The Delta Airlines Security Breach: A Case Study in How to Respond to a Data Breach
Recent data breaches against Panera Bread, Delta Airlines, Sears, Saks, and Lord & Taylor highlight a lot: the need for improved web application and internet security processes, better accountability, and why cybersecurity is critical to securing the loyalty of an organization’s most valued customers.
But perhaps most importantly, it highlights how an organization should react if they do suffer a data breach and the significance of a response plan. If there was ever an example of the importance of honesty and transparency, communicating effectively with consumers after your organization has been breached is a critical one.
Take Delta Airlines as an example. In April 2018, the company announced it was informed that some of its customer’s credit card information had been compromised during online chat support provided by a third party software company called 7.ai. In response, Delta launched a custom webpage providing a complete overview of the breach (including a timeline and FAQ section), executed a customer communication plan that included education and mitigation best practices, and worked with partners and law enforcement to identify how/when the breach occurred.
Delta’s handling of the breach underscores some of the key best practices that organizations should act upon once they identify a data breach has occurred.
- Communication is key to both internal (employees, partners, suppliers, etc.) and external (customers) audiences, including direct mailing to clients, an official media release/statement, and if necessary, interviews in the appropriate press
- Be open and sincere and admit what happened and accept responsibility
- Provide details and explain how the breach occurred
- Mitigate. Provide solutions for impacted users, and if possible, prepare a special offer for the affected audience
- Educate by providing best practices on how to prevent similar issues in the future
- Invite open dialogue by involving clients, industry experts, and even the general public
All too often, consumers discover that their personal information was compromised long after the breach occurred when suspicious activity on financial accounts, e-commerce sites, etc., is noticed. This is often the result of one of two reasons. The first is because an organization doesn’t realize its sensitive data has been breached. According to various sources, it can take a company nearly 200 days to realize there’s been a data breach.
The second and far too common reason is that organizations seeking to avoid the negative connotation of being a data breach victim avoid directly or immediately announcing that a breach has occurred. However, as research suggests, the consequences of such surreptitious communication tactics can be far worse than the direct impacts of a data breach.
According to the report Consumer Sentiments: Cybersecurity, Personal Data and The Impact on Customer Loyalty, the vast majority of consumers must be convinced that the security issue has been addressed and any damage has been rectified before continuing to do business with the brand.
[You might also like: Consumer Sentiments About Cybersecurity and What It Means for Your Organization]
The impact on businesses is twofold. Whereby companies were once reticent about speaking publically about cybersecurity because it would cause consumers to question their business’s fragility, organizations must now embrace and communicate their ability to safeguard customer data. Forward-thinking organizations have the opportunity to use security and due diligence as a competitive differentiator to build trust and loyalty with customers in the face of an increasingly insecure world.
Per the aforementioned points, companies must clearly communicate that a breach has occurred, those likely impacted and planned remediation actions to address the issue. Organizations that don’t admit to compromised consumer records until long after the breach took place to suffer the greatest wrath from consumers.
In addition to increased customer attrition rates and lost revenue, that wrath increasingly includes lawsuits. Forty-one percent of executives report that customers have taken legal action against their companies following a data breach. Given the string of high-profile data breaches in recent years, consumers are becoming increasingly empowered by regional government regulations that are forcing the hands of organizations to act accordingly following a data breach. The best example of this is the General Data Protection Regulation (GDPR) that went into effect throughout the European Union in May 2018. Broadly speaking, the GDPR provides individuals with a right to an effective judicial remedy and/or compensation and liability, especially if the holder of the PII has not acted accordingly to the regulations.
Ultimately, an organization’s ability to successfully respond to a data breach is linked to its ability to view cybersecurity, not as an afterthought, but rather a strategic initiative that mitigates business risk across all mission-critical departments within the organization, not just IT. When an organization is breached, it’s not just impacting the CIO. It affects the CFO, CMO and the COO, in addition to the CEO.
In an increasingly insecure world where customer loyalty to a particular brand is tied directly to that brand’s ability to safeguard the customer’s data, the entire C-suite must be held responsible when a breach occurs to reaffirm the trust and loyalty of consumers and to mitigate the broader, more cataclysmic impact that could result if they don’t.
Read “Consumer Sentiments: Cybersecurity, Personal Data and The Impact on Customer Loyalty” to learn more.
Anna Convery-Pelletier joined Radware as the Chief Marketing officer in December 2016. As a member of the executive leadership team, she leads the global marketing organization, which consists of the corporate, product, field and channel marketing teams. Ms. Convery is responsible for the marketing strategy that shapes the future of the Radware brand while directly increasing the marketing contribution to drive revenue and increase market share.
Prior to Radware, Ms. Convery held the position of Chief Marketing Officer and Executive Vice President of Strategy for OpenSpan Inc. (now Pega Systems Inc.) for five years. Ms. Convery has more than 25 years’ experience in enterprise technology, helping FORTUNE 500 companies drive operational and financial excellence, leveraging technology innovation to deliver digital transformation and world-class customer experience. At OpenSpan, Ms. Convery’s responsibilities included global go-to-market strategy and strategic enterprise growth for the company.
Prior to OpenSpan, Ms. Convery held senior executive roles at NICE Systems Ltd., ClickFox, Inc., and Nexidia Inc., as well as global marketing and business development roles at IBM Corporation, Jacada Ltd. and Unibol Inc. Named a “Woman of the Year in Technology” by Women in Technology (WIT), Ms. Convery has received numerous industry awards and is a respected customer experience and enterprise transformation thought leader.
*** This is a Security Bloggers Network syndicated blog from Radware Blog authored by Anna Convery-Pelletier. Read the original post at: https://blog.radware.com/security/2018/10/the-delta-airlines-security-breach-a-case-study-in-how-to-respond-to-a-data-breach/