Data breaches are inevitable. Most breaches are the result of cock-up rather than conspiracy. Blaming hordes of Russian teenage hackers for your data breach woes is an easy option, but when your breach is the result of multiple layers of silliness, you’ll need to have a plan to make sure you deal with it in a way that minimises the damage to your customers, and maybe even turns them into advocates of your business.
The Ticketmaster breach is a masterclass in how a data incident can hurt or enhance your business.
There were three key players involved in the breach: Ticketmaster themselves; their data processor, Inbenta; and the digital bank Monzo, who detected the breach.
Ticketmaster’s public-facing response was to send out an email to their customers, clearly explaining what had happened. Oddly, having explained that the breach was the result of a third-party data processor, they offered an identity management service from an unnamed third party, with no information about what data would be sent over or how it would work. So much for transparency.
Inbenta’s approach was to say (and I paraphrase), “we amended a line of script for Ticketmaster and they used it, but had they told us they were going to use it we would have advised against it.”
Monzo have a completely different story to tell. They identified an issue at the beginning of April and informed Ticketmaster, other banks and the US Secret Service, while replacing the affected cards. Ticketmaster took 76 days from visiting Monzo to discuss the issue to informing customers of the breach. Monzo’s impressive blog outlining the issue is here, and I’ll be changing my bank account to Monzo when I find the time to embrace some admin.
https://monzo.com/blog/2018/06/28/ticketmaster-breach/
So what are the lessons? Firstly, have a plan for when the crisis occurs and road-test it. Don’t leave gaping holes in the process that leave your customers thinking “WTF”. Secondly, understand who has access to your data, why they have it and what the risks are. Thirdly, be transparent. When an issue arises, be clear about what has happened and don’t fudge it.

 
