When a chief executive steps up to communicate bad news, we expect them to do so confidently and openly – putting the interests of customers first and demonstrating that they are willing to take ownership of the problem and not shirk their responsibilities. In this sense, Baroness Dido Harding, the chief executive of TalkTalk, put up a strong front in the days following the cyberattack on the company’s website, which compromised sensitive customer data. But has she done enough?
There is no doubt that, in this instance, the right person was fielded to handle the corporate communications. A data security breach on this scale warrants nothing less than a CEO. And to some extent she has been following the crisis PR rule book to the letter by speaking to the media in a timely way to express concern about what has happened and to explain what action is being taken. Early interviews also contained some advice for customers – suggesting that they contact Action Fraud if they notice any unusual account activity, and that they change their TalkTalk password and other account passwords if the same one is being used elsewhere.
However, questions have been raised about how quickly the firm responded to the crisis. Harding has said that news of the attack was communicated to the public within around 36 hours. Some customer interviews have suggested that the cyberattack may have started over a week earlier – so why did it take so long for the company to realise what was happening?
Having been on the receiving end of two other cyberattacks in the last 12 months, shouldn’t TalkTalk have spotted what was happening immediately and reported the risks to its customers there and then?
If it is subsequently found that the company didn’t react as quickly as it said in its early statements, this would be extremely damaging to the company’s reputation.
While her honest and open communications style is refreshing and should be applauded, there have been times over the last week when Harding’s messages came across as naïve. When asked in an early interview if she knew whether the affected customer data was encrypted or not, she said: “The awful truth is that I don’t know”. The company’s share price plummeted in response.
She scored another PR own goal when she related the attack to herself, saying: “I’m a customer myself of TalkTalk, I’ve been a victim of this attack”. She may well have been affected by the crisis, but from the customers’ perspective, she is also responsible for it.
The issue of termination fees has also been mismanaged. Initially, Harding took an inflexible line when she declined to waive termination fees for customers who wished to close their accounts. Since then, the company has agreed to waive the fees for customers who have had money stolen from them. Regardless of the real motivation for this latest announcement, its timing suggests it was a result of public pressure rather than a proactive desire to do the right thing for customers.
Facing calls for her resignation, Harding will need to stick to her open and honest communication style in the weeks ahead and demonstrate a clear commitment to doing everything possible to protect customer data in the future.