The real reputation risk after a data breach? Poor communication.

Cybercrime. Everyone has an opinion about it. And by now, almost everyone has experienced it in some form, from simple phishing attempts to highly targeted social engineering attacks. The latter happened to me as well.

Fortunately, I was personally unaffected by the recent Odido hack, in which hackers gained access to a file containing customer data of potentially 6.2 million people. But like many others, both within my company and in my personal network, I know several people who did become victims. They are now left with an uncomfortable feeling of uncertainty: what will happen to my data?

Almost a decade ago, my team and I at Omnicom worked on a cyber awareness campaign for the Dutch National Coordinator for Counterterrorism and Security (NCTV). During that project we worked closely with victims, cyber experts and ethical hackers. One lesson stood out: no one is completely safe.

If criminals specifically target you or your organisation, anyone can be vulnerable.

I experienced that firsthand. Two years ago, I became the target of a social engineering attempt. My then-CEO called me and even started a video call. Both the voice and the image had been cloned by the attackers. At the same time there was urgency and a request to transfer money.

During the first half hour, I barely questioned it. After all, you hear the voice of someone you know well.

Only when I asked a few subtle verification questions, and received irritated responses, did things start to feel off. Psychologically it’s very strange: you see and hear someone you trust. The attackers had clearly done their homework. They knew company details that made the request, even the amount involved, sound credible.

Long story short: anyone can become a victim.
Even someone who once led a national cyber awareness campaign.

Which is exactly why one thing is crucial: no shame. Share experiences. Talk about it. These types of fraud are incredibly sophisticated and designed to be as convincing as possible.

One thing that is positive in the current Odido situation: the conversation is happening. The debate is alive in society. Everyone has an opinion. Journalists are writing about it and industry nerds like me are publishing blogs and analyses.

At the same time, many customers express frustration about Odido’s communication. It remains general and vague. And that’s exactly where organisations can make the difference.

Nearly ten years ago, this was already the core message of our cyber awareness campaign. Many of those tips and best practices are fortunately now widely embraced by individuals and organisations. Also thanks to the mission-driven work of cyber experts such as my former client Dave Maasland and former colleague Erik-Jan Koedijk, who have contributed for years to raising awareness around digital security.

Which raises one lingering question: why does crisis communication still fall short in incidents like this? These risks are no longer new. Organisations know they exist, and being prepared should be the baseline.

Because when a data breach happens, people mainly want clarity: What happened? What does it mean for me? What should I do now?

When companies communicate slowly or vaguely at that moment, it quickly creates the impression that reputation management matters more than protecting customers. And that often damages trust faster than the incident itself.

Transparency is not a risk in these situations; it’s a requirement to maintain trust.

There is a broader lesson here for organisations.

Don’t just invest in flashy brand campaigns. Also invest in the less glamorous work of corporate communication. Marketing and communication need to be in balance.

Great above-the-line campaigns with underdeveloped corporate communication simply don’t cut it anymore. Because that’s exactly where the difference is made when things get difficult.

A crisis, however uncomfortable and vulnerable, can also humanise an organisation. Customers can be surprisingly understanding. I recently saw this in a TV segment where Odido customers were interviewed in a store. Many people actually showed understanding that something like this can happen.

But poor communication in such a moment? That never works in your favour. It costs trust and undermines the sympathy that might still exist.

For organisations, the lesson is clear:

  • Don’t invest in branding alone

  • Invest in corporate communication as well

  • Prepare with crisis and hack simulations

  • Make sure your communication is ready before something goes wrong

The good news: most of that work can be done in advance, just like the protocols you’ll need when things go wrong.

Whether your strategy ultimately becomes pay or don’t pay the hackers matters less than this: make sure your organisation has one clear story and clear protocols in place.

Because when the crisis hits, it’s already too late to start figuring it out.

And believe me, this isn’t rocket science. There is already a vast amount of experience, frameworks and best practices available. Experts in the field, industry partners and crisis specialists have been dealing with this for years.

In other words: the knowledge is there. The playbooks are there. The support is there.

In short: just do it. There really is no excuse anymore.
