Words: Caity Dalby
          Photography: Adobe Stock/Creative Commons
                                                                             A BREACH MAY BE
                                                                             BUT HOW YOU REACT,

Data breaches can happen at any time, anywhere, and affect any
organisation. So how can you ensure that you’re prepared to deal
                                                                             AND RECOVER,
                                                                             SHOULDN’T BE.

with cyber attacks as and when they happen?

Having a defined, documented and well-distributed internal data breach
communications strategy - supporting and enhancing the companies’
wider recovery plan - is key to managing an unpredictable cyber attack.
A breach may be unpredictable, but how you react, communicate, and
recover, shouldn’t be. And with British Airways being handed a record fine
by the Information Commissioner’s Office (ICO) for their 2018 data breach,
cyber resilience is of paramount importance. [1]
Cyber resilience is defined as the ability
       of an organisation or business to anticipate,
       withstand, contain, recover, and evolve after
       a data breach (The Chartered Institute of
       Procurement & Supply, CIPS). [2]

       When approaching these principles of cyber
       resilience, they can be separated into three
       primary stages: Before, During and After.
       Planning an extensive communications
       strategy for each stage, whilst ensuring you
       have a cohesive plan that touches every point
       in the business, is the key to cyber resilience.
       How you utilise your PR and comms to manage
       an unpredictable cyber attack can be the
       difference between substantial fines and
       surviving a data breach with minor
       reputational damage.

       We look at the Before, During and After stages
       in the process of managing an unpredictable
       cyber attack, with examples of the good,
       the bad, and the ugly in cyber resilience.

Preparation and Planning

Firstly, you need to define what a “data
breach” means to your company.
Every company is different in whose data
it holds and how it stores that information.
There needs to be a definitive idea of what a
data breach or cyber attack looks like for your
company and a company-wide understanding
before you can plan your withstand, contain,          THERE NEE
recover and evolve strategy.                                     DS
Once that is clear, a strategy needs to be
                                                      TO BE AN
built and put in place. This includes conducting
simulations, a plan for internal responsibility
                                                                 E AT
and management during the breach, and
the curation of a wide-range of pre-written          ALL LEVELS          People
collateral. These will range from social media                    THAT
posts, marketing campaigns, press releases           DESPITE AL          The human aspect of managing
and general proactive PR outreach, and quotes                   L THE    an unpredictable data breach within
or testimonials for key spokespeople. These          PREPARATI           a company is paramount to the success
are all of equal importance and none can work                  ON        of recovery.
in isolation; only a holistic and wide-reaching     AND PLANN            First and foremost, there needs to be
communications strategy will be effective.
                                                                ING      an acceptance at all levels that despite all the
                                                    IN THE WOR           preparation and planning in the world, you may
                                                                LD,      still be targeted and suffer from a cyber attack.
                                                   YOU MAY ST            No one is invincible or impervious.
                                                               ILL BE
                                                   TARGETED              Second, clear planning needs to take
                                                                         place with a broad range of stakeholders.
                                                                         This includes the CEO, CMO, Head of
                                                                         Communications, and beyond. Key decision
                                                                         makers should plan a strategy in advance,
                                                                         matching responsibilities to those who can
                                                                         take action, and outlining how these plans
                                                                         compliment the wider communication strategy.
                                                                         This ensures a brand’s reputation and values
                                                                         are upheld and that consistent messages are
                                                                         delivered across channels.
On 25 March 2018, 150 million MyFitnessPal
customers had their accounts hacked and
personal details stolen in a cyber attack on
the sports giant - usernames, email addresses,
and passwords were compromised. The parent
company, Under Armour, stated that they
became aware that “an unauthorized party
acquired data associated with MyFitnessPal
user accounts” in February 2018, a month
before the public announcement. [3]

MyFitnessPal are a prime example of inadequate
preparation, despite their initial seemingly
adequate response. They not only failed
to notice that their systems had been hacked
for an entire month, but they had neglected
to prepare or implement a plan for how to
effectively deal with a cyber attack. They didn’t
have a way to ensure that their customer’s data
would be protected post-data breach.

This has come to a head, as it has recently
become apparent that some of the hacked
data has become available to purchase on the
Dark Web a year after the data breach. [4] In a
report from The Register, the hacked data from
MyFitnessPal is on sale, alongside credentials
from 15 other websites and apps, for less than
$20,000 in Bitcoin. [5]

Despite minor encryption of passwords and
MyFitnessPal’s instruction to its customers to
change their passwords, the selling of these
details could cause issues for people who
reuse passwords across multiple websites.
The ramifications of the MyFitnessPal data
breach aren’t as far reaching as others,
however the sheer scale of the cyber attack
and the continuing problems that are arising
display an internal lack of forward planning.
Control and Contain

As you work to control and contain an
unpredictable cyber attack, there needs
to be an admission of clear liability and
acknowledgement of responsibility from
                                                 important messages aren’t missed and
                                                 the organisation is responding in a timely
                                                 fashion. This is as much the case with the
                                                 acknowledgement of liability from the
media-facing spokespeople. Saying sorry,         company’s spokesperson/people, as it is
and knowing when it’s appropriate to say it,     with messaging on social media channels          zone to your company’s HQ, there needs to
is incredibly important. And as enquiries and    and the website.                                 be a backup plan. Having a contingency
press coverage increase during incidents,                                                         plan for when your workforce goes home
it’s important to move away from solely          As such, you need to have tight control          for the day should not be overlooked:
reactive action and be seen to be proactive.     over your communications channels.               organise employees to take shifts, provide
                                                 This includes stopping scheduled                 on-the-go resources so employees can continue
                                                 communications in the form of press              to work at home, or bring in outside support.
SAYING SORRY                                     releases and marketing campaigns,
                                                 and making sure multiple people have             Another aspect of the control and containment
AND KNOWING                                      access to the businesses’ social media
                                                                                                  period of managing an unpredictable cyber
                                                                                                  attack is the ability of your website to handle
                                                                                                  a dramatic spike in traffic. Websites often
WHEN IT’S                                        When communicating messages during
                                                 a data breach, it’s important to consider
                                                                                                  see a rise in visits once a data breach has
                                                                                                  been announced publicly and reported in the
APPROPRIATE                                      your audiences, the social media channels
                                                 they use, the type of content they respond
                                                                                                  press, as members of the public look to official
                                                                                                  channels for answers. Ensure all information is    “REMEMBER
                                                 to, and what they will be expecting in this      up-to-date by setting aside a plan of action to
TO SAY IT, IS                                    situation. Maximising your reach in this way
                                                 will encourage engagement and awareness;
                                                                                                  bring in more resources. Factoring in time for
                                                                                                  training and providing additional equipment        THE 3 RS -
INCREDIBLY                                       whilst connecting with your audience in a
                                                 professional and reassuring manner will
                                                                                                  is useful.
                                                 help contain the fallout of the data breach.     In the same vein as providing adequate
IMPORTANT.                                       It’s important to be aware and mindful of the
                                                 feelings of customers that have been directly
                                                                                                  resources, technical competence within the
                                                                                                  business or a detailed plan for outsourcing        REGRET AND
                                                 impacted by the data breach.                     technical support needs to be in place.
As Jon Sellors, Head of Corporate Comms
at LV=, says you should “Remember the 3 Rs -     It’s also key to consider time-zones and out
                                                                                                  Recovering quickly, with as little reputational
                                                                                                  damage as possible, is unlikely if you don’t
recognise, regret and resolve.”                  of hours support as the flurry of activity and   have the fundamental technical competence          JON SELLORS,
                                                 messages won’t stop when your standard           to fix what led to the data breach in the first
When in the midst of a data breach clear lines   operating hours end. And if a crisis begins      place and to implement a multi-channel PR
                                                                                                                                                     HEAD OF CORPORATE
of communication are crucial to ensuring         out of hours, or surfaces in a different time-   and communications strategy.                       COMMS, LV=


                Staying informed during any kind of crisis,         As previously mentioned, it’s important to be truly
                but especially during a public data breach,         global with your cyber resilience plan and media
                is essential. Knowing who is talking about          monitoring during a data breach. With cyber
                you, the press you’re receiving, and the            attacks hitting companies globally, out of hours,
                sentiment of that press, can make all the           in a different time zone to HQ, or focused on a
                difference in the outcome of your                   specific regional part of a business, the reach of
                recovery process.                                   your media monitoring needs to extend beyond
                                                                    English language news sources.
                Utilising a media monitoring and reputation
                management platform, such as Signal A.I.,           The Signal A.I. platform accurately categorises,
                can automate the monitoring process and             translates and extracts intelligence from over
                allow you to respond to media coverage in           three million media sources a day and surfaces
                real-time - a must in the modern 24-hour news       the relevant information in real-time. You should
                cycle. The Signal A.I. platform mirrors the         invest in a media monitoring tool that provides
                established workflow of a business, automating      you with an invaluable global outlook and head
                media monitoring, reporting and analysis, to free   start when dealing with media fallout during and
                up time for key stakeholders and spokespeople       after a breach.
                to focus on making informed decisions in the
                cyber attack recovery process.
A great example of efficient and effective
control and containment of a data breach is
the 2011 cyber attack on SONY’s PlayStation
Network. The data breach is viewed as the
worst to hit the gaming community of all-time.
It impacted 77 million PlayStation Network
accounts, and out of these accounts 12 million
had unencrypted credit card numbers. Hackers
gained access to full names, passwords,
e-mails, home addresses, purchase history,
credit card numbers, and PSN/Qriocity
logins and passwords.

The data breach hit SONY hard, with the
website down for a month and estimated
losses of $171 million. Despite the financial
ramifications of this incident, it serves as a
great example of corporate responsibility -
knowing how and when to say sorry.

Like many companies that experience a data
breach and the inevitable backlash that comes
from it, SONY’s approach wasn’t without faults
and imperfections. However, they knew when
to take responsibility as a company, how to
apologise, and which spokespeople had to
take public liability. In a move that helped to
save them from further reputational damage,
SONY’s president and two senior executives
stepped-up as media facing spokespeople to
apologise publicly and accept liability for the
data breach. [6]
Once the dust has settled and media                 Communicate
coverage has slowed, it’s time to learn from the                                                        YOU NEED TO
experience, evolve so it is less likely to happen   There also needs to be continuing and clear,
again, and understand why it happened to you
in the first place.
                                                    key messaging about the breach in the
                                                    aftermath. Companies’ need to proactively
                                                                                                        ASSESS WHAT YOU
                                                    provide information on any ongoing
Learn and Evolve                                    investigations, the results of these, and further   CAN DO TO CHANGE
                                                    actions they are taking to ensure the data
There isn’t a definitive step-by-step process
to follow in the aftermath of a data breach.
                                                    they hold is more secure.
                                                                                                        THE REPUTATION &
But once you’ve managed to withstand the            With the implementation of GDPR in Europe
initial cyber attack, you need to go back           and other data protection laws across the           PUBLIC PERCEPTION
to the drawing board with the rare opportunity      globe, including the US Federal Trade
to shape and improve your processes. All of
the following need to happen simultaneously
                                                    Commission Act, consumers are more acutely
                                                    aware of their rights. They have a better and
                                                                                                        OF YOUR COMPANY.
for a business to truly come out of a serious       more informed understanding of how data
data breach the better for it.                      protection and security works, the value of         Understand
                                                    their information, and the consequences for
You need to re-prep and plan for next time.         businesses that do not comply. As a result,         In tandem with the above actions, as a business
And don’t be complacent as there may very           it’s absolutely necessary for you to not shy        you need to define why you were the target for
well be a next time. This involves evaluating       away from it, the press and your customers          a cyber attack. This can be for a multitude of
what in your current strategy to manage an          certainly won’t.                                    reasons, but defining why you were targeted
unpredictable cyber attack did and didn’t work.                                                         will be invaluable information to possess in the
                                                                                                        learning and re-planning process. And again, it is
You need to question everything the business
did in reaction. Did you monitor the media
                                                    THERE NEEDS TO                                      an opportunity to realign and direct the company
                                                                                                        in a different direction.
being produced about you adequately enough
to provide real-time, useful updates? Can
                                                    BE CONTINUING                                       Businesses are either randomly targeted or
you confidently claim that you effectively                                                              chosen due to obvious (to cyber attackers)
contained the damage through both reactive
and proactive measures? Was your messaging
                                                    & CLEAR KEY                                         security flaws or for reputational reasons. In the
                                                                                                        case of Ahsley Madison, the extra-marital dating
                                                                                                        site, it’s no surprise that it was reputation driven.
about the data breach clear and informed?
An outside mediator, moderator, or security
                                                    MESSAGING ABOUT                                     If you determine that you were targeted because
provider may be necessary for this process as                                                           of the latter, you need to assess what you can do
objectivity is hard to maintain.                    THE BREACH IN                                       to change your reputation and public perception
                                                                                                        of your company.

                                                    THE AFTERMATH.
Reputation is everything, especially when        and chief technology officer of the company
yours attracts “vigilante” hacking groups.       in April 2017, made a point to publicise the
                                                 security measures they implemented following
Ashley Madison, or The Ashley Madison            the breach: two factor authentication, a bug
Agency under the parent company Ruby Corp,       bounty program, adherence to the NIST
suffered a massive security breach in 2015       cybersecurity standards, a no-third party policy
that exposed over 300 GB of user data. This      when it comes to user’s information, and
included users’ real names, banking data,        new chief information and security officers.
credit card transactions, and secret sexual      “Security and discretion” were described
fantasies.                                       among Buell’s key focuses for 2018.

The vigilante hacking group, ‘The Impact
Team’, demanded a ransom for Ashley
Madison’s user’s data, as a punishment for the
company not keeping the data secure. This
                                                 “ASHLEY’S CORE
wasn’t paid and the ramifications of the data
breach were far reaching, impacting both the
business and its users, leading to numerous
“[r]esignations, divorces and suicides.” [7]     IS DISCRETION.”
According to the Federal Trade Commission        RUBEN BUELL,
(FTC) complaint post-hack, Ashley Madison        FORMER PRESIDENT & CTO,
“had no written information security policy,
no reasonable access controls, inadequate        RUBY (ASHLEY MADISON)
security training of employees, no knowledge
of whether third-party service providers were    This seems to have worked; by gradually
using reasonable security measures, and          rebuilding their reputation and focussing
no measures to monitor the effectiveness         their efforts on regaining public trust they are
of their system security.” [7] Part of the FTC   reported to have “191,000 daily active users
settlement required that the company add         (defined as members who have exchanged
“a comprehensive data-security program,          messages) and 1.4 million new connections
including third-party assessments.”              made each month.” [8]

In the years since the cyber attack, Ashley      Whether you agree with the platform or
Madison have been quietly recuperating and       not, their bounceback after the data breach
evolving. They have by no means done a           and subsequent success says a lot for their
perfect job at post-breach recovery, but the     recovery and evolution.
intention is there. They have defined, and now
understand, why they were a target - both
reputational and ease of access. Importantly,
they have put the groundwork in to repair
their damaged business.

In a major change, Ashley Madison have
realigned their central message. They
now exist to help those in loveless/sexless
marriages, those going through divorce and
illness. Ruben Buell, who became president
If handled incorrectly data breaches can
break a company financially, irreparably
damage reputation, or have devastating
consequences for customers. And they
can happen to any business. Curating and          Bibliography
implementing a communications and PR              [1] British Airways faces record £183m fine for data breach, BBC News (8 July 2019).
strategy for managing an unpredictable            [2] Cyber Crisis Management Plan for countering cyber attacks and cyber terrorism, The Chartered Institute of
cyber attack is paramount for a businesses’       Procurement & Supply (CIPS), 2018.
survival of, and recovery from, a data breach.    [3] MyFitnessPal: Notice of Data Breach, MyFitnessPal (29 March 2018).
                                                  [4] Hacked MyFitnessPal Data Goes on Sale on the Dark Web—One Year After the Breach, Fortune (14 February 2019).
                                                  [5] 620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts, The Register (11
By doing what you can to ensure cyber             February 2019).
resilience through adequately anticipating,       [6] Sony bosses apologise over theft of data from PlayStation Network, The Guardian (1 May 2011).
stoically withstanding, efficiently containing,   [7] Life after the Ashley Madison affair, The Guardian (28 February 2016).
effectively recovering, and evolving with         [8] Ashley Madison attempts to regain the public’s trust, (29 March 2018).
humility, brands can safeguard themselves.
And ultimately, and fundamentally more
importantly, businesses can protect their
customer’s data.
Signal is the A.I. powered media monitoring
  platform delivering strategic insights that
  help you make the best possible decisions.

For more information email
or call us on +44 (0) 20 3828 8200 (UK and rest of world)
or +1 917 398 5931 (US).
You can also read
NEXT SLIDES ... Cancel