It’s the stuff of PR nightmares – a company embroiled in its most significant crisis, one that has wider implications in society at large, with negative press and other opinion wherever you look, watch and listen; and photos (like the one in Saturday’s Telegraph, above) presenting a carefree image of its CEO looking like he or she is thinking about anything but the crisis, its effect on stakeholder groups including employees, customers and shareholders, and how to get through it to the other side.
What’s emerging is that the personal and identifiable data of all TalkTalk’s 4 million customers may have been stolen by the hackers. That could include names, addresses, dates of birth, credit card details, bank account information, TalkTalk account log in credentials including passwords, and who knows what else (although TalkTalk has a note on its website yesterday denying much of that).
A treasure trove for identity thieves.
It’s emerging, too, that not only were TalkTalk’s databases unencrypted either in whole or part but also that this is the third such data breach – and the most serious – in less than a year.
Observing this unfolding crisis since the news first emerged publicly late in the evening UK time on Thursday October 22, I’ve noted these things in particular:
- Far too many “We don’t know” statements from the CEO in response to questions in media interviews asking about what happened and how serious it is.
- Angry customers venting on social media (especially Twitter) about lack of communication from TalkTalk.
- Reports about some customers actually having money taken out of their bank accounts without their knowledge or permission, and attributing this to the hack.
- Loads of FUD everywhere about who was behind it (Islamic jihadists, apparently) and what happens to customers who want to leave right now: penalty fees, held to contract, no you can’t, yes you can…
— ICO – Information Commissioner's Office (@ICOnews) October 23, 2015
That looks like a genuine, clear and present risk to TalkTalk, one that I believe will affect its ability to do business going forward. The share price took a big hit in the closing days of the week but has rallied over the weekend. Whatever the outcome of this crisis – and especially if it shows lack of care over customer data – the CEO may be well advised to brush up her CV.
What amazes me is how passive in its communication TalkTalk has been at a time where proactive, robust and credible leadership – actions and communication – are the requirement.
Rather than all the “We don’t know…” comments in the immediate aftermath of the public disclosure of the hack, I would have expected to hear something very strongly reassuring to customers, perhaps along the lines of this:
“No customer will suffer financial loss as a result of this hack. While we believe it unlikely there will be any financial losses, we will indemnify you if you do suffer a direct financial loss as a result of this breach of access to data as long as you have followed our advice on the steps you must take regarding security of your personal information including account details. We will keep you informed as we learn more.”
This assumes TalkTalk has issued advice to its customers on what they need to do about security. And the lawyers would need to be involved in the actual wording. But the sentiment is the thing – we care about you, dear customers, and we will do everything to safeguard you.
Four days later, I’ve neither heard nor seen or read anything like that. As trust is at the heart of what might happen next, you have to ask yourself this question: “Do I trust TalkTalk?”
Right now, that’s a hard question to answer.