Pizza The Breach: Failure to Deliver Costs Business Trust
This week Pizza Hut and Domino’s Pizza of Australia announced separate data breaches. While the breaches are of significant concern, the impact to consumer trust is most disturbing.
Over the weekend of October 13, 2017, Pizza Hut notified over 60,000 customers, via email, that their credit card information and personal information was stolen in a “temporary security intrusion” that occurred two weeks prior. Affected customers were informed that they were part of an “impacted group” that comprised a “small percentage of customers”.
In compensation for their loss, Pizza Hut has “offered” free credit monitoring for a year. I would like to point out that this is not an offer, but a mandatory legal obligation in many states. An offer would have included something of value — free pizza for a month, free breadsticks for a year or assistance in reclaiming any stolen funds. Customers took to social media to express their anger over the company’s handling of the incident.
Pizza Hut failed to maintain customer trust. Responding quickly to a data breach is essential to doing business on the web. Lessons to learn from the Pizza Hut data breach:
· Act quickly and decisively after a data breach. This is critical to ensuring the customer is empowered to take control of personal information loss as well as financial information loss. Organizations must prepare and implement an incident response plan, practice the plan and ensure customers can be notified within 72 hours of a breach.
· Communication is an important tool. The message to customers needs to be clear and concise.
· Accept responsibility without downplaying those affected as a small minority.
· Do not appear to offer anything to a customer unless there is real value.
In a separate announcement, Domino’s Pizza of Australia reported on October 17, 2017, that personal information and order history was stolen from a former supplier and that the breach led to customers receiving creepy spam messages. Domino’s failed to deliver the bad news to customers before the spam storm began. Domino’s website reads, “Domino’s acted quickly to contain the information when it became aware of the issue” — this message is creepier than the spam messages. Given that Domino’s knew the information was stolen, there was little the company could do to contain it unless it knew who stole it, whether it had been shared and whether it could keep the information from spreading to the dark underbelly of the internet. Domino’s has yet to name the supplier, the period during which the data was stolen or the number of customers affected. Customers took to Facebook to express rage over the company’s handling of the incident:
“It was a bit eery (sic) getting all these spam emails that somehow knew my name and suburb and initially were making it past the spam filter,” Mitchell Dale posted on Domino’s Facebook page.
“The decision to try to keep me in the dark and not announce what had happened is why I will not be ordering Dominos again.”
“I won’t be ordering from you again, not because of the breach but because of how you chose to handle it,” Lara Douglas posted.
Domino’s failed customer trust in two critical areas — failure to act quickly and failure to off-board a supplier.
Lessons to learn from the Domino’s Pizza Australia data breach:
· Act quickly and decisively after a data breach. This is critical to ensuring the customer is empowered to take control of personal information loss. Customers expect to be able to respond to a security incident and protect their accounts and identities. Organizations must develop, practice and implement an incident response plan to act quickly and effectively. Notifications to customers should be sent within 72 hours of a data breach.
· Organizations must have an off-boarding plan for any supplier that holds data. When severing a relationship with a supplier, organizations must take the proper precautions to remove customer data from the former supplier’s systems. This point is still often overlooked in data sharing agreements.
· Act with honesty and integrity. Organizations must take responsibility for their actions or inactions. Organizations must avoid any indication that they have contained a problem when the average customer understands that data loss means loss — any hint of containment implies you have solved a whodunnit puzzle.
Trust is the New Business Currency
We are close to the end of 2017 and customers have grown weary of cyber security breaches and have greater expectations of the role that businesses must hold as protectors of customer data. Customers will no longer accept long delays in being notified of a breach. Customers understand the pain and agony of having funds stolen from their accounts. Customers will no longer accept the shock of finding that a perpetrator has intimate knowledge of their identity or whereabouts.
Organizations must have an incident response plan to know how to act when a data breach occurs. An incident response plan must establish a timeline for customer response. Timeliness is critical. Notify your customers within 72 hours from when your organization learns of the breach. Be prepared to communicate quickly and concisely.
Organizations must establish greater controls to protect their customer data. CEOs and CIOs are expected to take control of their customer data and give customer data the same level of control that officers establish to transfer funds to their corporate accounts. Data is king. Trust is the new business currency. Failure to establish customer trust will destroy revenue as customers flee in droves.
About The Author
Brian Nigl is a partner at Convergency LLC. Brian has over 24 years of experience in regulated environments, delivering secure solutions on a global scale. Brian is a singer, songwriter, music lover and devoted father.
Convergency is a cybersecurity technology integrator that focuses on improving the state of cybersecurity within regulated environments. Convergency provides professional services to ensure risk resiliency. Convergency’s first product, Harmonia™, offers secure data migration ranging from 100 terabytes to 100 petabytes.