The TalkTalk hack is the third cyber attack it has been subjected to. It looks like it was a combined Distributed Denial of Service Attack where the site is bombarded with traffic in an attempt to overload it and a specific breach of its firewalls to access company specific information with potentially four million customer accounts affected.
These attacks are frequent and now a key operational risk for all large companies. You would therefore expect TalkTalk to have clear and effective plans to deal with these events especially since its brand is still in intensive care due the poor initial implementation of its broadband deployment and having the worst complaint record after EE, both of whom are significantly worse than the rest.
But this is not the case. TalkTalk seems to have responded by mirroring the incredulity and panic of the public. It has said it is concerned and it is working hard and contacting the relevant authorities which gives the impression of a company not in control.
The complete shutdown of its website is another mark of panic. It could have switched to a pure marketing website or one without the link to sensitive data; it did not have to close the whole online business down. The fact that it is neither confirming nor denying the encryption of sensitive data puts further doubt in the mind of the media and customers.
Furthermore, it has focused on what it is doing, but customers need to be reassured and told what they need to do. It is a clear demonstration of the lack of customer empathy of TalkTalk that it is NatWest which is putting out a message – “We'd like to assure you that fraudulent activity on your account is unlikely following the #TalkTalk cyber attack” – while on the TalkTalk Help page the fact that money cannot be taken out of accounts is only mentioned as a minor point in the seventh FAQ and there is no mention of credit cards.
The truth is that it is highly unlikely that customers will suffer financial loss but likely they will receive more targeted phishing emails and communications so they still need to be very vigilant.
TalkTalk could have indicated that it will indemnify people of losses incurred by this breach of data as long as customers have taken all reasonable precautions such as not replying to phishing emails, while stating such losses to be very unlikely. But it has kept a highly defensive and passive tone in its communication with only two tweets in the last 48 hours.
This attack and the response by TalkTalk is likely to further damage the brand and its credibility, harming the business and leading to customers leaving TalkTalk. But when it comes to purchasing a mobile phone or broadband the choice is still essentially based on price and features so that is likely to be less affected.
TalkTalk needs to invest much more in its client communication and social media management if it is to succeed in the modern hyperlinked and interactive world. It has a long way to go.
Jacques de Cock is a faculty member at London School of Marketing