The MOVEit supply-chain hack led to the leakage of personal data of thousands of current and former staff across the BBC, British Airways, Aer Lingus, Boots, EY, Transport for London and with the media watchdog, Ofcom, finding that payroll data has been stolen.
Data was stolen because Zellis, a company used to process payroll, used MOVEit, a data transfer tool created by a company called Progress Software. Hackers found a way to break into MOVEit but Zellis themselves seem to be as much a victim of a vulnerability in MOVEit’s code as its client. The result of this was that, on a sunny Friday afternoon, as seems to always be the case for such incidents, Zellis went into crisis comms mode. By the Monday morning, its clients such as Boots, BA and the BBC started to communicate the breach to its staff and to the media.
This may seem like a financial emergency. Yet, in reality, the same amount of concern needs to be given to the reputational damage. As Boots and others understood, it was as much of a communication crisis as an economic one. Data breaches like this can quickly escalate into a business crisis, leading to high-profile negative media attention, financial losses, operational disruption, and damage to customer loyalty and investor confidence.
The companies caught up in the MOVEit hack had a legal duty to report the breach. Legislation in the USA, UK, and the EU requires businesses to report data breaches like this to regulators within 24 to 72 hours of becoming aware. Some sectors, such as finance, health, education, and utilities, have enhanced regulations. Not complying with these rules can result in fines, with directors held liable, but how you communicate the breach is critical.
Boot and British Airways, for example, emailed all staff telling them if they have been cited as a specific person whose data was at risk or not. While its comments to the press clearly demonstrated fault was not theirs:
“We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures.”
“We have been informed that we are one of the companies impacted by Zellis’ cyber security incident which occurred via one of their third-party suppliers called MOVEit. Zellis provides payroll support services to hundreds of companies in the UK, of which we are one.”
While reporting incidents to regulators is a legal requirement, how you communicate any data breach to wider stakeholders, including customers, partners, the media, industry peers, and staff on the other hand, is a much more nuanced endeavour and the approach taken can vary from company to company.
Hacks gain mass media coverage. In the first instance, news desks will report an incident without too much examination into how a breach unfolded and will run whatever statements they are sent – even leaks from disgruntled staff who are not aware of all the facts. It could be days before the more technical cyber security press report on the details of what happened. For most firms’ reputations are formed or hurt within the ‘golden hour’ of the news of the breach breaking.
It is critical that cyber security crisis communication experts are brought in at the earliest opportunity and be fully briefed on all the details and kept updated on all developments. Experts can help hone the message, making sure the key top lines are consistently communicated in all correspondence, from detailed CSO-to-CSO or GC-to-GC information sharing, the internal communications and of course press statements. It is vital that the detailed facts are translated into easy-to-understand synced lines.
However, bringing a cyber security communication team in after a hack will be too late. Every business should have a cyber security crisis communication plan, a plan which is regularly stress tested, where several cyber security scenarios will be played out and the responses analysed. The communications “pen test”.
When an incident occurs, it quickly escalates into a business crisis. Business needs to ensure they are compliant, ready, and tested for a data breach of their own. When a company communicates a data breach it must have aesthetic, clear, calm, and professional communication procedures, and messages to deal with the make-or-break business-critical situation. Communication is key, that is a business hack we want to get out there.
Nic Conner is an Account Director at PRO
PRO are cyber crisis communication experts. It supports its clients with:
PRO offer monitoring and regulatory insights service to retained clients.
PRO take a dive deeply into business crisis communication operations reviewing any current policies and procedures..
Cyber crisis communications procedure handbook and boardroom-level booklet
PRO produce cyber crisis communications procedure handbook.
Up-skill the wider staff on knowing what to do during a cyber crisis.
PRO test the capabilities of business communications procedures with a real-time workshop where several cybersecurity scenarios will be played out and the responses tested.
To discuss how we can support your organisation or for more information on any or all of the above please contact [email protected]