Breakdown of the Optus breach response

elevenM Principal Arjun Ramachandran takes a critical look at the communications response to a major data breach.

Crisis communications for a data breach are never easy. Things move fast, much is unclear, and it’s not always obvious how to apply well-established crisis communications principles to cyber security incidents. Commenting from the outside is always easier than having to make the calls from the middle of the maelstrom. 

Nevertheless, as comms people do, a few friends and I recently exchanged opinions about Optus’ public comms response to its recent cyber-attack, just as that response was unfolding. Below is a summary of some of my take-outs.

Overall, I reckon Optus put out a largely constructive response to what looks, at this stage, to be a serious data breach. The highlights? Responsive, empathetic, transparent, and largely free of speculation.  But let’s go into more detail below. 

First, what Optus didn’t do so well 

Victim-playing … kinda. The first quote from Optus CEO Kelly Bayer Rosmarin in the Optus statement (which was bound to get a run in all media coverage) read: “We are devastated to discover that we have been subject to a cyber-attack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it.”

“Devastated to discover … we have been subject to” – with this language, Optus strays towards painting itself as the victim. In some sense it is, but for a public response the only victims Optus should be focused on are the customers it was meant to protect. Which brings us to …  

Stepping back, not forward? Optus’ use of a string of passive, distancing phrases (“Devastated to discover”, “we have been subject to”, “that has resulted in”) comes across as Optus trying to create distance between itself and responsibility for the breach. This won’t sit well, especially with those impacted.

Optus is ultimately responsible for protecting its customers’ data, and for any breach. Imagine a bank saying: “Today we were devastated to discover that we were subjected to a robbery that resulted in customers’ jewellery and valuables being taken by people who shouldn’t have had it.” Most would think: “Whatever dude, you were meant to protect it”. (Update: Today show host Karl Stefanovic’s response this morning sums up this sentiment.) The only vibe to convey is one of accountability.

The use of “devastated” also felt overly emotive. In subsequent media appearances Rosmarin replaced “devastated” with “deeply disappointed” and “deeply sorry”, which more precisely strikes the tone of regret and contrition needed. 

What Optus did well 

In the final washup, the above issues weren’t overly influential because Optus actually did a lot right. 

Responsive. According to SMH, Optus disclosed this incident publicly after finding out about it late the previous day. That’s relatively quick, despite some commentary to the contrary. Companies can sit on these things for days, weeks and even months as they evaluate what’s happened.

They showed contrition. Optus made clear it was “deeply sorry”, “very sorry” and, well, “devastated” by what had happened. Expressing empathy, understanding and regret for the potential harm (not “inconvenience”!) that a data breach causes individuals is merely the other side of the accountability coin.

They didn’t speculate. In pursuit of transparency (a well-known crisis communications principle), companies dealing with a data breach often fall into the trap of speculating or guessing about the details. This is dangerous and potentially embarrassing, especially if those details later need to be corrected once investigations progress. While media reports variously described “millions” or 2.8 million customers being affected, Optus repeatedly held the line against confirming any number (going only with “a significant number”), on the basis that it is still investigating. (Note: the flipside risk of this approach is that media outlets report a breach affecting “up to 10 million customers”, on the basis that this is how many customers Optus has.)

Transparency, the cyber way. Optus also clearly understands that transparency around cyber breaches is not just about conveying breach details. Its statement describes in detail the actions it was taking once the incident was known, including containment actions, the investigations that had commenced, and the rationale behind its communications decisions. All of these details shed light on how the situation is being managed.

A banner link at the top of their website to a dedicated page containing their latest statement on the incident and FAQs is also best-practice for cyber incidents. It gives customers a single place to go for the latest information.

They used lots of active language. Notwithstanding the earlier criticisms of the passive sections in the CEO quote, large parts of the Optus statement were actually in the active voice (see image below). There’s a well-worn cliché in security: “it’s not a matter of if, but when you suffer an attack”. When the attack comes, you need to be swinging into action fast to contain, understand and otherwise respond to what’s happened, which helps demonstrate that you are taking accountability for what’s happened and what comes next. The active language conveys Optus doing exactly that.

They brought in the big guns. “Optus is working with the Australian Cyber Security Centre to mitigate any risks to customers. Optus has also notified the Australian Federal Police, the Office of the Australian Information Commissioner and key regulators.” 

As a major telco, no doubt Optus has well-resourced cyber security and privacy teams. It’s nevertheless helpful to emphasise that you’ve engaged the authorities for help and are working with regulators openly. 

And the small mercies … No trite mentions of how much it “takes security very seriously”. Yes Optus! 

End of year wrap: What the Four Seasons Total Landscaping debacle taught us about privacy and security

It’s been a dumpster fire of a year, and so, for our end-of-year wrap, we looked to the most ridiculously hilarious moment of the year.

Here are five lessons we took from the infamous Four Seasons Total Landscaping debacle: 

Lessons on managing a data breach crisis (from an amateur conference organiser)

Tim de Sousa

It’s been a big year for elevenM – we’ve grown rapidly, taking on new people, developing new products and tackling new challenges.

One of my biggest challenges was actually an extracurricular one – the Annual Summit of the ANZ chapter of the International Association of Privacy Professionals (iappANZ). As specialist privacy and cyber security professionals, we have a close relationship with iappANZ, not to mention that one of our founders, Melanie Marks, is the current iappANZ President, and I’m on the Board. Which is how I ended up as the co-chair of this year’s Summit.

Law schools don’t really offer courses in event management, so I approached this completely, utterly blind. Ultimately, as a consequence of a great deal of hard work by many people, the Summit was a resounding success. But for me, the actual day was rather stressful and frantic as I tore around the place trying to do everything at once.

Basking in the relief of a completed job, it occurred to me that there were a lot of parallels between running a conference as a rank amateur and managing a data breach – high stakes, many moving parts, a lot of stakeholders, and limited time. I’ve dealt with literally hundreds of data breaches – they hold no fear for me. But this was entirely new territory. So, gin and tonic in hand, I jotted down a few of the more important takeaways.

  1. Bring in the pros, and do it early

I didn’t know anything about managing conferences. But we brought in some expert help – the good people at Essential Solutions. They’ve produced dozens of conferences. They understood all the likely friction points, had connections with suppliers and pre-existing relationships that they could leverage. This was a level of experience and expertise I didn’t have and couldn’t acquire quickly.

Having pros on the team meant they could help identify issues and problems while they were still molehills, and we were able to deal with them before they became mountains. This left me more able to focus on strategy and key decisions.

  2. Don’t be afraid to ask for help

On the day, there were a lot of small details and moving parts that had to be dealt with. Because I was frazzled and anxious, I insisted on managing all of this largely by myself so I could make sure it got done – everything from making sure speakers got miked up, to timekeeping, to moving chairs on stage. This was, in fact, way too much for one person to do. Like data breach management, event management is a team sport.

I actually had numerous people throughout the day – iappANZ Board members – ask me if there was anything they could help with. And I smiled and thanked them and said we had it all under control. I think I did this largely on autopilot – my mind was so occupied with my lengthy to do list, I didn’t have the mental capacity to delegate. Which brings me to my next point…

  3. Plan ahead and allocate responsibilities

If you can’t think clearly enough in the thick of it to delegate, you need to do it before the crisis arrives. If I had known what would have to be done, asked for volunteers and allocated tasks in the lead up to the Summit, I would have been much better able to spread the workload.

A good data breach response plan can help you do all of this – it can include the contact details for pre-vetted expert support, set out the key steps of your organisation’s data breach response so you don’t have to scramble to work out what to do next in the heat of the moment, and clearly set out roles and responsibilities to avoid uncertainty over who should do what.

We weren’t able to do a dry run on the conference, but you can run simulated data breaches and other training to ensure that your breach response team understands the plan, and their part in it.

And when you’ve successfully managed the breach and the dust has settled, don’t forget to pour yourself a gin and tonic.

If you need help developing a data breach response process, or advice on managing a breach, you can call us at 1300 003 922 or email us at