5 Branding Lessons from Past Data Breaches: What CISOs Need to Know
Experiencing a significant data breach might be your company's worst nightmare - but it doesn't have to be
If your reputation takes a hit because your data security has been compromised, there are a number of steps you can take to make things right. Launching your incident response plan should be your first move. When the time comes to notify your customers about the breach, honesty and transparency are pivotal to preserving your relationship with them during a crisis.
Communicating with your customers during these delicate times takes finesse, and it can be challenging to walk the line between being straightforward and reassuring. Collaboration with your C-Suite peers is essential to combating cybercriminals, but CMOs can also help you safeguard your brand identity while informing your customers about a breach. With 71 percent of CMOs worried about the negative effect a security breach can have on your brand, it's important to proactively involve CMOs in your communication plan. Working together, you can mitigate potential damage while guiding your customers through the situation.
Major U.S. cybersecurity firm, SolarWinds, is currently in the hot seat thanks to a malware attack that has potentially affected thousands of their customers. According to PR News, swift and ongoing communication with their customers from both SolarWinds and Microsoft will help mitigate long-term damage to their brand. Only time will tell.
We can learn a lot from how others have handled customer interactions during past breaches. Fortunately, there are plenty of branding lessons from past security breaches to mine. For these companies, the dust has settled, and we know that many came out the other side relatively unscathed. Some discovered the right strategies, while others fell short.
Let's take a few of the largest data breaches to date to see what has (and hasn’t) worked to help businesses bounce back from cyber attacks.
Adobe
In 2011, Adobe did what many technology companies have done – made the switch to the cloud. Unfortunately, the shift into a software-as-a-service business model did not go smoothly. Their lack of a cohesive security strategy left them vulnerable to a cyber attack. In an interview with CSO Online, Adobe’s CSO, Brad Arkin, explained that, after the attack, he reorganized Adobe’s security teams and was promoted to CSO. Previously, they did not have a C-level security title. Arkin leveraged these internal changes to improve their optics and demonstrate to the public that they were taking security threats seriously. They also promised to inform users if there was another breach.
The lesson: Your external message should reflect your internal security values.
Target
Target’s post-breach communication strategy was decidedly lacking in their signature personality during a massive data breach back in 2013. Letters informing shoppers of the attack were widely mocked for insensitivity, though they offered a free year of credit monitoring to those affected. Target's misstep is a perfect example of why you need to incorporate your brand's identity and values into your breach response plan.
The lesson: Make public responses to security breaches consistent with your core brand.
eBay
In 2014, hackers managed to access eBay’s account list of 145 million users. The attack exposed sensitive data like names, addresses, and dates of birth as well as encrypted passwords. As a result, their shares fell and three states came together to investigate eBay’s security practices. Coming on the heels of the Target breach, many were disappointed with eBay’s lack of immediate notification to their customers or push to change the compromised passwords right away. Their attempts to downplay the security incident backfired. Experts criticized them for not providing enough information about how they were handling their breach response – both in why it took them so long to find the breach in the first place and in how they were planning to protect customer passwords going forward.
The lesson: It might be tempting to put off giving bad news, but don’t wait to inform your customers about a serious security breach. And do provide adequate detail on your response.
Uber
Covering up a data breach can lead to worse outcomes than just customer turnover. Uber’s former CSO is being charged with obstruction of justice after failing to report a significant security breach back in 2016. Uber still has work to do to repair the damage that this and previous missteps have done to their image.
The lesson: Own your mistakes and admit when you’ve had problems. Transparency is the only way forward.
Equifax
Equifax’s security breach in 2017 was one of the largest and most significant data breach events ever to occur. As one of the “Big Three” credit reporting agencies, Equifax is a prolific gatherer of personal financial information. After the highly publicized breach, they found themselves in the awkward position of having exposed the personal data of 143 million Americans, which did little to endear them to the public. The hit to their brand identity was noticeable: in the days after the breach, they saw their US RepTrak score plummet by 14 points (down to 52.5 from 66.5), with most of the drop attributable to declining trust in their corporate governance. In the years since, Equifax has focused on boosting internal security to win back public trust.
The lesson: Go back to basics and build security your customers can believe in.
If there is one thing all businesses can take from these lessons, it’s that you can never be over-prepared for that inevitable data breach. Build a cross-team approach for your response today so that when a breach occurs, you’re ready to take action to protect your customers and your brand. IDX’s no-cost MSA Priority Response solution helps ensure that your company is ready for today’s highly complex and dynamic cyber threat landscape.