In 2017, Big-Box’s IT systems were compromised, leading to a large leak of customer information. According to preliminary data, the personal information of about a million users was disclosed. The company first created a crisis communication group to collect, process, and disseminate the information needed to resolve the situation. The first customer-facing reaction was a formal statement from the CEO about the incident, describing it and indicating the steps being taken to resolve the issue. The statement was posted only on the company’s website, although Big-Box also has Facebook, Instagram, and Twitter accounts. On the website the company apologized and offered affected customers credit monitoring services at Big-Box’s expense.
After the official announcement, reliable reports emerged that the breach was larger than first stated: the data of about five million customers had been disclosed. As a result, the company had to issue a second statement, which reflected the results of the scoping assessment and expanded the benefits outlined in the original statement. After the second statement, nothing about the situation was reported on social networks.
Moreover, the crisis messages were published exclusively as text documents in the press section of the website, so it was difficult for customers to find any information about the incident. Big-Box’s communications team also produced no videos or infographics to spread the message. No statements were made on social media, and while Big-Box’s pages filled with angry customers and calls to action, the company showed no reaction.
Obstacles and Missteps Made by the Company
The company’s main mistake was that it was not prepared to respond quickly to the problem that arose, namely the information leak. One of the leading strategic mistakes is a sincere belief that nothing bad can happen. When information then leaks or a system is compromised, no one knows what to do, and the first reaction is not an effective solution to the problem. Employees do not understand how to act, and management is afraid to react after the fact without a clear plan of action. Time runs out, the crisis gains momentum, and costs and damage mount. As a result, there is no adequate response to the incident, and the consequences become catastrophic.
In addition, because the scale of the disaster was assessed incorrectly, the company made a hasty statement that in the end could be regarded as false. A correct assessment of the scale of an incident is critical to minimizing damage and responding appropriately. As a consequence, the distrust caused by the hack was reinforced by distrust caused by management’s mistake.
Since this is a severe data breach at a large public business, a public announcement is an inevitable part of the crisis response. Although the company made an announcement, it was posted only on its website, so many customers may not have seen it. By then there were already suspicions that there were far more victims than the first announcement stated. Moreover, it was difficult for customers to find the announcements at all, since they were not posted on the site’s main page.
When a leak is found, the first thing to do is to restart, accelerate, change, or even reverse the decisions and business processes that involve the stolen information. These measures save the company money and allow management to move on to the next steps: investigation and remediation (Varma, 2020). To obtain the best possible protection, it is possible to reassign all usernames at random so that no link can be made between forum posts and previous usernames. That is what the management of the SPIEGEL website did when it discovered a security hole in the software used in its community area (Der Spiegel, 2021).
It is also important that email addresses are preserved and remain attached to the account, so that the customer can still log in, while the forum pseudonym is replaced: the username changes automatically, but the customer can change it again in the settings at will. The history on the site is also preserved, although a customer who wishes to delete it can use the “Erase everything” function.
The organization can also create a user guide which, first, shows the company’s concern for its customers and, second, helps rebuild their confidence. For example:
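As an added example (not SPIEGEL’s own code and not described in the cited notice), the following Python sketch shows the structure that makes such a rename safe: posts reference a stable internal account id rather than the display name, email addresses stay attached to the account, every username is replaced with a random one, users can later pick their own name, and an “Erase everything” routine drops the history. The data model, the account ids, the sample accounts and the username format are all assumptions.

```python
import secrets
import string
from dataclasses import dataclass, field

# Assumption: posts are keyed by a stable internal account id, never by the
# display name, so a rename cannot orphan a user's history.
USERNAME_ALPHABET = string.ascii_lowercase + string.digits


@dataclass
class Account:
    account_id: int
    email: str          # kept: login identifier and notification channel
    username: str       # public pseudonym: replaced at random after the incident
    post_ids: list = field(default_factory=list)


@dataclass
class Forum:
    accounts: dict = field(default_factory=dict)  # account_id -> Account
    posts: dict = field(default_factory=dict)     # post_id -> (account_id, text)

    def add_post(self, account_id, text):
        post_id = len(self.posts) + 1
        self.posts[post_id] = (account_id, text)
        self.accounts[account_id].post_ids.append(post_id)
        return post_id


def random_username(length=10):
    # secrets, not random: the new names must not be predictable from the leaked ones
    return "user-" + "".join(secrets.choice(USERNAME_ALPHABET) for _ in range(length))


def reassign_all_usernames(forum):
    """Give every account a fresh random pseudonym.

    Returns old -> new so the operator can tell each user their new name by
    email. Do not persist this mapping in the forum database: keeping it would
    recreate exactly the link to the leaked names that the rename is meant to break.
    """
    taken = {a.username for a in forum.accounts.values()}
    mapping = {}
    for acct in forum.accounts.values():
        new = random_username()
        while new in taken:          # avoid collisions with old or already assigned names
            new = random_username()
        taken.add(new)
        mapping[acct.username] = new
        acct.username = new
    return mapping


def rename_by_user(forum, account_id, wanted):
    """Later, the user may pick their own name; enforce length, charset and uniqueness."""
    if not (3 <= len(wanted) <= 32) or not all(c in USERNAME_ALPHABET + "_" for c in wanted):
        return False
    if any(a.username == wanted for a in forum.accounts.values()):
        return False
    forum.accounts[account_id].username = wanted
    return True


def posts_by_account(forum, account_id):
    """History survives the rename because posts are keyed by account id."""
    return [forum.posts[p][1] for p in forum.accounts[account_id].post_ids]


def erase_everything(forum, account_id):
    """The user's opt-in 'Erase everything': drop all of their posts."""
    acct = forum.accounts[account_id]
    for pid in acct.post_ids:
        forum.posts.pop(pid, None)
    acct.post_ids.clear()


def build_sample_forum():
    # Constructed sample data for the demonstration.
    f = Forum()
    f.accounts[1] = Account(1, "alice@example.com", "alice_1984")
    f.accounts[2] = Account(2, "bob@example.com", "bob")
    f.add_post(1, "first post")
    f.add_post(1, "second post")
    f.add_post(2, "hello")
    return f


if __name__ == "__main__":
    forum = build_sample_forum()
    for old, new in reassign_all_usernames(forum).items():
        print(f"{old} -> {new}")
    print(posts_by_account(forum, 1))
```

The mapping returned by `reassign_all_usernames` exists only to notify users; once the notification emails are sent it should be discarded, otherwise an attacker who already holds the leaked names gets the new ones for free.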
- Step 1: Check what data you have uploaded to the site.
- Step 2: Change your password; if you used the compromised password for several accounts, change it everywhere.
- Step 3: If your account number or credit card number has become public, report it to your bank immediately.
- Step 4: Check your credit profile for identity theft.
- Step 5: Keep your passwords secure, for example in an encrypted password manager.
Post the announcement and the user guide on social networks and on the site’s home page so that as many customers as possible see the information.
Since the information about the leak has become public, PR specialists can also be involved. The company should be open with the media and describe the measures taken to prevent this situation from recurring (Eriksson, 2018). That shows customers that the company cares about them, even at some cost to its reputation and image. While the risk of a data breach can never be completely ruled out, some measures can mitigate the consequences when one occurs.
Roles of Crisis Communication Team Members
As a rule, the success of crisis communication depends on two main factors: first, the place and role of communications or PR in the structure of the organization, and second, the preparation of the crisis communication team and its interaction during the crisis. The crisis communication team should therefore be cross-functional. To make quick and effective decisions, it must undergo regular crisis communication training, develop an algorithm for fast decision-making, and prevent the dominance of authority and social conformism. The team includes all stakeholders, including directors and PR managers. In addition, clients, as a target group, are directly involved in overcoming the crisis: their reaction largely determines whether the company copes with the problem. The roles of the stakeholders are therefore interdependent.
Recommendations for Adaptation and Effective Response to Future Crises
Working through the incident requires both internal work to identify the cause and the perpetrators and external work aimed at interacting with the public and regulators. Therefore, first of all, it is important to notify regulators and customers of the incident (Maniatis, 2018). Then focus on strengthening protection:
- Introducing mandatory encryption.
- Differentiating access rights, with smart cards for authentication.
- Introducing more advanced protection against leaks, such as DLP systems.
Given the impact of a database breach, it is clear that an audit strategy and the protection of the most valuable information in the enterprise database are the highest priority.
This matters because a customer has little ground to sue a company whose network perimeter was penetrated and whose personal computers were turned into spam-sending bots. However, the company can be sure that litigation is inevitable if it loses hundreds of thousands of customer records, especially if identity theft follows. That is why it is essential to implement data leakage prevention technologies in the company.
A well-configured DLP system, used as a last line of defense, can prevent some of the events that lead to data leakage. DLP comes in two forms. Endpoint agents control what leaves a workstation, and network DLP placed in the DMZ can stop specific types of information from leaving the company (Luburić, 2019). The second type is special software or a hardware gateway that analyzes all traffic going outside the company. After careful configuration, such systems detect the transfer of confidential information at the moment the data is sent, block the violation, and identify the culprit.
Companies tend to learn about these violations from third parties rather than from their own employees and technology, so it is important to build systems that reduce the risk of a crisis. Privileged Identity Management (PIM) can be another aid in crisis prevention. PIM products automate the management of powerful administrative accounts by addressing issues such as shared administrative accounts and passwords, unnecessary administrative privileges, separation of duties, and password rotation (Kumar & Bhardwaj, 2018). They also provide customized reports and audit evidence that security policies and controls are applied.
No company is completely immune to information leakage or cyberattack; unfortunately for business owners, such incidents are routine. For each crisis scenario, a separate plan can be prepared and followed if something happens. The most important thing to remember is that a crisis can happen to any company, and what matters is not whether it happens but how the company reacts to it.
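As an added example that is not from any DLP product or from the cited source, here is the kind of content-inspection logic a gateway applies to an outbound message: candidate card numbers are validated with the Luhn checksum so that order numbers and other digit runs are not flagged, an SSN-shaped pattern and confidentiality markers are looked for, and a message is blocked only when it carries such content and is addressed outside the company, with the sender recorded so the culprit can be identified. The internal domain, the three sample messages and the test card number are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "bigbox.example"   # assumed company mail domain

# Candidate card numbers: 13-19 digits, optionally separated by spaces or
# dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
CONFIDENTIALITY_MARKERS = ("confidential", "internal only")


def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and other digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the normalised digit strings of every Luhn-valid card number in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Message:
    sender: str
    recipient: str
    body: str


@dataclass
class Verdict:
    action: str        # "block" or "allow"
    sender: str        # who tried to send it: needed to identify the culprit
    reasons: list = field(default_factory=list)


def inspect(msg):
    """Gateway decision for one outbound message."""
    reasons = []
    cards = find_card_numbers(msg.body)
    if cards:
        reasons.append(f"{len(cards)} card number(s) passing Luhn")
    if SSN_RE.search(msg.body):
        reasons.append("SSN-formatted identifier")
    lowered = msg.body.lower()
    if any(marker in lowered for marker in CONFIDENTIALITY_MARKERS):
        reasons.append("confidentiality marker")
    # Only traffic that leaves the company is blocked; internal mail with the
    # same content is allowed but the findings are still returned for logging.
    leaves_company = not msg.recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    action = "block" if (reasons and leaves_company) else "allow"
    return Verdict(action, msg.sender, reasons)


# Constructed sample traffic; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_MESSAGES = [
    Message("jdoe@bigbox.example", "buyer@freemail.example",
            "Customer export attached. Card 4111 1111 1111 1111, SSN 123-45-6789."),
    Message("ops@bigbox.example", "courier@partner.example",
            "Please pick up order 1234567890123456 tomorrow."),
    Message("cfo@bigbox.example", "board@bigbox.example",
            "CONFIDENTIAL: Q3 numbers, internal only."),
]


def run(messages=SAMPLE_MESSAGES):
    return [inspect(m) for m in messages]


if __name__ == "__main__":
    for v in run():
        print(v.action, v.sender, v.reasons)
```

Pattern matching of this kind is only the simplest detector a real gateway uses; products add exact-data matching against the customer database and document fingerprinting, and none of it sees traffic the attacker has encrypted unless the gateway terminates TLS.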
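As an added illustration, not from any PIM product or from the cited paper, the following Python model shows the controls the paragraph lists working together: a shared administrative password is checked out for a limited time, the approver must be someone other than the requester (separation of duties), only one person can hold it at a time, the password is rotated at check-in so the value the user saw becomes worthless, and every decision is written to an audit log from which a report of stale passwords, open checkouts and refusals is produced. The account name, the user names, the in-memory store and the 30-day rotation policy are assumptions.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
T0 = datetime(2021, 1, 1, tzinfo=timezone.utc)   # assumed clock origin for the demo


def later(minutes=0, days=0):
    return T0 + timedelta(minutes=minutes, days=days)


def generate_password(length=24):
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


@dataclass
class Checkout:
    user: str
    approver: str
    expires: datetime


@dataclass
class PrivilegedAccountVault:
    approvers: set
    # Assumption: plain in-memory store. A real vault encrypts secrets at rest
    # and pushes each rotated password to the target system.
    passwords: dict = field(default_factory=dict)    # account -> current password
    rotated_at: dict = field(default_factory=dict)   # account -> last rotation time
    active: dict = field(default_factory=dict)       # account -> Checkout
    audit: list = field(default_factory=list)

    def _log(self, when, event, account, **detail):
        self.audit.append({"when": when.isoformat(), "event": event, "account": account, **detail})

    def _rotate(self, account, now):
        self.passwords[account] = generate_password()
        self.rotated_at[account] = now
        self._log(now, "rotated", account)

    def register(self, account, now):
        self._rotate(account, now)

    def checkout(self, account, requester, approver, now, ttl=timedelta(hours=1)):
        """Hand out the shared admin password for a limited time, or None with the refusal logged."""
        reason = None
        if account not in self.passwords:
            reason = "unknown account"
        elif requester == approver:
            reason = "separation of duties: requester cannot approve own request"
        elif approver not in self.approvers:
            reason = "approver not authorised"
        elif account in self.active and self.active[account].expires > now:
            reason = f"already checked out by {self.active[account].user}"
        if reason:
            self._log(now, "checkout_denied", account, requester=requester, approver=approver, reason=reason)
            return None
        self.active[account] = Checkout(requester, approver, now + ttl)
        self._log(now, "checkout", account, requester=requester, approver=approver,
                  expires=(now + ttl).isoformat())
        return self.passwords[account]

    def checkin(self, account, requester, now):
        cur = self.active.get(account)
        if cur is None or cur.user != requester:
            self._log(now, "checkin_denied", account, requester=requester)
            return False
        del self.active[account]
        self._log(now, "checkin", account, requester=requester)
        self._rotate(account, now)   # the password the user saw is now worthless
        return True

    def report(self, now, max_age=timedelta(days=30)):
        """Audit evidence: passwords older than the policy, open checkouts, refusals."""
        return {
            "stale": sorted(a for a, t in self.rotated_at.items() if now - t > max_age),
            "open_checkouts": {a: c.user for a, c in self.active.items() if c.expires > now},
            "denied": [e for e in self.audit if e["event"].endswith("_denied")],
        }


if __name__ == "__main__":
    vault = PrivilegedAccountVault(approvers={"bob"})
    vault.register("root@db01", T0)
    print(vault.checkout("root@db01", "alice", "alice", T0))   # None: self-approval refused
    pw = vault.checkout("root@db01", "alice", "bob", T0)
    vault.checkin("root@db01", "alice", later(minutes=5))
    print(vault.report(later(days=40)))
```

The point of rotating on check-in is that a password copied into a script or a chat window during the session stops working the moment the session ends, which is what removes the standing shared credential that a breach investigation otherwise cannot attribute to one person.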
DER SPIEGEL. (2021). In eigener Sache: Sicherheitsvorfall bei der Community-Software “Talk” [On our own behalf: Security incident in the community software “Talk”]. DER SPIEGEL. Web.
Eriksson, M. (2018). Lessons for crisis communication on social media: A systematic review of what research tells the practice. International Journal of Strategic Communication, 12(5), 526–551. Web.
Kumar, V., & Bhardwaj, A. (2018). Identity management systems. International Journal of Strategic Decision Sciences, 9(1), 63–78. Web.
Luburić, R. (2019). A model of crisis prevention (based on managing change, quality management and risk management). Journal of Central Banking Theory and Practice, 8(2), 33–49. Web.
Maniatis, G. (2018). From a crisis of management to humanitarian crisis management. South Atlantic Quarterly, 117(4), 905–913. Web.
Varma, T. M. (2020). Responsible leadership and reputation management during a crisis: The cases of Delta and United Airlines. Journal of Business Ethics. Web.