How to Respond if You Learn Your Organization is the Victim of a Cyberattack, Data Security Breach, or Other Information Security Crisis
Based on how the biggest hacks and breaches have been handled by affected organizations and the responses (on social media and in the media) to their crisis management efforts.

Security breaches come in many different types. Public reactions to them vary almost as drastically, and have changed dramatically over the past few years. The trends can be seen easily on social media, and this article seeks to understand what these reactions were and what might have been the underlying causes of those reactions.
Based on the list included below, social media’s reaction to a hack depends on a few factors.
1. Who/what organization was hacked (and their reputation)
2. Who the hackers were (if known)
3. What data was accessed or stolen by the hackers
4. How the announcement/aftermath were handled
Who gets the strongest criticism/hate from their constituents, and why?
Generally, people seem to be most upset when organizations that are based online or deal in technology or information security get hacked, or when organizations like banks, hospitals, or government institutions (ones that are seen as very secure and hold sensitive personal information or money) are hacked.
This may be partially due to the fact that the first group are seen as experts in the field, and if they can be breached, it makes people feel unsafe. In the second group, it seems to be more about trust. This can be seen in the JP Morgan response, the Community Health Systems response, and the Australian Immigration department’s case. Institutions that people trust with their personal data are particularly susceptible to negative public responses, and are also high-priority targets because of the valuable information that they possess.
I also observed that people were more upset/angry with organizations that already have bad reputations in the public sphere. This is well illustrated by Uber and JP Morgan’s situations — in which it was clear there was no sympathy from the public or the media for these companies. Users were more satisfied with JP Morgan’s response to their hacking, probably because people got their money back, while Uber seems to be having issues with customer data security and with being responsive regarding its hacking issues, which have impacted both their drivers and customers.
Possession of sensitive information is also key. The pressure on a company quickly becomes more intense if someone’s health records or social security number are accessed than if their Neopets account password is stolen, for example, and the social media reactions to the breaches reflect this fact as well.
Another key factor is the announcement and customer service in the wake of a breach. Done poorly, it can cause the situation to spiral out of control. The standard, bare-bones response at the moment seems to be a press release that details what happened and what is being done to fix it, as well as advice for customers on how to proceed if they believe they are victims of the hack.
The best companies go much further and create comprehensive customer service systems to aid the victims, and make sure all their needs are met in a timely manner. Target, for example, found out that this needs to be done quickly and accurately, and that you cannot underestimate the severity of a breach in your initial announcement (they weren’t forthcoming about the scale of their hack and took a reputational hit on the chin as the crisis deepened), or consumers will be angrier with you than if you had just admitted to a bad security breach in the first place.
Possible Lessons for Cyber Crisis/Best Practices:
- Announce the breach as quickly as possible without underestimating its severity — be both timely and accurate. When discussing the impact, keep your estimates HIGH — in the long run, it is better to say later, “we have good news, the breach was only __” versus having to say “we have bad news, the breach impacted an additional X accounts.”
- Create a comprehensive customer service system — including a page online addressing the breach, an FAQ area, and a hotline for people to call if they have other questions (one that is functional and gets people’s issues solved quickly). The page should be announced on every social channel possible, multiple times, to make sure that it is ubiquitously announced/known about by all customers.
- Provide protection for your customers in the aftermath — give them a free identity protection/monitoring service for ~2 years after the hack occurs. This will help them feel safer, and also keep you informed about how the stolen data might be used.
- Work tirelessly to understand what went wrong. Work with law enforcement and other experts to deeply understand what errors were made, own up to the errors, publicly, and SHOW what you’re doing to fix them. Make sure that you are not seen as the organization that didn’t do enough to help its constituents in a time of need.
- Seek to be preventative — make sure all employees are well-versed in safe internet use and not likely to click suspicious links or contribute to the possibility of a network breach. Often, stupid human errors are the sources of the largest cyber attacks. In addition to having top-class professionals handle your security, you have to make sure that your average workers aren’t letting hackers in the back door.
List of Data Breaches/Hacks and Quick Summaries of Social Media Responses:
World’s Biggest Data Breaches (selected losses greater than 30,000 records): www.informationisbeautiful.net
Biggest Hackings in the Past year and Public Responses:
April 26th, 2016: Minecraft
What the Response Has Been:
Players are upset, but it doesn’t look like a real threat to the company, which is massive. Users will have to change their account logins, and are advised to change any other accounts with the same passwords.
April 9th, 2016: Syrian Government Hacking
What the Response Has Been:
Some have celebrated the attacks, while others are more ambivalent because most of the data is older. The team is anti-ISIS and anti-Assad, so doesn’t have allies in either of those online camps. The activists claim to be on the side of the Syrian people, which is probably the most publicly popular alignment claim in this particular conflict.
April 8th, 2016: National Childbirth Trust
https://thestack.com/security/2016/04/08/childbirth-charity-hack-leaks-15000-expectant-parents-data/
This attack has been roundly condemned, but also exposes the fragile security that many healthcare firms are currently guilty of possessing, and the risks for users as well.
April 7th, 2016: Panama Papers/Mossack Fonseca
What the Response Has Been:
While investigations are still ongoing, this is one of the biggest and most important data breaches. Journalists are still digging for new names and figures that will be named, and a few casualties have already been claimed by the leak. Many rich and powerful people are at risk, and it is likely that it will lead to lawsuits and the downfall of many more.
http://panamapapers.sueddeutsche.de/articles/56febff0a1bb8d3c3495adf4/
April 6th, 2016: Philippine Commission on Elections
What the Response Has Been:
Elections have already been tense, but this has only heightened the tension in the country. The authorities arrested a second man in connection with the hack on April 29th. It has been cited in the press there as further evidence that there is a growing need to prioritize cyber security on systems worldwide.
March 24th, 2016: Verizon
What the Response Has Been:
Bloggers and journalists have both been aggressive in their criticism of Verizon — which should probably have stronger security than this breach showed, though they did clean it up fast. However, Verizon and most telecommunications companies have such poor customer service records that this is a reputational drop in the bucket for them.
December 29th, 2015: US Voter Database (191 Million)
http://uk.reuters.com/article/us-usa-voters-breach-idUKKBN0UB1E020151229
What the Response Has Been:
There was limited outrage (probably because the announcement came over New Year’s Eve and the holidays), but with the election coming up, this vulnerability has raised concerns among voters in the US about fraud in the coming year.
December 19th, 2015: Sanrio (Hello Kitty)
What the Response Has Been:
A lot of publications gleefully picked up on the “Great Hello Kitty Hack of 2015” — but it seems not to have caused much concern in the community itself. People seem to be getting used to having to change their password details, and have done so at Sanrio’s request.
December 14th, 2015: Kromtech/Mackeeper Breach
Most people recognize Mackeeper as useless “scareware”, but the breach is still disturbing given that the software seems to prey on users and has now opened a backdoor into users’ systems via a flawed security program. Many caught on to this element and have condemned the software even more vociferously — though it had a pretty shoddy reputation before this all happened.
December 2nd, 2015: Invest Bank (UAE)
http://www.dailydot.com/politics/invest-bank-hacker-buba/
What the Response Has Been:
In an email to the Daily Dot, Invest Bank Assistant Manager for General Operations Qasim Kazmi said that paying Hacker Buba’s ransom was out of the question: “No we have not paid nor do we intend to or negotiate with blackmailers.”
The operators of the site where Buba had stored the files apparently regained some control, and it is now visible only to users with login credentials. Bank customers were apparently furious, and much of the information was real — the accounts hacked had around 110 million inside.
November 28th, 2015: VTech Hack
What The Reaction Has Been:
VTech has been getting hit hard by bloggers and journalists for its mishandling of this issue.
https://www.troyhunt.com/when-children-are-breached-inside/
VTech issued an FAQ in March 2016 saying that nearly 6.3 million people were impacted by this hacking: https://www.vtech.com/en/press_release/2016/faq-about-cyber-attack-on-vtech-learning-lodge/
They say the forensic investigation is still underway.
November 11th, 2015: Securus Technologies
What The Response Has Been:
It is still unfolding, but both the ACLU and The Marshall Project have been vocal about what they feel is a violation of the rights of inmates and of attorney-client privilege. The case is unfolding, but it may constitute a relatively massive scandal, given the nature of the private data that was unleashed. Lawyers on all sides have spoken out about the issue.
October 22nd, 2015: TalkTalk Hacked
What the Response Has Been:
Customers criticised the firm on Twitter over the announcement. Katie Jonas, who has been a TalkTalk customer for three years, said she was “fuming” after being on hold to TalkTalk customer services for more than an hour. She said: “I’m very concerned that my bank details may have been taken but didn’t want to have to change all bank details. It’s a lot of hassle doing so but now it looks like I will have to after the disgusting customer service.
“I was angry enough being on hold that long but to then be cut off is terrible.”
She added her family each had mobile phone contracts with the company and usually got a “great service” but added the timing of the announcement was “not really acceptable”.
She said: “The late announcement is not really acceptable either but even worse is the communications. By the time people are informed who knows how much could have been stolen.”
One customer said his computer had come under attack on Thursday night.
In December 2014 the company said it was investigating whether its customer database had been leaked after more than 100 customers said they had received calls from Indian-based scammers quoting their names, addresses and account details.
Dozens of customers have since been tricked out of thousands of pounds by fraudsters who called them pretending to be TalkTalk staff. After receiving such a fraudulent call, Graeme Smith, from Chester-le-Street in Co Durham, lost £2,815 from his Santander account.
October 9th, 2015: Barron’s, WSJ Hacked
http://www.usatoday.com/story/money/2015/10/09/barrons-hacked-ceo-warns-wider-plot/73663568/
What The Response Has Been:
https://twitter.com/search?q=wsj%20hacked&src=typd
Some hypothesize that this might be a politically motivated attack against Rupert Murdoch and News Corp.
Users are concerned because the WSJ would have subscriber information that could result in identity theft or fraudulent solicitation, or be used in phishing scams in the future.
October 2nd, 2015: Scottrade
What The Reaction Has Been:
· After the initial publication of this story, Scottrade clarified that though Social Security numbers and emails were included in the database that was breached, it does not believe they were stolen.
· Many financial websites reported this hack early, warning those who invest in the markets that their personal data might be at risk. Scottrade does not appear concerned about Social Security numbers, but physical addresses and identities may have been compromised.
· Scottrade’s spokesperson discussed the fact that they “secured the intrusion point and further strengthened our network defenses and are fully cooperating with the authorities as they investigate this criminal matter.”
· Some users on Twitter have questioned why a hacker would only steal contact info if they had access to Social Security information. Many finance experts and those involved in trading are concerned about their personal information and money.
· https://twitter.com/search?q=scottrade%20hack&src=typd
October 1st, 2015: Experian and T-Mobile
http://www.reuters.com/article/2015/10/02/us-tmobile-dataprotection-idUSKCN0RV5PL20151002
What The Response Has Been:
· Experian on Thursday said it had launched an investigation into the new breach and consulted with law enforcement.
· The company offered two years of credit monitoring to all affected individuals. People, however, said that they did not want credit protection from a company that had been breached.
· T-Mobile CEO John Legere responded by promising to seek alternatives.
· “I hear you,” he said on Twitter in response to consumer complaints, “I am moving as fast as possible to get an alternate option in place by tomorrow.”
· Experian said the breach did not affect its vast consumer credit database.
September 30th, 2015: Trump Hotels Credit Card System Hacked
http://time.com/4056928/trump-hotels-hacked/
What The Reaction Has Been:
Trump Hotels is offering affected customers a free year of identity fraud protection, CNN reports.
Given that Trump is running for president, there has been a wealth of mirth shared on social media regarding the hack, and some jokes at his expense.
Many are concerned about their credit card information and fraud, but most are concerned with the politics around the issue:
https://twitter.com/search?q=trump%20hacked&src=typd
August 10th, 2015: Carphone Warehouse
What the Reaction has Been:
This hack was relatively large, and was well covered in the British press.
According to surveys, more Brits have become concerned with cybersecurity, particularly 16–25 year olds, in the wake of the Ashley Madison and Carphone hacks.
On Twitter, people are still conversing about the hacks and this only served to increase the amount of conversation around cyber security, particularly among users in the UK.
July 20, 2015: Ashley Madison Hacking
http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/
What the reaction has been:
http://www.nytimes.com/2015/08/20/opinion/the-ashley-madison-hack-shows-were-too-dumb-to-cheat.html
The Ashley Madison hack was one of the top news stories of the summer, and the breakdown of the site’s tactics to bait users with ‘robot’ profiles is well documented:
“Globally speaking, the most surprising data that was recovered from the dump was the fact that out of the 31 million male users, only 10 million were actually engaged in initiating and continuing chats on the website and were paying the website! The data revealed that there were about 5 million female profiles but only 2409 female profiles engaged in chats which is a stark disparity in itself.”
There has been some public shaming of the victims, and chatter still surrounds the issue on Twitter and in the press. Many pieces discuss whether this is really our business at all, pointing to the psychological harm the doxxing of cheaters has caused to both their spouses and the cheaters themselves, and some suicides are rumored to be linked to the release of the data. The hackers, “Impact Team”, haven’t been caught, and this has been considered one of the worst hackings in history due to the depth of pain and issues it has caused.
July 6th, 2015: Hacking Team Hacked
What The Reaction Has Been:
· Christian Pozzi, one of the firm’s employees, tweeted to say that the documents contained “false lies” about the services the company offers. “A lot of what the attackers are claiming regarding our company is not true. Please stop spreading false lies about the services we offer,” Pozzi tweeted. “We are currently working closely with the police at the moment. I can’t comment about the recent breach.” Pozzi’s feed was later itself hacked, and later still the entire account was deleted.
· Privacy groups have welcomed a rare chance to potentially look inside the workings of a cyber-surveillance company such as Hacking Team. Privacy International said in a statement: “Yesterday’s leak of materials reportedly shows how Hacking Team assisted some of the world’s most repressive regimes — from Bahrain to Uzbekistan, Ethiopia to Sudan — to spy on their citizens.
· “We know from investigations by Citizen Lab that these tools are used to target human rights activists and pro-democracy supporters at home and abroad. Surveillance companies like Hacking Team have shown they are incapable of responsibly regulating themselves, putting profit over ethics, time after time. Since surveillance companies continue to ignore their role in repression, democratic states must step in to halt their damaging business practices.”
June 11, 2015: US Federal Government Breach
What The Response Has Been:
https://twitter.com/search?q=US%20government%20hacked&src=typd&vertical=default&f=tweets
· Social media reactions seem to be mixed — many just reporting the news with surprise, others without surprise or reaction at all
· The US accusing Russia and China of the breach, or of supporting the breach, brought out some hatred and nationalistic sentiment from conservatives
· The breach came to light bit by bit — which in many ways has intensified reactions and negative sentiments related to the breach.
May 26, 2015: IRS Hacked
http://www.wired.com/2015/05/hackers-hit-irs-access-100000-taxpayers-files/
What The Response Has Been:
https://twitter.com/search?q=IRS%20hacked&src=typd&vertical=default&f=tweets
· As seen in the tweets, most of the vitriol is directed at the IRS and government for not being competent, rather than at the hackers themselves.
· This case shows that often it is the victim of the hack that gets blamed, even over the hackers, and takes the biggest reputational hit from the case.
· People clearly expect a lot from government organizations — especially from the ones that are supposed to protect their data.
· The hacking triggered discussion about how well the IRS was funded — and if it needed more in order to make it a high-function organization that met the demands of modern-day data security.
May 21, 2015: Adult Friend Finder Hacked
http://www.channel4.com/news/adult-friendfinder-dating-hack-internet-dark-web
What The Response Has Been:
· Many people were mocked for the data that was released, particularly the fact that some used email accounts that had .gov domain names, and others used personal addresses that were easy to link to social media accounts.
· This site was never seen as a place that was supposed to be secure, and the vitriol directed at the hacking victims, many of whom were using the site to be unfaithful to their spouses, shows that people are much less sympathetic to victims of this type of hacking and to the negative exposure it created for them.
· It remains to be seen what the consequences for the site itself are — the site put out an announcement with instructions for users, but people seem very angry about the situation overall.
May 20, 2015: CareFirst (Blue Cross Blue Shield)
What The Response Has Been:
· Some were upset that CareFirst waited such a long time to reveal what had happened during the hack, and asked why they weren’t immediately asked to change their usernames.
· Others were mostly just disappointed in the company for allowing that to happen — Blue Cross is generally seen as quite reliable.
· The company did create a site for its response, but it alienated users by waiting too long between the attack and reporting it to the public.