Capital One’s Data Breach Highlights the Power of Prompt Communication

Data breaches occur so frequently that they can seem routine, as high tech enables hacking at an alarming rate.

There's even a Breach Level Index. The Index says 71 records are lost or stolen every second. That's 255,000 every hour, or 6.1 million daily. And the financial costs are immense. The most recent company to become a hacking victim, Capital One, estimates it will cost $100-$150 million to make things right.

An obvious takeaway: PR pros without formal plans and pre-written materials to communicate a cyber attack are living dangerously. Ditto for companies that have yet to strengthen defenses against hackers or assembled cybersecurity crisis plans.

A Hacker Might Know What's In Your Wallet

Monday evening (July 29) Capital One went public with news about its data breach. Unlike several other brands, it moved relatively quickly to make the breach announcement. The suspected hacker, Paige Thompson, a former Amazon Web Services employee, was arrested earlier that day. The nation's 10th largest bank by assets, Capital One went public with its announcement shortly after the arrest.

"We will notify affected individuals through a variety of channels," it promised. In addition, the bank said it will make "free credit monitoring and identity protection available to everyone affected."

Takeaways: Moving promptly to communicate a breach to stakeholders and the public is a best practice. Owing to their frequency, data breaches may seem routine. They are anything but. As a result, you want to communicate a breach as fast as security concerns allow. Waiting for weeks or months to communicate creates bad optics and erodes trust. And is there an industry more reliant on trust than financial services?

Matt Brown, president of the Americas and Asia-Pacific at monitoring platform Signal AI , tells us Capital One did well by its reputation despite the breach. Hacked companies need "to be proactive with media...[to manage] the narrative and perspective," he says.

Prompt communications also help in another way. Many brands say that they’ve corrected a breach, as Capital One did. Put yourself in your customer’s place—are you more likely to trust a brand that says it’s fixed the breach if said brand is telling you today about a breach that occurred weeks or months ago?

Remember how Google buried news of a data breach at Google+?  Google hid the news deep in an innocuous 1,500-word blog post. In a spurt of creative communication, Google claimed it took its time (seven months) to inform the public of the breach because it fixed the problem quickly. Really?

Perfect Knowledge Not Needed

In addition to its prompt announcement, Capital One also did a good job at communicating its news despite lacking perfect information. In its statement, Capital One said the hacker was privy to an undisclosed number of names, addresses, credit scores, credit limits, balances, and other information.

This is a calculated risk, of course. Some PR pros advocate waiting until all the damage reports are filed before communicating a breach. That can take weeks. As Equifax and others learned, it's painful to periodically need to increase the estimates of customer accounts hacked. On the other hand, Capital One was upfront. It admitted there could be more damage to come in the course of investigating this terrible incident. "The investigation is ongoing and analysis is subject to change," Capital One said. Shares of the bank were off nearly 6 at today's close, ending at 91.2.

100 Million Accounts

That, of course, leads to additional bad news.  The breach occurred months ago, in March, though it was discovered in July. It's also one of the largest to date. The hacker allegedly hacked a Capital One server and gained access to 100 million Capital One accounts, 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, according to CNN. Capital One is the largest issuer of credit cards in the U.S.

The hacker, Thompson, boasted on Slack that she'd successfully defeated Capital One. Someone read her boast and alerted Capital One. While Capital One said it's "invested heavily in cybersecurity," Thompson apparently enabled detection of the breach when she bragged about it. What would have happened if he she hadn't mouthed off?

A Lawsuit

Already, someone is suing the bank. The claim is Capital One knew of its cyber weakness.

Incidentally, Capital One and Amazon Web Services (AWS) have a strong alliance. Capital One was an early investor in AWS. In addition, AWS is the host of the bank's servers. Did Thompson's former job allow her to hack Capital One? Hopefully we'll find out soon.

Finally, Capital One also did another thing well. It placed a small note at the top of its website, directing visitors to information about the breach. Some would argue the notice is too small. On the other hand, many brands do nothing to direct visitors to information about this sort of situation.

Other negatives: the bank's announcement lacks a genuinely apologetic tone. It also uses a lot of passive voice. The language seems word smithed and awkward, as opposed to clear and authentic.

Still, Capital One moved quickly. That's a good thing for reputation. Let's hope it continues to provide information rapidly, improves its authenticity and tone and answers nagging questions about how its firewalls were breached.

Seth Arenstein is editor of PRNEWS. Follow him: @skarenstein