Despite suffering a major data breach that briefly dominated news headlines, shares in UK telco TalkTalk bounced 12 percent immediately following the announcement of their half-yearly results. This comes after a 30 percent fall in share prices in the period since the breach.
TalkTalk’s response to the attack will be studied for years to come. CEO Dido Harding (pictured above) was proactive in engaging with the media, warning customers about the risks before all the facts had been established. Some criticized this approach, not least because it prompted speculation that all 4mn customers may have been affected. After more investigation, TalkTalk later announced that the personal data of 156,959 customers had been breached. Of those customers, only 15,656 bank account numbers were revealed. The details of 28,000 credit and debit cards were sufficiently incomplete that they could not be used for financial transactions or to identify the customer.
It is arguable that less damage would have been done to TalkTalk’s share price if they had waited to gather more information before going to the press. However, I do not agree with this argument. To begin with, it misrepresents the responsibilities when dealing with personal data. Personal data belongs to the people who are the subject of the data, not to the shareholders who own the company that collected the data. The risk to customers must hence take priority over the risk to shareholders. Secondly, as customers become more savvy about the realities of lax corporate security, they will be less lenient towards businesses that hide important information from them. It is better to temporarily lose trust by being transparent and then regain trust through continued transparency, than to hide important information from customers and to subsequently lose their trust forever.
TalkTalk estimated the attack would reduce full-year profits by between GBP30mn and GBP35mn (USD46mn to USD53mn). Though this cost is large, a roughly $50mn bill was considerably less than many investors would have feared, encouraging the bounce back in TalkTalk share prices. All customers will be offered a free service upgrade to reward them for their loyalty. Early data suggests that relatively few customers have cancelled their contract because of the weaknesses in TalkTalk’s security. Harding told the BBC:
“It’s too early to tell how many customers will leave as a result of this data breach. What I can tell you is that the early signs are encouraging. We of course saw an immediate step up, a spike, in churn or customers canceling their direct debits but actually after a few days we saw many of those customers reinstating their direct debits again.”
Cynics might note that one reason for limited churn would be the penalties levied on customers if they terminated their contract early. Many TalkTalk customers have 2-year contracts for bundled mobile, fixed line, broadband and television services, meaning they would pay a hefty price for switching providers before the contract expired. Furthermore, TalkTalk announced it would only waive the penalties for early termination if customers could show the breach had a “direct impact” on their bank account. Under such circumstances, it was inevitable that few would pay the cost of ending their contract immediately. What will be harder to judge is the impact on renewals when contracts reach their end.
Whilst Harding will win some plaudits for transparency, we should keep in mind that she talked around some important security weaknesses. For example, she stated:
“This is not just about TalkTalk. This is the crime of our era, and we’re committed to doing everything in our power to protect our customers.”
However, the scale of the risk was great precisely because the firm had not encrypted the data that was breached. As every firm can choose between encrypting or not encrypting personal data, the ‘everything in our power’ argument is clearly hogwash. More bluster followed when the BBC pressed Harding about encryption:
“I can confirm that we’re compliant with all encryption requirements for the industry, but actually it’s not just about encryption…”
Compliant with requirements? She sounds like a woman who was challenged about why she wore a bikini for a trip to the North Pole. Maybe she complied with moral and legal codes about her appearance, but that does not mean she was appropriately dressed.
The fig leaf that saved TalkTalk from more embarrassment was that credit and debit card numbers were ‘obscured’… which is just a fancy way of saying that the compromised web system did not actually possess copies of complete card numbers. Whilst this undoubtedly limited the potential harm to customers, I find it hard to believe this was part of a thoughtful strategy for securing data. If it had been, TalkTalk would not have taken so long to determine that there was no risk to customers of unauthorized transactions as a direct result of criminals using the compromised data. Encryption is obviously less of an issue if the data that has been compromised is not sensitive, and incomplete credit card numbers are clearly less sensitive than complete ones. So whilst Harding keeps insisting how much TalkTalk cares about security, she clearly did not understand the firm’s basic approach to security either before or immediately after the breach occurred.
When reviewing how to manage risk, many will focus on the way TalkTalk handled the aftermath of this breach. However, this event should illustrate the most basic of choices: whether to invest time and money into the prevention of bad things before they happen, or to invest time and money planning for how to deal with crises that will sometimes occur. Ideally you should do both, but the need for one is influenced by the extent of investment in the other. Being very good at crisis management may encourage some businesses not to invest in security. On the other hand, firms that reduce the likelihood of risks will have to deal with fewer crises.
In this instance, whilst TalkTalk has handled the media well, I doubt that the changes needed to prevent this attack would have cost anything like the USD50mn bill they now expect to pay. Harding keeps talking about cybercrime being the crime of our generation, but most of the people arrested so far have been teenagers, not hardened professional hackers.
Perhaps TalkTalk have learned their lesson, and will do a better job of investing in security before the next attack hits them. If so, that attack will not feature in the news, because there will be nothing major to report. Even so, we can learn from how TalkTalk handled the media and tried to turn the story to their advantage, by presenting themselves as victims, whilst emphasizing speedy communication, responsive management and relatively low-cost ways of showing they care for customers. For a good example, look below at Harding’s announcement of the half-yearly results, which includes a statement about the data breach.