Mark Forbes, the director of Icon Reputation, has shared his take with B&T on Optus’ data breach.
The scale of the Optus data breach is mind-boggling. The personal details of almost half the nation have been compromised, creating an unprecedented reputational and commercial crisis for the telco.
More than a week after the data hack was exposed, it is still dominating the media cycle, with Optus, and CEO Kelly Bayer Rosmarin, under siege; from disgruntled customers, government, consumer advocates and regulators. It is a crisis failure on multiple counts, almost all due to communication.
The flow of information from Optus has been slow, disjointed and lacking credibility. In a crisis, your communications and response will have a more long-term brand impact than the original incident, and Optus has been found sorely wanting.
Today CEOs are the face of their brands, the corporate reputation is intertwined with their own, and Bayer Rosmarin’s has taken what should be a terminal blow. Not only has she lost faith with customers and commentators, but she remains at loggerheads with the Federal Government.
A week ago, Bayer Rosmarin said the hack was a “sophisticated attack that penetrated multiple security layers”, only for Home Affairs Minister Clare O’Neil to dismiss the claim, suggesting it was a basic breach of security – with several cybersecurity experts agreeing.
“Responsibility for the security breach rests with Optus, and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” O’Neil said.
Several train wreck interviews have disrupted Optus’s communications response. Bayer Rosmarin ducked basic questions about data security and encryption, claiming “criminal proceedings were underway”. Security couldn’t be discussed because “bad actors also read the media”, she told Sky News.
Communications with customers have been poor and slow. It took four days from the announcement of the breach for the 9.8 million impacted to all be emailed. Surely an immediate mass email warning all 11 million Optus customers would have been more efficient, especially as the customer emails contained no personalised information about what data had been stolen.
The opening line of those emails expressed “great disappointment that Optus has been a victim of a cyberattack”, with no sorry to be seen. It did not flag compensation. Core to communicating in crisis are regret (a clear and heartfelt apology) and remediation (redressing the damage and ensuring it cannot reoccur).
It’s bizarre that Optus had the sense to place full-page ‘sorry’ ads for ballsing up the streaming of the 2018 World Cup (remember #floptus?), but we have seen no such proactive comms here.
Optus is still leaving customers in the dark on compensation and next steps, stating if they are not contacted, not to be concerned – prompting the government calls for customers to be proactive and not wait for Optus.
Customers complain they cannot get through to anyone from Optus, and bizarrely so is the purported hacker. Posting, then withdrawing, a demand for $1 million, he said he would have negotiated with Optus “if you had a method to contact”.
A Sydney-based tech reporter, Jeremy Kirk, contacted the purported hacker who claimed they pulled the data from a freely accessible software interface. Details of Optus accounts the man posted appeared genuine, experts said.
Revelations after several days that Medicare numbers had also been stolen further infuriated the government, which will continue to ramp up pressure for Optus to pay the bills.
Optus will be counting the cost for some time, with the government demanding it pays for replacing passports and other identity documents, but the ongoing brand damage is massive. A breach of this size was always going to have consequences, but an amateurish response has magnified them.
More broadly, every company should examine its cyber security precautions – with the government already signalling new laws with greater accountability and tougher penalties – and ensure they have a competent crisis response and communications plan.