Last week, the world learned of major security breaches at three high-profile, online companies. Millions of LinkedIn and eHarmony members’ encrypted passwords were posted publicly on a Russian hacker website. Last.fm confirmed that it was investigating a serious security breach of its own.
In this article, we’ll take a closer look at how these companies reacted to these events, and the public fallout that followed. We’ll also take a look at how Sony responded to similar security breaches in 2011 when its customers’ sensitive information was compromised.
Armed with examples of what worked and what didn’t for these companies, you’ll have a better idea of how to react and calm your customers should your business ever get hacked.
How Big Brands Responded to Hacks
On June 6, 2012, LinkedIn publicly responded to a possible security breach of its members’ password information in the form of a tweet (pictured above). Even as news websites issued warnings for members to change their LinkedIn passwords immediately, LinkedIn issued a blog post stating that it was “still unable to confirm that any security breach has occurred.”
The article confirmed an ongoing investigation into the matter, and offered some general best practices around changing or creating a strong password. However, this initial reaction from LinkedIn seemed to lack a sense of urgency and did not match the gravity of the situation that was unfolding around it. It wasn’t until later that day that LinkedIn’s Director, Vicente Silveira, issued a confirmation and an apology that “passwords were compromised.”
That same day, online dating service eHarmony tweeted that it was investigating a possible security breach as well. Later, on its blog, it reported that “after investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected.”
Similarly, on June 7, Last.fm tweeted to its followers that it was investigating a security breach involving its members’ passwords. It swiftly posted a recommendation and instructions on its website for members to change their passwords as a “precautionary measure.” One day later, an update on its blog confirmed that Last.fm had “implemented a number of key security changes around its user data” to protect and secure its members’ private information.
In each of these cases, the companies took some time before publicly acknowledging that any security violations had taken place. They avoided alarmist language and provided additional information and steps for their members to take. But was this approach enough to mitigate damage to the respective brands?
Public Reaction and Fallout
In the case of LinkedIn, the public reaction ranged from ridicule to outrage. Some members took to Twitter to poke fun at the service (as in the image above). Professional online security experts suggested that LinkedIn may not have been following industry standards for encryption and questioned why a company the size of LinkedIn does not have a chief information officer or chief information security officer on staff.
Judging from its Twitter feed, and searches for mentions of its brand online, eHarmony appears to have emerged from this crisis relatively unscathed. This is a little surprising, given that account information on a dating site is, by nature, extremely sensitive.
As for Last.fm, rumors began to emerge that the latest attacks on its systems had actually begun months earlier and that the company had only just detected the intrusions. Angry comments on its blog reiterate this concern, and frustrated members suggest that better encryption standards should have been put in place long ago.
Each of these three companies has independently acknowledged that it has changed its encryption and data security standards as a result of these hacks. It remains to be seen what impact these attacks, or the countermeasures employed to prevent them, will have on members’ confidence in the services going forward.
How Sony Handled Its Security Breaches
In April of 2011, a similar data breach happened to the consumer electronics behemoth, Sony. Over 25 million users of Sony’s Online Entertainment gaming service were affected. At that time, Sony came under fire for waiting over a week to tell its customers about the data breach. A class action suit was filed against Sony in that case.
In October of the same year, Sony was hacked again. This time, it informed its customers immediately and took steps to remedy the problem right away. Blog coverage at the time quotes Sony customers as having a markedly different reaction to this infraction, citing comments like “Thanks for the heads up Sony,” and “Awesome catch” from affected customers.
Takeaways for Your Business
Immediate and global access to information has its benefits and its drawbacks. Based on the examples above, it would appear that an open and immediate response is the best way to mitigate the damage of a corporate hacking event.
But don’t wait until a security breach happens to find out how your business will react. Formulate an action plan now — including an audit of your existing security infrastructure — to make sure you’re doing everything you can to avoid problems before they begin.
If you’re unfortunate enough to be the victim of a hacking attack, learn from those who have already been through it. Mitigate the damage by reassuring your customers that you’ll rectify the problem immediately, and thoroughly.
Were you affected by any of these security breaches? How do you think the companies involved handled the crises? Share your thoughts in the comments below.