open padlock

A few months ago on this blog we raised the basic points that you should think about when confronted with a cyberattack. Unfortunately the general reaction of some companies is very different to this – here we present to you some of the worst reactions to a cyberattack:

Not reacting as quickly as expected (TRICARE)

TRICARE Management Activity is the name of the company that in October 2011 managed the healthcare of millions of members of the United States Department of Defense and military personnel. When it found out that five million of its users had their information compromised, TRICARE waited two weeks before making it public, with the excuse that it “didn’t want to cause an alarm” among its customers.

After this the company was the subject of intense criticism. What generates trust between customers is knowing about the situation quickly and that something is being done to resolve it. Stalling or delaying the announcement only serves to make the situation worse and can remove all trust that was there.

Not telling the whole story (Sony)

In April 2012, two years before Sony suffered its biggest security breach, the Japanese company was involved in another leak. In this case the credit card details of hundreds of thousands of Playstation Network users were involved. Sony reacted quickly but announced that it only affected 77,000 users. So, just when the situation appeared to be under control, it was revealed that there were a further 25,000 users affected but that they hadn’t been detected during the initial investigation.

This damaged Sony’s image and gave the impression that the company “didn’t know what it was doing”, leading to the suspicion that at any moment more negative information could arise relating to the leak. Just like in the previous case, a failed attempt at putting customers at ease had the opposite effect. For Sony, it would have been better to err on the side of caution and state that not all of the information was yet available.

Fail to implement a coherent strategy (Sony)

When, after Sony’s big leak in 2014, The Guardians of Peace (the North Korean group of hackers responsible for the attack) announced a new line of retaliations if the movie The Interview was released and shown in cinemas, the multinational decided not to release the movie.

security breach

As its security expert Bruce Schneier explained in his blog: “Pulling The Interview was exactly the wrong thing to do, as there was no credible threat and it just emboldens the hackers. But it’s the kind of response you get when you don’t have a plan. Sony’s reaction has all the markings of a company without any sort of coherent plan. Near as I can tell, every Sony executive is in full panic mode.”

A total panic is exactly what drove them to commit a host of errors. Before this public display of weakness, Sony had flaunted a totally different, and equally unwarranted, attitude towards the press. In fact, the studio opted to hire a well-known lawyer that threatened those who spoke about the leak. This is a terrible way of “shooting the messenger”.

Not having real solutions in place to fight the issues (Target)

In December 2013, after Target suffered a data theft what involved the credit card and other information belonging to over 40,000 customers, this company committed various errors – delay in informing the customers of what had happened and failed to give the correct information from the start. What’s more, Target committed an even bigger error by not having a solution to the problem.

On the one hand, it tried to win over its customers (not just those affected by the leak) by offering a free security service which consumer organizations attack for “giving a false sense of security”, as it wasn’t useful for eliminating the risk of fraud that could come from a data leak.

Furthermore, its decision making wasn’t much better when it came to solving internal issues that caused the initial leak. It’s important to point out that Target had all of the protocols and systems in place to avoid a security breach… it’s simply that its employees weren’t trained to deal with the alerts – they ignored them because they were unaware of the protocol.

Target decided, however, to react in a most bizarre way by firing the company’s CIO and announcing the creation of two new roles that dealt with security (Chief Information Security Officer and Chief Compliance Officer). The three roles remained vacant for six months following the leak.