Whilst TalkTalk feel the full brunt of both media attention and loss of consumer confidence following the “significant and sustained cyber-attack” last week, there will be businesses thinking ‘this could have been me’ and ‘what have we got in place to protect and help us to respond to a cyber attack?’

The fall-out for businesses like TalkTalk are significant – shares in the telecoms company fell more than 12% in Monday trading – while significant damage limitation work is drawing resources away from operations. Of course they are not alone, being one of a number of high profile hacks over the last few years that includes Apple, the US Government and Sony.

As both a customer of TalkTalk and a technology consultant I have insight from both sides of the fence. I want to share my consumer perspective on TalkTalk’s communication to customers – which has been far from impressive. Here are 5 things they could have done things better:

1. Be prepared:

TalkTalk suffered a breach of security and a loss of customer data. There is no doubt this was in their scenario planning, but to a customer, the speed and accuracy of TalkTalk’s response suggests it wasn’t. The first customer communication to me about the data breach was 12.50pm on Friday October 23rd, while The Mirror broke the Cybersecurity story at 7.07am on the same day. I heard the news from the BBC.

Time is of the essence. Don’t get this wrong. It doesn’t instil confidence as a customer. If a hack has happened, reputation damage limitation is paramount. How quickly you respond will give customers confidence that you are actively managing the situation.

Plan how you will use all your digital channels – then pick the most suitable for a specific communication. I find TalkTalk’s fault and incident report system uses SMS and Web messages well but didn’t seem to be hooked into this incident.

2. Be relevant:

‘We are very sorry to tell you that on Thursday 22nd October a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following a significant and sustained cyber attack on our website on Wednesday 21st October. The investigation is ongoing, but unfortunately there is a chance that some of the following data may have been accessed.’

The TalkTalk email starts with a comment about a Metropolitan Police investigation. As a customer this doesn’t feel transparent – would TalkTalk not have written to me unless the Police were involved?

‘We are continuing to work with leading cybercrime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.’

Is the criminal investigation of prime concern to customers? Do I really care who you are working with? I really want to know about my data, not catching a criminal.

Emails are usually read from top to bottom – keep the key things at the top – the things I really need to know.

3. Be personal:

‘We are contacting all our customers straight away to let them know what has happened and we will keep you up to date as we learn more.’

The communication is impersonal. Don’t say ‘we are writing to customers’ in an email to customers! I want to feel that I am not just part of your corporate machine. That they really do care, and that this email not just some routine corporate communication. How about “I am writing to you” – that’s how most letters refer to me.

Make it about your customers. Speak to them. Digital channels enable high levels of personalisation – so tailor the responses on specifics of the incident and the customer as soon as you can.

4. Be accurate:

‘We have taken all necessary measures to make our website secure again following the attack.’

I hate to be picky, but this is a bold and false claim (“all the necessary measures”) – are they are saying their site is now impenetrable? Or perhaps just the measures necessary to satisfy the Metropolitan Police? Again, there is a strong suggestion that this email was drafted in the moment and without the right Information Assurance (“Cyber Security” involvement). Did TalkTalk’s Head of Security, appointed in June or BAe Systems experts approve that comment?

Do get a relevant expert to review pre-planned communication. Do say that you are doing ‘everything we can’. If possible, say what.

5. Be helpful:

‘If you are contacted by anyone asking you for personal data or passwords (such as for your bank account), please take all steps to check the true identity of the organisation.’

This is fine advice, but better advice is needed. Asking customers to ‘take all steps’ is inadequate – what are they? If customers are suspicious of a caller, then ask for their name or for a reference number and offer to call them on a published company number.

Most customers’ approach is to ‘sense check’ the caller by seeing what they know, but TalkTalk have already told me that a bogus caller may have 7 critical items of information about me:

  1. Names
  2. Addresses
  3. Date of birth
  4. Phone numbers
  5. Email addresses
  6. TalkTalk account information
  7. Credit card details and/or bank details

If they knew all of this – that could be pretty convincing?

Digital channels can so easily be used to help people help themselves. Point to reliable sources of help about taking cold calls and so called ‘Social Engineering’. There is lots of help out there so make sure your customers are supported and informed.

I was given specific advice on what to do:

‘Change the password for your TalkTalk account and any other accounts that use the same password.’

Sadly this was wrong! The TalkTalk account website said I couldn’t do this – even 3 days later. Maintaining information currency and accuracy is critical to customer confidence since the situation is dynamic. TalkTalk need to learn to use their channels.

Do say: ‘go to our website for the latest advice on changing your password’. Keeping live digital channels up-to-date is critical. The same is true for your customer service channels. These should all be used as a support mechanism. Use the opportunities for customers to feel like the service they received in the crisis was second to none.

Hackers by nature will always be looking to stay one step ahead. This was the third hack in a year for TalkTalk alone. In their own words:

‘Increasingly hostile and sophisticated methods to target companies that do business online are used.’ And ‘Unfortunately these criminals are very smart and their attacks are becoming ever more sophisticated.’

It now appears that a 15-year-old is linked to the investigation, showing potentially how unsophisticated the criminal element might be.

If you can’t guarantee 100% safety of your customer’s data, you need to be prepared with a programme of damage limitation and focused customer support, then system recovery.

A rigorous response plan should be part of any business’s overall data security strategy. This response should be one that places your customer experience at the centre and uses the best in digital channels to do that. Your ability to respond sympathetically, accurately and timely is paramount to success and failure.

No excuses .. next time?

Digital Works Consulting

Need advice or help with your security strategy and cyber responses? At Digital Works Group we have multidisciplinary teams that bridge technology, marketing and customer experience, who can help you:

  • Communicate complex technical issues such as cyber security.
  • Create effective communication strategies to build and use digital channels effectively.
  • Optimise your end-to-end multi-channel customer experience.
Clare Carroll
Latest posts by Clare Carroll (see all)