2026-03-06

Poor crisis communication

Photo by author

It is not my habit to blog about the same topic two weeks in a row. But this time, they really asked for it.

Yes, I'm talking about the data theft at Odido again. Last week I wrote that the press mainly portrayed Odido as a victim: they were hacked, so they must be pitied. But they weren't ‘hardcore hacked’ at all: the criminals got in through phishing combined with other forms of social engineering. They simply walked through the front door and downloaded all that data. That victim narrative is becoming less and less tenable, and the press has now picked up on that as well. Odido is facing increasing scrutiny.

The company is in crisis, and that requires solid communication. So how are they doing on that front? Well, not great. Let me be clear: I’m not an expert in crisis communication. A teammate of mine is: he completed a training program in crisis management and crisis communication. Do you know the first thing he said when I asked him about the essence of good crisis communication? Openness and transparency. Followed by speed, honesty, and taking initiative.

Earlier this week I spoke with people from various organizations. What I heard was not encouraging. One company had been told that only the data of administrators with an account on Odido’s business portal had been affected. But shortly after, employees began complaining, and it turned out that the data of several thousand employees had been leaked. People also grumbled about the very poor and sometimes simply incorrect information coming from the telecom company.

On February 13, I received an email from Odido stating that my data, as a former customer, had been leaked. I was a customer of T-Mobile, the predecessor of Odido, until 2019. The company wrote: ‘Odido retains, according to our privacy statement, your contact details for up to 2 years after termination of the contract and switching to another provider. Because you switched less than 2 years ago, your details were still in the system, and that is why you received this email.’ A quick calculation shows that something doesn’t add up.

The same email also stated: ‘What has not been leaked: Identification data: number and validity of your passport or driver's license.’ However, on the company’s information page, which is still difficult to find, it does state that this information has been leaked. But apparently that wasn’t important enough to send a follow-up email.

On March 1, haveibeenpwned.com notified me that my data had been leaked via Odido, and three days later my VPN provider sent a similar notification. They had even more information: through their Dark Web Monitor they could specify precisely which data had been leaked. This included the number of an ID card (the card shown here) which was valid until 2016. I had missed Odido’s email because it was sent to an account I rarely check; I only just found it. You can imagine my shock that such an old ID card surfaced while (I believed) Odido had not informed me at all. It shows at the very least that Odido does not comply with its own privacy statement. Let alone the GDPR, which explicitly states that personal data must not be retained longer than necessary. Holding data belonging to someone who was a customer of their legal predecessor seven years ago is absurd.

My knowledgeable colleague said that good communication can actually strengthen your position during a crisis, by showing honesty and integrity. These qualities are in short supply at Odido. What doesn’t help is that the company’s spokesperson badly mispronounced ‘cybercriminals’ in an interview with the Dutch public broadcaster NOS. That level of cluelessness and lack of interest is downright embarrassing. My colleague also noted (thanks, Rico) that it is far more effective to present yourself not as a victim, but as a problem-solver. I’m seeing very little of that so far. Their communication about not paying the ransom, which is a defensible choice, comes down to three sentences on that hard-to-find information page: ‘We have made a careful assessment. Leading experts and government bodies have urgently advised us not to engage with this criminal group. This advice is based on extensive experience with this specific group.’ There is no trace of empathy toward customers. Again, I don’t need them to pay, but I do expect them to clearly explain why they are not paying.

The day before yesterday, I wanted to ask my bank something. The first question their chatbot asked me was: ‘Are you chatting with us because of the recent cyberattack at Odido?’ The chatbot explained that my bank account was safe and provided additional information about data breaches in general. Now that is smart communication.

And in the big bad world…

