Data breaches have become an all too unfortunate reality for many businesses. The repercussions of a data breach extend way beyond financial loss and litigation. Ineffective communications during a data breach can also severely damage a company’s reputation and erode customer trust.

To mitigate these risks, companies must communicate the crisis effectively and transparently with their stakeholders. This post explores how to best communicate in the wake of a data breach, drawing on real-world examples to highlight strategies that work and those that don’t.

Understanding the Stakes

When a data breach occurs, customers are understandably concerned about the security of their personal information. This anxiety can quickly escalate into anger and mistrust if they feel that a company is not being honest or proactive in addressing the issue. The primary goals in communicating during a crisis like a data breach are to reassure your customers, maintain transparency, and demonstrate that the company is taking concrete steps to resolve the situation.

Case Study: Target’s Data Breach

In 2013, Target experienced one of the largest data breaches in history, affecting over 40 million credit and debit card accounts. Initially, Target’s response was slow and lacked transparency. The company waited several days before publicly acknowledging the breach, and the details they provided were vague and evasive. This delay and lack of clarity led to widespread criticism and a significant loss of customer trust and revenue.

What didn’t work:

• Delayed Response: Target’s slow reaction gave the impression that the company was either unaware of the breach’s severity or was attempting to downplay and cover up its impact.
• Lack of Transparency: The initial communications were not detailed enough, leaving customers uncertain about what had happened, how it affected them and what to do to protect themselves.

What may have worked better:

• Immediate Acknowledgment: Promptly acknowledging the data breach would have shown that Target was on top of the situation.
• Detailed Information: Providing clear and detailed information about the breach and its potential impact on customers would have helped to reassure them.

Case Study: Equifax’s Data Breach

In 2017, Equifax disclosed a data breach that exposed the personal information of 147 million people. Equifax’s response was widely criticized for its poor handling of the situation. The  breached data included highly sensitive information such as: names, home addresses, phone numbers, dates of birth, social security numbers, and driver’s license numbers. The credit card numbers of approximately 209,000 consumers were also breached. 

The company waited six weeks to announce the breach, and when it did, the communication was confusing and inadequate. How the company handled the breach was widely panned and resulted in a class action lawsuit.

What didn’t work:

• Prolonged Silence: The six-week delay in announcing the breach eroded trust and suggested a lack of urgency.
• Confusing Messaging: Equifax’s communication was not clear, leading to confusion about what actions customers should take to protect themselves and even what data was actually compromised.

What may have worked better:

• Timely Disclosure: Announcing and being upfront about the breach as soon as it was discovered would have demonstrated a commitment to transparency.
• Clear Guidance: Providing straightforward instructions on how customers could protect themselves would have been more helpful.

Marriott Hotels Data Breach on how to communicate effectively

In 2018, Marriott revealed that its Starwood guest reservation database had been compromised, affecting approximately 500 million customers. Marriott’s response was generally well-received because the company acted swiftly and communicated effectively.

What worked:

• Prompt Notification: Marriott quickly informed customers about the breach, reducing uncertainty and speculation.
• Comprehensive Details: The company provided detailed information about the breach, including what data was compromised and what steps were being taken to address it.
• Supportive Actions: Marriott offered free credit monitoring services to all affected customers. This type of outreach demonstrates a commitment to helping customers and to also manage any potential fallout.

In addition to the excellent communications approach that Marriott Hotels took in managing the breach, they also relied on Cybersecurity Insurance which helped limit losses. 

Case Study: Booking.com data breach 

Booking.com, a leading online travel agency, has faced significant challenges with data breaches over the past few years. The most recent incidents highlight vulnerabilities exploited by hackers targeting their hotel partners, with sensitive customer information being accessed and sometimes sold on the dark web.

What didn’t work:

• Delayed Notification: One of the primary criticisms Booking.com faced was the delay in reporting breaches. In a previous incident in 2018, the Dutch Data Protection Authority (DPA) fined Booking.com €475,000 for reporting a security breach 22 days after it occurred, far exceeding the 72-hour notification requirement under GDPR. This delay significantly impacted customer trust and highlighted weaknesses in the company’s internal reporting processes.
• Complex Communication Channels: Booking.com has struggled with efficiently communicating the steps customers need to take following a breach. Customers found the guidance convoluted, which added to their frustration and uncertainty during a critical period.
• Perceived Lack of Control: Despite clarifying that breaches did not affect their core systems but rather their partners’ systems, Booking.com struggled to reassure customers fully. The constant emphasis on partners’ vulnerabilities sometimes made customers feel the company was deflecting responsibility and not acknowledging that they even have a problem.

What worked:

• Transparent Acknowledgment: Booking.com has made efforts to openly acknowledge the breaches once identified, which is crucial in maintaining some level of trust. The company has been upfront about the nature of the breaches, specifying that hackers accessed hotel partners’ login credentials rather than Booking.com’s primary databases.
• Customer Support Initiatives: In response to the breaches, Booking.com implemented several support measures for affected customers. These included helping customers recover lost funds and providing clear guidelines on avoiding scams. Such actions demonstrate a commitment to customer care and can help mitigate some of the negative impacts of the breach.
• Proactive Measures with Partners: Recognizing that many breaches occurred through hotel partners, Booking.com has taken steps to enhance security awareness and training among its partners. This includes publishing best practices and working closely with partners to secure their systems against future attacks.
• Learning from Mistakes: Booking.com has shown a willingness to learn from past errors. Following the delayed notification incident, the company improved its internal reporting mechanisms and increased education on privacy measures among employees and partners. 

These steps are crucial for preventing future breaches and ensuring a timely response if and when they occur.

Effectively Communicating a Data Breach

Based on these case studies, here are some best practices for communicating during a data breach:

• Act Quickly: Speed is not only crucial, but it’s also a legal requirement. As soon as a breach is confirmed, notify customers and stakeholders. Delays can not only lead to speculation and mistrust, but may also result in costly legal issues.
• Be Upfront and Transparent: Provide clear and honest information about the breach. Explain what happened, what data was compromised, and how it may affect customers.
• Offer Support: Show that you care about your customers by offering support services, such as free credit monitoring or identity theft protection.
• Regular Updates: Keep the lines of communication open. Provide regular updates on the status of the breach and the measures being taken to resolve it.
• Apologize and Take Responsibility: A sincere apology can go a long way. Acknowledge the company’s responsibility and express regret for any inconvenience or harm caused.
• Learn and Improve: Use the breach as an opportunity to review and improve your security measures. Communicate these improvements to your customers to rebuild trust.

Final Thoughts

A data breach can be a critical moment for any company. However, with effective and transparent communication, it’s possible to navigate the crisis, maintain customer trust, and emerge stronger. By acting quickly, being transparent, offering support, and learning from past mistakes, companies can turn a potential PR disaster into an opportunity for growth and improvement.

For more information on how we can help keep your systems secure and up to date, see Security at Horn IT.