On 21st October 2015, customers of UK telecoms provider TalkTalk found that they couldn’t access their email, and the brand’s website was also down.
The next day, TalkTalk announced that it had been hacked. Major national news outlets on television, in print and online declared that the provider’s four million customers’ dates of birth, names, addresses, emails, phone numbers and bank details could have been stolen by hackers.
But this wasn’t the first time TalkTalk had suffered from a data breach. In February 2015 customers found themselves being targeted by scam callers after hackers targeted the brand, with some complaining to the media that customer service representatives had dismissed a call to warn customers of the threat.
In August, hackers targeted Carphone Warehouse, which ran the TalkTalk mobile site. TalkTalk had to release a statement on the issue as around 480,000 of its customers could have been affected.
The October attack turned out to have impacted almost 157,000 customers, rather than the initial four million figure plastered across various media and social media channels, but that figure wasn’t published until around three weeks later, by which time it was determined that more than 15,000 bank account numbers and sort codes, and 28,000 credit and debit card details had been accessed.
The media reported that some of the data that was accessed had not been encrypted.
The response
Customers, some of whom were already frustrated with the provider, turned to social media to complain about the latest breach and poke fun at the brand.
It’s still not clear where, or when, the VCR picture was taken, but it doesn’t really matter. The perception it generated online and in forums supported the idea that the brand was behind the times when it came to technology and IT security in general.
Media
The brand wasted no time in getting the CEO out to the media; in fact, Dido Harding appeared on Newsnight on the evening that the brand announced that the breach had happened.
Over the next few days she appeared across all of the mainstream TV channels being interviewed live.
During the Newsnight interview the CEO clearly didn’t have all of the answers, as the attack had only happened the day before. The interviewer questioned why customers hadn’t been informed at the time, and the CEO made it clear that she was making herself available for media interviews to get the news out to as many customers as possible, as quickly as she could.
Kirsty Wark: “People’s bank account information could have been compromised since lunch time yesterday.”
Dido Harding: “They could have been, but I didn’t know. I didn’t have any inkling at lunch time yesterday that that was the case. You have to have a basic amount of information before you start communicating.”
Communication is vital during a crisis, but that communication needs to be calm and factual, not create more panic. It doesn’t help that some of the security advice Harding was giving during her interviews was incorrect (as pointed out by computer security expert Graham Cluley).
Keeping customers informed
The concern raised by Newsnight presenter, Kirsty Wark, when she asked why the company had delayed in informing customers, was mirrored by the customers themselves on social media. Some customers took to social media to complain that they only found out about the breach through the media, not from TalkTalk itself.
As the crisis continued, the brand developed a page on its site dedicated to providing updates on the situation.
But in the initial stages of the crisis, TalkTalk appeared to be focused on communicating with its customers primarily through media interviews, which did more to provoke panic than to reassure people that it had the matter in hand.
Refusing to let people out of contracts
Customers complained that the brand was refusing to let them out of their contracts without paying for their remaining fees. This resulted in yet more bad publicity for the brand, and considerable anger on social media. Some media outlets contacted lawyers who confirmed that customers should be allowed to leave.
“We have spoken to legal experts who believe customers can prove TalkTalk has not taken due care to protect and preserve their personal data — therefore making its own contract void.”
Sending the wrong message
By mid-November, it became clear that the attack hadn’t affected as many people as first feared. TalkTalk then told The Inquirer that it had decided not to let people out of their contracts for free, unless they had a crime number to prove that they suffered financial loss from the breach.
The CEO also defended the company’s security practices to the Sunday Times, stating that the data: “wasn’t encrypted, nor are you legally required to encrypt it. We have complied with all of our legal obligations in terms of storing financial information.”
TalkTalk is now offering free upgrades to customers. However, it will take far more than a boost to wifi speed to earn back their trust.
Shares in TalkTalk fell on news of the hack, and have yet to recover.
Data breaches, especially those involving financial and identity information, aren’t just a reputation crisis for the affected brand. They are personal problems that customers have to deal with. They are the ones who will need to get new debit cards, and be extra vigilant over emails and phone calls. They are the ones who will worry about fraud.
In this situation, brands need to not only communicate in a clear, calm manner, but show a great deal of empathy and understanding. They need to prove that they have learnt from the experience, and show that they understand how important trust is when people hand over their financial and personal details. Whether TalkTalk has shown this is a matter for debate.
Perhaps most importantly, a brand under such intense public scrutiny needs to ensure that its spokesperson is fully briefed, knowledgeable about the issues and can anticipate the questions that will be asked of them. Yes, quick communication is vital, but not at the expense of a calm and considered response.