Platitudes fall flatitude at Latitude

Falling victim to a major cyber breach and having your personal details stolen by criminals is starting to feel routine to Australians.

The latest high-profile cyber victim is Latitude Financial, whose breach has - as of yesterday - become the largest-known data breach on a financial institution in Australian history, after an ongoing review revealed that 14 million people have had their data stolen, a hefty jump from the initial estimate of 328,000 people.

This news has certainly hit home at the BlueChip office where some of us are among the impact 14 million.

One of our own heard about the breach from their partner who spotted the news while scrolling through their social media feed on Thursday the 16th of March and read it aloud, knowing of BlueChip’s cyber crisis management practice.

What that partner didn't know was that our team member has a forgotten about and unused Latitude Mastercard.

It was 24 hours until they received an email from Latitude, at 5.33pm on Friday the 17th of March, saying, in vague terms, that yes, a certain number of customers' personal data was breached, and that those customers who were affected would be contacted directly.

It is now 12 days since Latitude announced the data breach and 11 days since the email saying, ‘Please be assured we will contact you directly if your personal information has been disclosed.’

Our team member has not been contacted since and is unable to log into their account. It’s anyone’s guess whether missed calls this week from unknown numbers were Latitude trying to contact them. Or maybe they were from criminals who now have their mobile number.

Cynically, it seems like they might have to work that out from the news as well.

Just two weeks on from this, NGS Super has suffered a cyber-attack, during which customer data was stolen. We don’t know what company might be targeted next, but what we do know for sure is that there will be a next victim. We also know how businesses communicate during a crisis can make or break them.

We have managed our fair share of crises at BlueChip Communication, whether here, or at previous employers.

Whether lives hang in the balance, or the global financial system is unstable, there is one golden rule of crisis management. That rule, no matter what you communicate, is this: the greater good comes first.

Everyone must put the well-being of clients or customers and business continuity ahead of any one individual’s needs and interests.

With that in mind, let’s look at the current situation at Latitude Financial and some of what went right and wrong from a crisis management point of view as the crisis has developed. We say current because as of publishing this article the breach is still active and the story continues to develop.

Click here to see the timeline of the key events of the crisis to date.

data-breach-header

Takeouts for financial services leaders

Notify customers at the same time as any formal announcements. No one wants to learn about anything that impacts them personally and negatively from the media so make it a priority to get an email notification out to your database with as many or as few details as you can share at that point along with next steps and resources. Customer communication templates should be ready to go in the event of a cyber crisis.
Provide clear actions and support for customers
- Equip your customers or clients as best you can to protect themselves. Most people understand that cyber-attacks happen, however what is frustrating is when clear support and advice isn’t provided. This means a reminder of basic cyber security best practices as well as any specific advice relating to this specific scenario i.e. what they can do if they believe their accounts have been hacked. This should be an existing template which can be updated and shared with customers on day one.
- Provide direct links to support and resources. Rather than asking customers to monitor your website for updates, give them an exact link to a page which has been pre-populated with basic information in the event of a cyber-attack. This should then be updated with specific information as soon as possible.
- Don’t thank customers for their imagined “patience and understanding”. Customers will be cranky (and rightly so) so feigning ignorance of that won’t win you any points. Instead, deliver a sincere apology and then swiftly move on to how you are working to resolve the problem, and what support you are providing in the meantime.
- Focus on solutions. It was good to see Latitude come out with the offer to compensate its customers for replacement identification and other documents.
Stick to your commitments. If you make commitments publicly, keep them all in a timely manner. Latitude has diligently worked through its commitments and shared regular updates via ASX announcements and the media. To bolster this, Latitude could share a timeline as part of the commitment so that its customers have greater certainty of what is happening and when. This also saves valuable resources going towards answering questions that a quick look at the website should be able to answer.
Be transparent. The truth always comes out one way or another so it’s important to be honest about the situation with your customers. The reputational repercussions of a cyber breach compacted by lies from management is far worse than a cyber breach alone as it erodes trust in the entire business versus their cyber security alone.
Ensure contactability. In an extraordinarily challenging situation, Latitude made the call to close its call centres until it had regained control following the hack to protect customers from further harm. However, this meant that customers looking for assistance could not call anyone and some also received an error message on the contact functionality website (depending on when it was accessed). Remember that your customers are in a crisis with you and even if you need to move heaven and Earth to make it happen – you need to keep the lines of communication open.
Make the hard calls. It took bold leadership to shut down Latitude’s services. It’s a move which does hurt the business, however when weighed up with its potential to save its customers from further hurt, it was one that was worth taking.
Turn marketing off. This one doesn’t require further explanation. If you’re in a cyber crisis which is exposing your customers’ data, it’s tone deaf to product-push so turn your marketing off until it’s resolved.
Prepare before the cyber crisis, not during. Latitude has been quite efficient from a communications perspective; however, it is clear from the timings that they weren’t prepared from a process point of view. This is where having clear crisis management training comes into play, each person has a role to play, understands how to operate under pressure and can immediately step into crisis mode. For teams that aren’t yet at this stage, we created our cyber crisis management training which is worth its weight in gold to the c-suite and management leaders who undertake it.