A week of cyber security breaches puts crisis comms plans under the spotlight

Crisis comms mechanisms were whirring at three major UK firms last week, as British Gas, Marks & Spencer and TalkTalk suffered data breaches - and under a new EU regulation firms must be even better prepared in future.

Facts and clarity are key to your comms in the aftermath of a data breach, PRs say (Credit: r2hox via Flickr)
Facts and clarity are key to your comms in the aftermath of a data breach, PRs say (Credit: r2hox via Flickr)

On 22 October, telco firm TalkTalk moved to reassure customers after the Metropolitan Police launched an investigation into a cyber attack initially reported as linked to an "Islamic cyber jihadi group" by some media.

On 28 October the BBC reported that Marks & Spencer’s website had been suspended for two hours the night before due to a glitch – which the company said was the result of an internal error – that exposed customer details, and 29 October saw reports of British Gas suffering a similar problem.

The three events coming in quick succession ensured the broader issue got even more coverage than might have otherwise been expected.

Yvonne Eskenzi, co-founder of cyber-security PR specialists Eskenzi PR, said that just as every company will at some
point suffer a breach or glitch, so each company needs to have a plan in place for comms following it – and that this will become mandatory under the EU’s General Data Protection Regulation, which she says is due to come into force "within
the next few months".

"Once the new regulation comes into effect at the end of the year companies are going to have to become PR ready as cyber-attacks and breaches will become more of a common phenomenon," said Eskenzi, whose firm ran a new week-long cyber security awareness event last week.

She said that TalkTalk CEO Dido Harding appeared "like a lamb put to slaughter as she wasn’t briefed before giving interviews", but added that this was not necessarily her fault, saying: "IT security is complicated and most CEOs haven’t
the faintest idea of what’s going on.

"Talk Talk did the right thing in communicating quickly with their customers which was very refreshing compared to most other breaches that have been announced, but Dido Harding came unstuck because she was out of her depth."

Tim Knight, an account director at the agency PLMR, who had blogged about TalkTalk's security breach as the situation unfolded, said none of the three firms had covered themselves in glory with their comms plans.

"Initially, TalkTalk did well to front up and used the media as a vehicle to reach its millions of customers. TalkTalk has shown concern, and has been clear that its customers are the most important people here," he said – but added that their inability to "answer some absolutely fundamental questions – such as how many customers have been affected, whether or not data was encrypted, and what compensation package they will be offered" meant they eventually lost control of the story.

However, he did say that TalkTalk’s decision to suspend its high-profile sponsorship of ITV's X Factor was "wise".

On M&S, Knight said the firm's hard-won reputation made it "more resilient to crises like this" but criticised its decision to make apologetic statements via anonymous spokespeople. "For large corporations like this it is advantageous to give the company a human face, so that customers can more easily relate," he said.

Knight was also unimpressed by British Gas – which declined to offer any statement when contacted by PRWeek, and has not posted a statement online about the issue, or tweeted about it other than in response to individual queries. "British Gas is missing a trick here – it could use its Twitter account to show itself to be open, sympathetic and helpful. Instead, dodging the issue makes them look evasive and slow to react," he said.

Gay Collins, founding partner of Montfort Communications, said: "However prepared you think you are, the general public will respond faster than you could ever expect, with more emotion than anticipated, and then will feed off the responses of any stakeholder that cares to reply.

"The media generally takes the side of the consumer, so putting yourself in their shoes is a good place to start when crafting responses. Say how sorry you are, but also outline facts – steps taken to guard against; speed of response; action plan, how the customer should respond from here. This is not the time for making excuses or trying to blame others."

Would you like to post a comment?

Please Sign in or register.