Breach Day: Preparing for When Hackers Steal Your Data

October 2, 2018

[john lund]
[john lund]

Experts say the question is not if your company will suffer a data breach, but when. Your risk manager and chief information officer may think they’ve implemented the right safeguards to protect sensitive information and customer data. Perhaps they’ve trained employees on the perils of opening unknown emails and writing down or reusing passwords.

But then a data breach happens anyway. Your employees report for work and find your company files have been encrypted, or they see a skull and crossbones symbol and mocking messages on their computer screens. Your help desk is overwhelmed with calls. Your intellectual property, file server or customer data might be for sale on the dark web. And then the attackers contact you, demanding your company pay ransom to unlock its data.

According to the “Mandiant M-Trends 2018 Report” from security firm FireEye, intruders are often in a company’s computer system for 100 days before making themselves known. What other damage have they caused in the meantime?

In preparing for possible data breaches, companies have to decide whether they would pay ransom to cybercriminals — and if so, by what means? Would your company use the cryptocurrency bitcoin? And what about credit monitoring to protect employee and customer data? Would you pay for those services, or just strongly recommend them to those affected?

Implementing post-breach communications

Most PR pros have cyber threats on their crisis-preparedness lists and have convinced their company leaders that doing or saying nothing are not options. As FireEye CEO Kevin Mandia puts it, “If you’re breached and you know it, somebody else knows it and it’s a footrace.”

Often, lawyers will decide whether a company should acknowledge it’s been hit by a data breach. But other pre-breach decisions must also be made. For example, who in law enforcement would you need to contact and when? Your employees and customers may already know when a breach occurs, especially if their data is being held hostage. Other possible audiences include investors, regulators and industry partners. And it won’t be long before you hear from the media.

Communications teams typically prepare holding statements, which they issue in response to media inquiries rather than proactively sending them out. Influenced by attorneys, such statements are meant to show the organization is on top of the situation.

A reporter might say: “We hear your company is the victim of a cyberattack and is being extorted. Can you confirm this?” Your initial response might be: “We can confirm that we have notified law enforcement and taken the appropriate steps to be transparent with our partners.” If your data’s been hijacked, you could add: “We are in the process of restoring services.”

Your second media response should provide more detail. “Safety is always our top priority,” it might begin. “We have notified law enforcement, taken appropriate steps to be transparent with our partners and clients, and thanked them for their patience and trust. Independent computer-forensic experts are analyzing the incident to ensure the security of our network. We will make every effort to keep [employees, customers or other groups] informed.”

At my communications firm, our media responses always include a short acknowledgement phrase and a strong headline. In response to media questions, we might simply say: “It’s not appropriate to discuss further, but I can assure you that [repeat initial statement].”

Other questions we’ve known reporters to ask after cybercrime incidents have included: “I’ve heard your company has been hacked. Can you confirm or deny this?” “Has this happened before?” “Why did you wait to announce it?” “What if the hackers return?”

In addition to such questions, reporters will likely also seek comment from experts and then ask you to respond. Some common inquiries: “Hackers are increasingly gaining access through third-party vendors who lack adequate security provisions. Have you audited your vendors to make sure they have the proper controls in place? If not, why not?” If reporters find out you’ve paid a ransom to cybercriminals, then they’ll want to know how much you paid.

Generally, attorneys counsel against answering such questions, but your media relations team or crisis communications firm should respond to reporters’ inquiries, preferably by email.

More difficult to answer are questions from employees or customers, such as: “Are you sure you’ve contained the data breach? Who’s to blame for it?” And, “If we lose money, will you reimburse us?”

It’s best not to answer such questions right away, but you can take the opportunity to enlist the help of employees or customers by saying: “If your colleagues are talking about this, please tell them we are taking the appropriate steps.”

Exploring real-life examples

My firm has counseled numerous companies in these situations. Here are three case studies of how three different organizations responded to data breaches — a hospital, a regional bank, and a large industrial company with locations in several countries.

Cybercriminals froze the hospital’s data and software applications. The organization issued a one-paragraph press release to local media, but only after 24 hours of internal debate that involved outside counsel, the hospital’s insurance company and the insurer’s attorneys. With their computers down, the hospital’s communications team carried a hard copy of the press release to a local newspaper.

They also distributed a short internal statement. Despite some employee chatter on social media, nothing went viral.

Ultimately, the hospital paid ransom to the hackers and its systems were rebooted, with no indication that any individual financial data had been compromised.

In the case of the regional bank, an employee’s carelessness had potentially placed customers’ confidential data at risk. The bank issued a one-paragraph advisory confirming the breach, which two local newspapers picked up. The bank advised customers to monitor their credit reports but did not offer to pay for the service. There was limited chatter on social media about the breach, but many employees did ask their managers questions one-on-one.

When the industrial company suffered a data breach where its data and systems were taken hostage, we drafted numerous versions of a statement but never issued one. Outside counsel advised they were not required to make the compromise public, since no evidence suggested personal financial data had been stolen. Internally, this course of action was hotly debated. Talking points were written, and over the course of 72 hours, executives and managers phoned hundreds of customers and vendors in the countries where this company operates to advise them about the breach.

Employees knew immediately what had happened, so managers met with them individually and in small groups for brief conversations. Internal security personnel worked with outside experts to determine the origin and extent of the data breach, and their findings were verbally relayed throughout the organization on a daily basis.

Like the hospital, the industrial company paid ransom to the cybercriminals. Its systems were brought back, and after about 10 days of being shut down, normal business resumed. The media never heard about the breach.

As with other crises that threaten a company’s reputation and ability to operate, cyberattacks require businesses to be prepared. Make sure your organization has strong resources and is committed to preventing, detecting and responding to such incidents.

Preparing your leadership will put your company a step ahead when — and not if — hackers breach your data.

Cyber Questions to Ponder

Following is a list of questions we’ve collected from various cyber incidents. These are not provided to encourage you to draft answers to them but rather so that your leadership and managers understand to expect them and become fluent with the concept of acknowledging the question and having a substitute response ready. As noted above, leadership and managers need to be prepared to enlist the questioner to reassure colleagues.

  • I’ve heard your company has been hacked. Can you confirm or deny this?
  • Has this happened before?
  • What if they come back?
  • Are you going to apologize?
  • What if you don’t find out who’s responsible?
  • What have you told customers?
  • When did you detect the problem?
  • Why did you wait to announce it?
  • What are you trying to cover up?
  • Will you pay for credit counseling and monitoring?
  • Does insurance cover this?
  • Is this a criminal event or terrorism or sabotage?
  • Did it come from a competitor or a hacktivist?
  • Can you guarantee it will never happen again?
  • When was the last time you tested your IR plan?
  • Do you run tabletop exercises?
  • Why didn’t you have an Incident Response Expert on retainer to investigate and contain the situation?
  • Who is your legal counsel and do they have a specialty in data breaches?
Merrie Spaeth

Merrie Spaeth was President Reagan’s director of media relations and now leads a team of communications consultants as president of Spaeth Communications, Inc., in Dallas. She is acknowledged as one of the most influential communication counselors in the world and as a thought leader in communication theory, executive training and coaching. Reach her at


No comments have been submitted yet.

Post a Comment

Editor’s Note: Please limit your comments to the specific post. We reserve the right to omit any response that is not related to the article or that may be considered objectionable.


To help us ensure that you are a real human, please type the total number of circles that appear in the following images in the box below.

(image of three circles) + (image of six circles) + (image of eight circles) =



Digital Edition