elevenM Principal Arjun Ramachandran takes a critical look at the communications response to a major data breach.
Crisis communications for a data breach are never easy. Things move fast, much is unclear, and it’s not always obvious how to apply well-established crisis communications principles to cyber security incidents. Commenting from the outside is always easier than having to make the calls from the middle of the maelstrom.
Nevertheless, as comms people do, a few friends and I recently exchanged opinions about Optus’ public comms response to its recent cyber-attack, just as that response was unfolding. Below is a summary of some of my take-outs.
Overall, I reckon Optus put out a largely constructive response to what looks, at this stage, to be a serious data breach. The highlights? Responsive, empathetic, transparent, and largely free of speculation. But let’s go into more detail below.
First, what Optus didn’t do so well
Victim-playing … kinda. The first quote from Optus CEO Kelly Bayer Rosmarin in the Optus statement (which was bound to get a run in all media coverage) read: “We are devastated to discover that we have been subject to a cyber-attack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it”.
“Devastated to discover … we have been subject to” – with this language, Optus strays towards painting itself as the victim. In some sense it is, but for a public response the only victims Optus should be focused on are the customers it was meant to protect. Which brings us to …
Stepping back, not forward? Optus’ use of a string of passive phrases (“Devastated to discover”, “we have been subject to”, “that has resulted in”) comes across as Optus trying to create distance between it and responsibility for the breach. This won’t sit well, especially for those impacted.
Optus is ultimately responsible for protecting its customers’ data, and for any breach. Imagine a bank saying: “Today we were devastated to discover that we were subjected to a robbery that resulted in customers’ jewellery and valuables being taken by people who shouldn’t have had it.” Most would think: “Whatever dude, you were meant to protect it”. (Update: Today show’s Karl Stefanovic response this morning sums up this sentiment). The only vibe to convey is one of accountability.
The use of “devastated” also felt overly emotive. In subsequent media appearances Rosmarin replaced “devastated” with “deeply disappointed” and “deeply sorry”, which more precisely strikes the tone of regret and contrition needed.
What Optus did well
In the final washup, the above issues weren’t overly influential because Optus actually did a lot right.
Responsive. According to SMH, Optus disclosed this incident publicly after finding out about it late the previous day. That’s relatively pretty quick, despite some commentary. Companies can sit on these things for days, weeks and even months as they evaluate what’s happened.
They showed contrition. Optus made clear it was “deeply sorry”, “very sorry” and well, “devastated”, by what had happened. Expressing empathy, understanding and regret for the potential harm (not “inconvenience”!) to individuals of a data breach is merely the other side of the accountability coin.
They didn’t speculate. In pursuit of transparency (a well-known crisis communications principle), companies dealing with a data breach often fall into the trap of speculating or guessing about the details. This is dangerous and potentially embarrassing, especially if those details later need to be corrected once investigations progress. While media reports variously described “millions” or 2.8 million customers being affected, Optus repeatedly held the line against confirming any number (going only with “a significant number”), on the basis it is still investigating. (Note, the flipside risk of this approach are the media outlets reporting a breach affecting “up to 10 million customers”, on the basis that this is how many customers Optus has).
Transparency, the cyber way. Optus also clearly understands that transparency around cyber breaches is not just about conveying breach details. Their statement describes in detail the actions it was taking once the incident was known, including containment actions, investigations having commenced, and the rationale around communications decisions. All of these details shed light on how the situation is being managed.
A banner link at the top of their website to a dedicated page containing their latest statement on the incident and FAQs is also best-practice for cyber incidents. It gives customers a single place to go for the latest information.
They used lots of active language. Notwithstanding earlier criticisms about the passive sections in the CEO quote, large parts of the Optus statement were actually in active voice (see image below). There’s a well-worn cliché in security – “it’s not a matter of if, but when you suffer an attack”. When the attack comes, you need to be swinging into action fast to contain, understand and otherwise respond to what’s happened – which helps demonstrate you are taking accountability for what’s happened and what comes next. The active language conveys Optus doing that.
They brought in the big guns. “Optus is working with the Australian Cyber Security Centre to mitigate any risks to customers. Optus has also notified the Australian Federal Police, the Office of the Australian Information Commissioner and key regulators.”
As a major telco, no doubt Optus has well-resourced cyber security and privacy teams. It’s nevertheless helpful to emphasise that you’ve engaged the authorities for help and are working with regulators openly.
And the small mercies … No trite mentions of how much it “takes security very seriously”. Yes Optus!