Airline breaks golden rule of crisis communications

If your organisation had just lost sensitive information on 9.4 million people, how would you describe what had happened?

Well, Cathay Pacific’s CEO Rupert Hogg chose to define it as a ‘data security event’.

That sounds more like an invite to some cosy, industry-wide, data security conference than an appropriate way to announce what is reported to have been the biggest data loss in aviation history.

To put what has happened into perspective, when British Airways found itself in the media spotlight last month for losing data, there were around 380,000 affected customers.

If the Cathay Pacific data breach was an ‘event’, then what happened to BA must have been a complete non-event. Yet it described the incident at the time as a ‘sophisticated, malicious attack’. 

The Hong Kong airline, on the other hand, seems to have been trying to play down the crisis.

The breach was announced in very low-key fashion on its Twitter account. It simply said: “We have discovered unauthorised access to some of our passenger data. For Data Security Event support, please DM @cxinfosec for assistance.”

 

 

Despite the lack of a link in that post, there was much more information on its website.  And the creation of a dedicated ‘event’ website with a lengthy question and answer session was a good crisis communications move.

But again the language was weak. Take the apology from Mr Hogg on the website, for example. He said: “We are very sorry for any concern this data security event may cause our passengers.”

That doesn’t sound particularly genuine or heartfelt. And it bears a horrible resemblance to the vague ‘sorry for any inconvenience’ apologies you get on late-running trains.

When the names, nationalities, passport numbers, date of birth, email and home addresses of customers were included in the hack, you can be certain that at the very least there is cause for ‘concern’. In fact, you would imagine they face a particularly worrying time as they wonder how their stolen data might be used.

It should be said that there are other parts of the statement which are good. There is some evidence of the action the airline had taken with talk of a ‘thorough investigation’ with the assistance of a leading cyber security firm and a strengthening of its IT measures.

And I like that it said it was in the process of contacting affected passengers and that the quotes came from the CEO – suggesting the issue is being led from the top.

We also learnt in the statement that the airline ‘acted immediately’ to address the threat.

But that immediate action did not extend to letting its customers know. The airline first became aware of suspicious activity on its network back in March – some six months ago – and confirmed there was unauthorised access to certain personal data in early May.

Unsurprisingly, information about this delay was not included in the statement, but was later confirmed by Paul Loo, the airline’s customer and commercial officer. He said the company had wanted to have an accurate grasp of the situation before making an announcement and did not want to ‘create unnecessary panic’.

Six months feels like an awfully long time to do that and there could be GDPR repercussions. But it also breaks one of the golden rules of crisis media management – communicate quickly.

 

 

Even if you don’t immediately know the full impact of an issue, it is important to make customers aware and show them you are working to resolve the problem. Customers deserve to know even if there is the slightest risk.

Acting slowly, on the other hand, will cause a loss of trust.  It can also leave organisations open to accusations of trying to cover up the breach.

And that is reflected in some of the media coverage, with many articles opting to focus on the delay:

 

Cathay Pacific waits months to reveal it was hacked (The Times)

Shares nosedive and questions mount over delay as Cathay Pacific admits huge data leak (Hong Kong Free Press)

Questions mount over 5-month delay for Cathay Pacific to admit huge data leak (The Straits Times)

Cathay Pacific took 7 months to alert passengers to massive data leak. Why? (South China Morning Post)

 

Data breaches are an increasingly common cause of crisis media management incidents. It feels like barely a day goes by without one being reported.

And it is notable that the BBC has recently taken the decision to appoint its first dedicated cyber security reporter – a move which suggests we are only going to see more of this type of story.

 

 

So what do organisations need to know about managing the media in the event of a data breach?

 

Prepare

The starting point is to have a specific crisis media management plan. You should have an overall crisis communication plan, but dealing with a crisis caused by a fire, industrial accident, product recall or power failure is very different to managing one caused by a cyber-attack. Although some of the principles will be the same, it is likely that in a cyber-incident it will be less easy to determine exactly what you are dealing with. Breaches are often reported by people outside the organisation, immediately putting organisations in a reactive position.

 

Respond promptly

Once it is clear your organisation has become a victim of a cyber-attack, it is crucial you respond promptly to the incident to show you are aware of the issue. Even if there is little you can say at that point, it is important you confirm there is an issue and that your customers know you are working to understand and resolve the problem. This will help to position you as an authoritative source of information and help prevent rumours and conjecture.

 

Choose the right spokesperson

Think carefully about the spokesperson you want to put up in front of the media. Many organisations will default to their CEO in a time of crisis, but does your CEO know enough about IT security to get your messages across and withstand potentially hostile questions? Do you want to expose their lack of expert knowledge?

It needs to be someone senior, so perhaps the IT Director would be a better option. It is crucial your spokesperson comes across as both credible and knowledgeable. They need to have previous media experience and to have recently been on a media training course.

 

One voice

This does not mean you should only use one spokesperson – if media interest in the incident continues over a number of days you will need more. But you need to ensure that your spokespeople deliver the same message.

 

Apologise

If customer data has been compromised you need to start your media responses and interviews by apologising. Be sincere and human and show your customers they are uppermost in your thoughts.

 

Blame

Don’t make excuses or blame others, such as third-party suppliers, in your media work. You are responsible for selecting these suppliers and working for the best interest of your customers. Blaming others also suggests controlling the incident and preventing it from happening again is out of your hands. Own the issue and take responsibility.

 

Informed

Keep customers informed both through direct communication and through the media, and communicate regularly, so they continue to see you as the main source of information throughout the crisis. Ensure you are open and honest with them. Use the same channels as your customers. If your customers are asking questions on Twitter, for example, it’s important you also use that channel.

 

Media interest

Be aware a journalist could contact anyone in your organisation for information about the attack. Make sure your employees know where to direct any media interest and are properly trained.

 

Test and test again

Make sure that everyone involved in your business continuity plan has taken part in a recent crisis simulation exercise. This should include the communications and media team as well as all relevant media spokespeople.

 


 

Media First are media and communications training specialists with over 30 years of experience. We have a team of trainers, each with decades of experience working as journalists, presenters, communications coaches and media trainers. 
