TalkTalk – customer communication in a crisis
TalkTalk is a TV, broadband, mobile and phone provider to the retail market, with a separate business division providing voice and data services, mainly to small and medium-sized businesses. Based in London, it focuses on innovation and value for money. It has a share of some 20% of the UK market and posted total sales of £1.8bn in the year to March 2015. TalkTalk employs 2,232 people.
On October 21, 2015, TalkTalk suffered a cyber-attack accompanied by a demand for ransom. The perpetrators had stolen data that executives thought could compromise the security of customers, but the company initially had no idea of the extent of the hit. Out of the blue, it found itself facing an existential crisis.
The first and most important decision it took was to own up to what had happened, even at the risk that customers would panic unnecessarily. This decision was by no means automatic. According to a survey by the Institute of Directors conducted in December 2015, only 28% of data breaches are reported. Many companies, it seems, prefer to keep quiet and pay up. There was no legal requirement to make a public statement, although this could change soon with new European regulation on data protection, which will give individuals the right to know when their data has been stolen. Moreover, the strong advice of the police was not to make a statement, as this would make it harder to track the perpetrators down.
In the end, according to Baroness Dido Harding, TalkTalk CEO, the clinching factor was the overwhelming desire to look after customers. The risk of the hackers stealing money direct from their accounts appeared quite small. The risk of their becoming vulnerable to phishing attacks based on the partial information that had been taken was large. The primary objective, Harding says, was therefore to warn them of this heightened risk and thereby help customers keep themselves safe.
Nonetheless it was a risky course, even though the police eventually accepted the rationale for the decision and praised the company for its response. At that early stage the company could say little to reassure its customers, because it simply did not know the extent of the damage. Its promise to contact them individually spawned media complaints from people claiming it had not done so. The media started to investigate TalkTalk's previous record, accusing it of paying too little attention to security and of failing to encrypt key data.
Harding rebuts suggestions that TalkTalk had a poor security record. Encryption, for example, is not necessarily appropriate for credit card details, since there is a risk that hackers can steal the key used for decoding them. TalkTalk uses a different technique, which it calls obfuscation, under which complete credit card numbers are not stored anywhere on its website. Harding acknowledges, however, that the company could have explained this better.
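To make the distinction concrete: an encrypted card number is only as safe as the key that sits next to it, whereas a truncated card number cannot be reversed because the missing digits were never stored. The following is an added illustration of that second approach, written for this article; it is not TalkTalk's code and nothing here describes how TalkTalk's systems actually work. It assumes the common PCI DSS truncation pattern of keeping at most the first six and last four digits, validates the input with the Luhn checksum before truncating it, and counts how many full card numbers remain consistent with a truncated record (the Luhn rule pins down one of the hidden digits, so six hidden digits leave 10^5 candidates, not 10^6). The sample numbers are standard test card numbers, not real accounts.

```python
import re

# Constructed sample inputs: public test card numbers, not real accounts.
SAMPLE_PANS = ["4111 1111 1111 1111", "5500-0000-0000-0004"]


def luhn_ok(pan: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip separators and reject anything that is not a plausible, Luhn-valid PAN."""
    pan = re.sub(r"[\s-]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a card number")
    if not luhn_ok(pan):
        raise ValueError("Luhn check failed")
    return pan


def truncate_pan(raw: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Return the storable form: leading BIN digits, masked middle, last four.

    keep_first=6 / keep_last=4 is an assumption matching the usual PCI DSS
    truncation allowance; the middle digits are discarded, not encrypted, so
    there is no key whose theft would reveal them.
    """
    pan = normalise_pan(raw)
    hidden = len(pan) - keep_first - keep_last
    if hidden < 1:
        raise ValueError("nothing would be hidden")
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


def candidate_count(truncated: str) -> int:
    """How many full PANs are consistent with a truncated record.

    Each hidden digit contributes a value that is a bijection of the digit
    modulo 10 under the Luhn weights, so exactly one choice of the last hidden
    digit satisfies the checksum for any choice of the others.
    """
    hidden = truncated.count("*")
    return 10 ** (hidden - 1) if hidden > 0 else 1


def store_records(raw_pans: list[str]) -> list[str]:
    """What a database dump would contain if only truncated PANs are written."""
    return [truncate_pan(p) for p in raw_pans]


if __name__ == "__main__":
    for raw, stored in zip(SAMPLE_PANS, store_records(SAMPLE_PANS)):
        print(f"{raw!r:24} -> stored as {stored} "
              f"({candidate_count(stored)} full numbers fit this record)")
```

The point a reviewer would check is that the full number never reaches persistent storage at all: `truncate_pan` is the only thing written, and an attacker who dumps the table gets a six-digit issuer prefix and the last four digits, which is the same information already printed on a till receipt. Truncation does not help with data that has to be recovered in full later (a stored address, say), which is why the phishing risk from the other stolen fields remained the real concern.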
Getting the message out was quite a battle. Reporting in large tracts of the tabloid press tended to inflame the situation. Broadcast and digital media were better because they enabled Harding to talk directly to the public. The message was simple and repeated. Besides emphasising how seriously the company was taking the situation and the efforts it was making to repair the damage, there was a relentless focus on customer safety, including arrangements for customers to take up free credit reference monitoring.
By October 27, less than a week after the attack, the company was able to confirm that the stolen data was insufficient on its own for the perpetrators to take money from customers' bank accounts, while the police said they had arrested a suspect in connection with the case. Four others were subsequently arrested. Customers began to relax.
The company then sought to rebuild customer trust and engagement by offering a free, unconditional upgrade. Even though their trust had been shaken, the majority of customers, when polled, thought the company had done a good job in handling the situation. By January, Harding says, the business was trading normally, although the company has estimated the trading impact of the incident at £15m and exceptional costs in the range of £40-45m.
Another imperative was communication with staff and the maintenance of morale. At the height of the crisis Harding wrote a blog to staff twice a day, instead of the normal once a week. If anything, the aftermath of the crisis was more difficult internally than the event itself, when people were pulling together. Employees took different lengths of time to adjust back to normality. There was a natural tension between those who had not been involved (the business-to-business part of the company was completely unaffected) and those who had been working continuously to deal with the crisis. The latter still needed to come down from their adrenalin highs. Helping bring that about was an important leadership task.
Beyond that, Harding says the crisis exposed a need for cultural change. The average age of TalkTalk's staff is 33. They are operating in a fast-moving world and are focused on constant change. Harding likens the previous culture to a football team of talented 11-year-olds who follow the ball closely but have not learned to pass to each other as a team. Team spirit and fewer silos will be given greater emphasis in future.
As to the board, it has become much more aware of the risks and is starting to ask questions in a different way. The issue is not so much whether the company is safe, since that can never be guaranteed, but rather the nature of the risks the company is taking and how well they are mitigated. The company already had a high level of technical expertise on its board, but directors with less technical knowledge have learned to ask more basic questions.
Harding herself has no regrets about the decision to be open. The company had to trust its customers not to overreact, and they had to trust the company to do its best to look after their interests. The alternative of giving in to blackmail is not one to be contemplated, she says. The digital world simply must not become an ungoverned space. The experience has confirmed her view that disclosure of such attacks should become mandatory.