Data breaches can almost feel like an everyday occurrence at the moment, but the one which affected Capital One this week was massive.
The personal details of about 106 million people across the US and Canada were stolen in a hack.
That data included names, addresses, phone numbers, bank account details and social security numbers.
The breach, which has led to an alleged hacker being arrested, is believed to be one of the largest in banking history and plunged the financial services firm into crisis media management mode.
Capital One data breach impacts millions City News Toronto
Capital One information hacked in massive data breach Time
Capital One bank face security concerns after massive data breach caused by ‘amateur’ lone hacker Daily Mail
Capital One data breach affects 106m people Financial Times
Its response, however, has been mixed.
Let’s start with the good.
One of the best parts of its statement is the quote from CEO and chairman Richard D Fairbank.
It came high up in the response and displays empathy, contrition and visible leadership. It sounds sincere and shows an understanding of the severity of what has happened and the impact it will have on customers.
He said: “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened.
“I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
On our crisis media management courses, we discuss the importance of organisations using their crisis responses to show what action they are taking to tackle the issues and make things better for their customers.
And there were some examples of that here. The company promised to notify all those who have been affected and will provide them with free credit monitoring and identity protection.
There is also a detailed question and answer section in the statement which may tackle some of the questions from affected customers.
But it is not all good.
One of the parts which stood out for me was just how incredibly wordy the statement is. And it appears to have been written by the legal department rather than anyone in comms.
Take the opening line for example. It says: “Capital One Financial Corporation announced today that on July 1, 2019, it determined there was unauthorized (SIC) access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.”
It went on to talk about fixing “the configuration vulnerability”. Hardly plain English.
And worse was to follow, as some of the statement is also bizarrely contradictory and can easily be seen as an ugly attempt to spin or play down the significance of the incident.
It boldly claims that ‘no bank account number or Social Security numbers were compromised’, before adding a pretty hefty clause which says 140,000 Social Security numbers and 80,000 bank account numbers were in fact compromised. Additionally, one million Canadian Social Insurance Numbers were also compromised in the incident.
Was it hoping that people would only read the ‘no bank account number or Social Security numbers were compromised’ part of that sentence?
That sentence should really read ‘bank account numbers and social security numbers were compromised’ to create the transparency and honesty brands should strive for when managing a crisis.
I’m lost at this spin in wording “no bank accounts compromised” aside from 80 THOUSAND bank account numbers that were compromised. Hire a better PR team @capitalone, especially if you’re going to try lie! 🙄 #databreach #holdaccountable pic.twitter.com/l6RrDPjFE2
— James Allnutt 🔸 (@JamesAllnutt94) July 31, 2019
no accounts were compromised except for the 220,000 that were.
— jyochiro sanzuki 💜💛🌹 (@Jyolteon) July 31, 2019
what the hell kind of framing is this, @CapitalOne? pic.twitter.com/ef8IhdeynH
I’m crying laughing at this press release from Capital One 😭😭😭 pic.twitter.com/m50XAnLI1k
— Spencer Dukoff (@SpencerDukoff) July 30, 2019
Really @CapitalOne ? This is some shady communication. #capitalonebreach pic.twitter.com/jYOBgGMCyA
— ca (@flapjack_father) July 30, 2019
Capital One: “No information was compromised, other than all the information that was compromised” pic.twitter.com/37s2fX0yPR
— Phillip Caudell (@phillipcaudell) July 30, 2019
After this breach it may be time for Capital One to replace its ‘what’s in your wallet’ slogan with ‘who’s been in your wallet’.
Media First are media and communications training specialists with over 30 years of experience. We have a team of trainers, each with decades of experience working as journalists, presenters, communications coaches and media trainers.