Yahoo’s PR team had a stressful week Sept. 19-23. On September 24, the company confirmed that the data of at least 500 million users was exposed in a 2014 hack. A day earlier, Recode reported that the announcement was expected before it was officially confirmed, and the news rocketed around the world — and caused friction with Verizon, who was in talks to buy Yahoo at the time. It may be the largest data breach ever (that we know about).
Why does this matter for the rest of us PR folks (as we thank our lucky stars that we’re not having to deal with that dumpster fire of a situation)? Two reasons. First, because it might happen to one of our clients soon. Any digital company is at risk of a breach, and most companies are now digital companies. Hospitals have been hacked. POS systems at stores have been hacked. Social networking sites of all shapes and sizes have been hacked. If you represent a company that stores customer data on a network, especially any kind of personal data, a data breach is something you should be planning for.
Second, this situation can teach us a lot about the ethics of disclosure in a security incident. One of the main criticisms aimed at Yahoo in early coverage of the attack was that it waited 18 months to confirm the breach, which reportedly happened in 2014, and to notify customers. Several technical experts were skeptical that Yahoo had put enough effort into confirming the breach, fixing the problem, and protecting its users. Yahoo’s PR team is now between a rock and a hard place trying to justify the delay. While I’m sure Yahoo was not thrilled about explaining to everyone exactly how it had been attacked and what it was doing about it, disclosing this information earlier would have saved the company a lot of trouble now. Having this argument (with our bosses, if necessary) is part of our job.
Here’s an example of a similar situation handled differently. A Voxus client, a security firm, was named in several articles about a new vulnerability that affected its products. After a few days of frenzied analysis, the company found that the exploit in question actually targeted products of a company it had acquired several years earlier and incorporated into its security offerings. The way the two had been integrated meant that the old exploit no longer worked and that current customers were safe. Our team did outreach to all of the journalists who wrote about the exploit and successfully got many of them to update their stories. While this is not the same situation that Yahoo found itself in, it shows the value of responding quickly and being as open and transparent as possible about the situation.
Here are some basic pointers on how to respond to a cybersecurity incident:
- Respond quickly and update media frequently
- Go beyond apologizing to customers and explain the steps that are being taken to fix the security issue (both in detailed technical terms for experts and in simplified English for everyone else)
- Develop a crisis plan that includes details for a cybersecurity incident so that the company’s response can be more coordinated
These are tricky situations and there is no one easy answer. But given the rise in cyber attacks across a widening range of companies, these are questions worth pondering. We may have to deal with them sooner than we’d like.