making an announcement and did not want to ‘create unnecessary panic’.
Six months feels like an awfully long time to do that, and there could be GDPR repercussions: where EU residents’ data is involved, the regulation requires the supervisory authority to be notified within 72 hours of the organisation becoming aware of a breach, and affected individuals to be told without undue delay where the risk to them is high. But the delay also breaks one of the golden rules of crisis media management – communicate quickly.
Greatly appreciate @cathaypacific for letting us know SEVEN months after the security breach when all of our personal info could have been compromised...it shows complete disregard and disrespect of customers' safety and security...outrageous...unacceptable...
— Dominic W (@dommywalker) October 25, 2018
Only after 7 months do you consider it necessary to email me about this????? Sorry but you need a big fine. Not for the actual data breach but for keeping affected people in the dark for so long
— Cmdr ButtFace (@GaryPacker3) October 26, 2018
You leak usernames and passwords for 9.4 Million users and it took 7 months for you to inform anyone? This should be criminal.
— Kevin Campbell (@kevcampb) October 25, 2018
Why didn’t you notify customers sooner?
— ❔Quietly Curious Ⓥ (@quietlycurious) October 26, 2018
Even if you don’t immediately know the full impact of an issue, it is important to make customers aware and show them you are working to resolve the problem. Customers deserve to know even if there is the slightest risk.
Acting slowly, on the other hand, will cause a loss of trust. It can also leave organisations open to accusations of trying to cover up the breach.
And that is reflected in some of the media coverage, with many articles opting to focus on the delay:
Cathay Pacific waits months to reveal it was hacked (The Times)
Shares nosedive and questions mount over delay as Cathay Pacific admits huge data leak (Hong Kong Free Press)
Questions mount over 5-month delay for CATHAY Pacific to admit huge data leak (The Straits Times)
Cathay Pacific took 7 months to alert passengers to massive data leak. Why? (South China Morning Post)
Data breaches are an increasingly common cause of crisis media management incidents. It feels like barely a day goes by without one being reported.
And it is notable that the BBC has recently taken the decision to appoint its first dedicated cyber security reporter – a move which suggests we are only going to see more of this type of story.
Installed in my new newsroom! Day 1 as the BBC’s first dedicated Cyber Security Reporter. Looking for things to investigate worldwide around cybercrime, hacking, data handling and internet safety. Get in touch! (Encrypted channels coming ASAP). pic.twitter.com/RzomCPZGEs
— Joe Tidy (@joetidy) October 22, 2018
So what do organisations need to know about managing the media in the event of a data breach?
Prepare
The starting point is to have a specific crisis media management plan. You should have an overall crisis communication plan, but dealing with a crisis caused by a fire, industrial accident, product recall or power failure is very different to managing one caused by a cyber-attack. Although some of the principles will be the same, in a cyber-incident it is likely to be harder to determine exactly what you are dealing with. Breaches are often first reported by people outside the organisation, immediately putting organisations in a reactive position.
Respond promptly
Once it is clear your organisation has become a victim of a cyber-attack, it is crucial you respond promptly to the incident to show you are aware of the issue. Even if there is little you can say at that point, it is important you confirm there is an issue and that your customers know you are working to understand and resolve the problem. This will help to position you as an authoritative source of information and help prevent rumours and conjecture.
Choose the right spokesperson
Think carefully about the spokesperson you want to put up in front of the media. Many organisations will default to their CEO in a time of crisis, but does your CEO know enough about IT security to get your messages across and withstand potentially hostile questions? Do you want to expose their lack of expert knowledge?
It needs to be someone senior, so perhaps the IT Director would be a better option. It is crucial your spokesperson comes across as both credible and knowledgeable. They need to have previous media experience and to have recently been on a media training course.
One voice
This does not mean you should only use one spokesperson – if media interest in the incident continues over a number of days you will need more. But you need to ensure that your spokespeople deliver the same message.
Apologise
If customer data has been compromised you need to start your media responses and interviews by apologising. Be sincere and human and show your customers they are uppermost in your thoughts.
Blame
Don’t make excuses or blame others, such as third-party suppliers, in your media work. You are responsible for selecting these suppliers and working for the best interest of your customers. Blaming others also suggests controlling the incident and preventing it from happening again is out of your hands. Own the issue and take responsibility.
Informed
Keep customers informed both through direct communication and through the media, and communicate regularly, so they continue to see you as the main source of information throughout the crisis. Ensure you are open and honest with them. Use the same channels as your customers. If your customers are asking questions on Twitter, for example, it’s important you also use that channel.
Media interest
Be aware a journalist could contact anyone in your organisation for information about the attack. Make sure your employees know where to direct any media interest and are properly trained.
Test and test again
Make sure that everyone involved in your business continuity plan has taken part in a recent crisis simulation exercise. This should include the communications and media team as well as all relevant media spokespeople. If you would like Media First to help with this then you can contact us.
Find out more about preparing for a crisis by downloading our free crisis media management eBook. It includes a guide to helping you identify the right spokesperson, messaging templates and a risk register to help you identify your organisation’s vulnerabilities.
Media First are media and communications training specialists with over 30 years of experience. We have a team of trainers, each with decades of experience working as journalists, presenters, communications coaches and media trainers.