Last week the big hullabaloo was that the UK Automobile Association was practicing to be the poster child for how NOT to handle a data breach.  This week, they are turning themselves around with a public apology.  You can read the AA’s apology on Graham Cluley’s (the security researcher that they threatened) site and render your own opinion, but I thought it fell just a bit short, as though through gritted teeth and clenched fist.  Phrases like “We are aware of concerns”, “we have reminded customers” and “our supplier’s security safeguards in this instance fell short” sound like dodgy “not me!” protestations.  Also, telling customers they should “consider changing their password”, instead of forcing a password reset, holds with the underlying assumption that since this wasn’t really the AA’s fault no extra work is required on their part.  Additionally, there is nothing that says the AA will be making any changes in the future to prevent this from happening again, nor any expression of abject embarrassment.

The apology was foretold by most in the security community; it could not be otherwise if the AA wanted to continue doing business.  Troy Hunt did a nice write-up of the AA response and created what he calls The Five Stages of Data Breach Grief, which includes Acceptance as the last step.  He predicted that the AA would soon come to Acceptance and issue an apology, and they soon did.  Since true Acceptance includes understanding of the harm you have done, it will also include an apology.  Hunt’s five stages are obviously based on the same set of steps for grieving the loss of a loved one, but, unlike death, the accumulation of data goes on, so I feel that there should be an additional step in the process, one that happens after the Acceptance.

Hunt’s Five Stages of Data Breach Grief for a company look like this:

  1. Denial – “There is no problem, no data has been breached”
  2. Anger – “You’re damaging our reputation by spreading rumors”, then “Who did this?  We will prosecute you!”
  3. Bargaining – “Listen, we’re looking into this, so can you please be patient?”, “It wasn’t really our fault, it was the sub-contractor!”
  4. Depression – No public statement at this stage, unless it’s about people getting fired.
  5. Acceptance – Public apology goes here, usually along with a plea to still be friends.

In observing how some organizations learn from their mistakes and some do not, I think there is a sixth stage after Acceptance, depending on how the public apology part goes:

  6. Learning and Change

If a company does not truly embrace the problems that led to the breach and make the changes in their culture to prevent them from happening again, they get stuck in the same five-stage loop: denying that the problem still exists, angry because they fixed that problem (“so why are you bringing this up again?”), pleading with you to just let it drop, and wondering why you won’t believe them.  This loop will continue until they truly understand their role and how they are responsible; even though they may make a public apology, true Acceptance is not achieved until then.

Strawberrynet is a great example.  You can see the denial here, here, here and still more here.  There is no real apology; according to them, it is a feature, not a problem.  So no Stage 6 for them.

The Harvard Business Review came out with a good article in 2015 on Why Organizations Don’t Learn.  There are various reasons given, and I think they fit pretty well into the Five Stages of Data Breach Grief.