Learning from Roku’s Breach Communication Shortcomings


In April, the streaming platform Roku posted a message to its 80 million customers that some of their accounts had been compromised… twice. Filed inconspicuously on its website under Company News, Roku disclosed that hackers, through a process called “credential stuffing,” accessed almost 600,000 user accounts and, in some cases, fraudulently purchased hardware and subscriptions.

What Went Wrong

The company’s messaging didn’t inspire confidence. First, it took no responsibility for either event—no surprise, given that companies rarely take responsibility for their lax security and its implications. Second, it didn’t detail what steps it took after the first incident. To prevent future credential stuffing, Roku said it implemented two-factor authentication, requiring users to click on a link sent to their email in order to access their account. But it didn’t explain why it waited to make the change until after 15,000 accounts were impacted in the first incident and an additional 576,000 accounts in the second.

What Went Right (Sort-Of)

To Roku’s credit, it pledged to cover the financial losses of those customers who had their accounts hijacked. But as a Roku customer who has received (and written) dozens of breach notification letters over the years, I had to ask why two-factor or multi-factor authentication wasn’t required in the first place. The oversight left Roku open to not just criticism, but customer attrition, reputational harm and possibly litigation.

Learning from Roku's Missteps

In some ways, the breaches at Roku are unremarkable. These types of incidents happen so frequently that we’ve become numb to their scale. But that doesn’t mean companies can be complacent in their communication with customers, employees, partners, media and regulators. Roku serves as the latest reminder of the high stakes when a company’s response appears to fall short. Here are a few lessons others can learn from its missteps:

  1. Implement changes faster and talk about them. Customers want to know that the companies they trust with their information take that responsibility seriously. No company can completely protect itself from data breaches, but it can and should respond appropriately and communicate changes to maintain that trust.
  2. Don’t assume ignoring an obvious question will prevent people from asking it. Always assume your stakeholders are intelligent and will see through an effort to dodge or spin.
  3. Assess risks up front and develop processes for communicating during crises. Proactively planning for reputational risks and how to communicate during times of crisis makes responding easier and will result in better outcomes.
  4. Put your customers and employees first. Though it might be less expensive to refund your customers when they’re victims of fraud, implementing additional security measures to prevent fraud in the first place is the right thing to do and will reduce the reputational cost that comes with not protecting them from the outset.

So-called “breach fatigue”—the phenomenon of becoming numb to the endless data breach notification letters filling our mailboxes—is real. But the reality is that most consumers are also tired of their data being poorly protected and used to commit financial and identity fraud.

The challenge companies face in protecting customer data is one of the biggest in the information age. Those that get it right can lower customer attrition, burnish their brand, and reduce legal and regulatory risk. But those benefits will only come if companies effectively protect the data they hold and communicate transparently with their customers, especially in times of crisis.

Zach Olsen is President at Infinite Global