Ten years ago, a data breach that compromised the details of a million people would have been big news. Today, it wouldn’t even make page ten—we regularly see reports that billions of records have been accidentally released. In just two of the biggest breaches on this list, 3.5 billion people had their records exposed to public view and potential criminal misuse.
But these breaches can also teach us something beyond the importance of good cybersecurity. As we’ve previously pointed out, US consumers abandon brands after breaches. Obviously, the way that you manage your PR after a cyberattack is very important. In this article, we’ll look at how to prepare to meet the PR challenges of a major security breach, and then look at how five of the largest breaches of recent years affected the reputation of the companies concerned.
Are you prepared for a data breach PR nightmare?
First, let’s answer the question we started out with—have the companies affected by the biggest data breaches survived them?
Well, with a few notable exceptions, the answer is yes. That’s not because data breaches aren’t dangerous, though. Rather, it’s because the biggest breaches have (in general) affected the biggest companies. These companies have (in general) the largest amounts of cash reserves available to deal with the fallout.
That said, even some fairly large companies (such as Adult Friend Finder) have been forced to close, or at least rebrand themselves, after a data breach. Further, in many instances this was not due to the breach itself, but rather because the company concerned handled it badly.
In other words, they didn’t take the basic steps necessary to protect themselves from the PR consequences of a data breach. These can be summarized as follows:
- Have a communications plan in place that gives details of how you will communicate about a breach, who will do this, and when. It’s important to be open and honest about a breach. Doing this establishes trust among shareholders and customers that you take their data security seriously.
- Establish a dedicated channel for communicating with customers about the breach, where they can find information and access advice about how they can help.
- Be as open as possible about the consequences of the breach, but not before time. You will need a few days (or, at most, a few weeks) to establish the size of the breach and make sure the vulnerabilities are patched. As soon as this is the case, however, you should be as clear as possible about the data that was stolen.
- Offer information, not excuses. Your customers aren’t interested in you blaming a security vendor for releasing their personal details into the world—they want to know what they can do to protect themselves from the consequences.
If handled correctly, a data breach need not be a disaster. In fact, though we would stop short of calling a cyberattack an opportunity, it can be a chance to show customers and shareholders that you take your responsibilities seriously. Keep that in mind as we look at the worst data breaches of recent years. You’ll notice how a company’s response to a breach is often the deciding factor in how damaging it is.
The first of our massive data breaches affected software company Adobe. In October 2013, Adobe admitted that 153 million user records had been stolen by hackers. Given the size of the breach, it’s not surprising that they didn’t make this announcement easily. In fact, it took investigative work by security blogger Brian Krebs to uncover the initial breach, after which Adobe was forced to admit its size.
This attack is notable not just for that—it was one of the first breaches that affected hundreds of millions of users—but also for setting a legal precedent. Adobe initially tried to deny it was responsible for the attack, but was then forced to sign an agreement in August 2015 that required it to pay a $1.1 million in legal fees and an undisclosed amount to users to settle claims of violating the Customer Records Act and unfair business practices. In November 2016, the amount paid to customers was reported at $1 million.
Adult Friend Finder
Another supersized hack occurred in October 2016, when the FriendFinder network saw 412 million passwords stolen. This network, which included casual hookup and adult content websites like Adult Friend Finder, Penthouse.com, Cams.com, iCams.com and Stripshow.com, stored user passwords protected only by the weak SHA-1 hashing algorithm, which allowed them to be easily decoded by determined hackers.
For our purposes, it’s instructive to note that FriendFinder was particularly badly damaged by the hack because it had claimed that it provided great security. It encouraged (and still does) users to use secure browsers and claimed that their details were protected. As a result, the news of the breach ushered in a swift decline in the entire line of websites.
A more recent hack hit Equifax in 2017 when the personal details of 147.9 million customers were posted on the dark web. Though the source and mechanism of the attack remains confusing even now, the damage done to Equifax’s brand was immediate and unambiguous.
This damage was exacerbated because of the nature of the business that Equifax is in—banking and finance. While no one likes having their personal details exposed to the world, they can tolerate this if the information is relatively unimportant or not financially related. Oops. In this case, the breach compromised the personal information (including Social Security numbers, birth dates, addresses, and in some cases drivers’ license numbers) of 143 million consumers. An additional 209,000 consumers also had their credit card data exposed.
Ultimately, Equifax recovered from the breach, but trust in the company was damaged, which in itself might have cost the company hundreds of millions of dollars. At a time when 50% of buyers find their homes through the internet, a reputation for poor data security is unlikely to make potential mortgage customers feel warm and fuzzy about the company.
Heartland Payment Systems
The hack that affected Heartland Payment Systems in March 2008 was notable for a different reason—almost no one among the 134 million people who had their details exposed had heard of the company before the incident.
Heartland was at the heart of payment processing in the US at the time. In 2008, it processed nearly 100 million transactions a month for more than 175,000 merchants. In other words, it was the largest company that no one had heard of. Then, suddenly, everyone knew about it for the wrong reasons. This breach was discovered in January 2009 when Visa and MasterCard notified Heartland of suspicious transactions from accounts it had processed. The news raced around the world at internet speed.
The consequences for Heartland were swift and devastating. The Payment Card Industry body (the PCI) barred the company from processing payments. It also paid an estimated $145 million in compensation for fraudulent payments.
Canva is an Australian graphic design tool which was hacked in May 2019. According to a later post by the company, a list of approximately 4 million Canva accounts containing stolen user passwords was later decrypted and shared online.
This hack has become something of a case study for cybersecurity professionals in the importance of securing each and every system. On the surface, the details stolen from Canva were not sensitive – merely a list of usernames and passwords. However, because so many people have so many user accounts, even this information is valuable to hackers. A disturbing number of people use the same details for sites like Canva as they do for their internet banking. For this reason, a list of “default passwords” is a hot commodity.
The bottom line
In conclusion, let’s revisit the question we started with—did these companies survive? Have they recovered?
Well, as is apparent from the list above, the answer is undoubtedly “yes.” With the notable exception of Heartland—which is subject to regulation by a powerful industry body—they were all able to ride out the damage caused by the breach and eventually return to profitability, one hopes with more secure systems in place.
And that, unfortunately, is the central dilemma of data: collecting it opens up the possibility of a breach and the ensuing damage to your reputation. But in 2021, companies have little choice but to collect data if they want to stay competitive.