Our Favorite Examples of How CEOs Respond to Cyber Breaches

In the last few years we witnessed some major breaches to some very big brands, these include the huge Target breach, the TalkTalk breach, the vicious Ashley Madison hack (where people paid with their lives) and the JD Wetherspoon breach (which we uncovered late last year) to name but a few.

With every breach, we zoom in on the CEO and executive team of the company to assess their response to this colossal event in their company, an event that shakes their brand and integrity to the core. So when choosing our two favorite examples of how executives have responded to their company suffering a heavy cyber breach — what exactly are we looking for as part of our evaluation?

Here are some of the things we look for:

• Public acknowledgement – The speed and quality of their response
• Accounting for the damage caused to customers, and vouching to take every measure of damage control possible.
• Being upfront about how vulnerable their systems were and what the ongoing risks are for customers.
• Was their response part of a set plan or merely a reactive countermeasure.
• The aftermath – What was the end result of the breach in terms of churn and general public sentiment.

Example #1: Frank Blake: CEO of Home Depot during their 2014 breach

Frank Blake was Home Depot’s chief executive officer when they were hit by an ugly hack in 2014. Resulting in 56 million customer emails and credit card numbers leaking to the hands of threat actors.

The criminals involved accessed the company’s point-of-sale systems “as if they were Home Depot employees with high-level permissions”. Their malware was installed on the retail chain’s self-checkout terminals and went undetected for five months.

During the breach and following it, Blake was praised for taking full responsibility and for empowering his team to fix the problem — and keeping every and any eye on the customer’s well-being, at all times.

A key factor to keep in mind about the stickiness of Blake’s situation is that once he was informed about the breach, he had (just recently) announced his resignation. By the time he learned of the breach, Blake had already announced his chosen successor (Craig Menear), and that he himself would continue to be Chairman of the board for a few months following his resignation.

Was the September 2nd disclosure of the breach made by Brian Krebs — reporting that tens of thousands of Home Depot customer credit cards showed up for sale on rescator[dot]cc (an underground cybercrime shop) good or bad timing for the soon-to-depart CEO?

Blake was highly regarded as an “admired leader”, and earned great respect of his employees and colleagues after his “unblemished” seven-year long tenure as CEO.

While he could have made a “subtle” escape from the post-breach mayhem at Home Depot, the halfway out-the-door CEO actually put his best foot forward to support his company and his customers against the cyber heist.

Honorable Virtue: Actively Taking Ownership

“I made a lot of mistakes before this,” he says today, with characteristic modesty, “but this may have been a more visible one.” — Frank Blake, former CEO of Home Depot

Fortune magazine showed Blake his due respect quite well:

Blake took full responsibility for the breach upon learning of the event, and “empowered his team to fix the problem”.

“Within a few hours of that initial phone call, the company apologized to its customers in a statement—mercifully free of mealy-mouthed corporate jargon—on its website and assured them that they would not be liable for any fraudulent charges. “We know these types of incidents can cause frustration and concern,” the statement read, “and we apologize for that.” Five days later another apology came, this one from Blake personally.”

Blake also supported his CISO, Matt Carey, and spent a significant amount of time in the “incident response” room that was set up at Home Depot headquarters following the breach.

In response to the breach, Home Depot’s board appointed Menear to focus on day-to-day operations that were necessary to deal with the damage, while Blake was assigned to “deal with the crisis”.

Their response plan looked like this:

• Blake issued an official acknowledgement and apology for the attack on the company website, which read:

“We felt it was important to let everyone know that we’re confident there has been a breach,” the company said in the statement. “We know it’s frustrating not to have all the details, but you won’t be responsible for any fraudulent charges, and we are offering free identity protection services, including credit monitoring to any customer who used a payment card at a Home Depot store in 2014, from April on.” (PR Newsweek)

• Home Depot rented a call center that was capable of handling 50,000 calls a day.
• Within two weeks of the news, the company announced it had installed enhanced encryption systems in the U.S operations.

On a technical level, Blake was also transparent about the company’s failure to prepare itself for potential cyber threats that could have prevented the unfortunate incident:

“If we rewind the tape, our security systems could have been better,” Mr. Blake said in an interview last month. “Data security just wasn’t high enough in our mission statement.” — Wall Street Journal

Example #2: Joseph Swedish, CEO of Anthem Inc.

Possibly the most gruesome cyber attack in the healthcare industry to date, Anthem Inc. saw 80 million social security records pulled from under their rug in June 2015.

Honorable Virtue: Dedicated Honesty

One of the most commendable sides of Anthem Inc.’s reaction to their own breach was that they themselves, were the ones who discovered it.

Described by the Wall Street Journal as “close to a textbook case of effective immediate crisis management and preparedness…they weren’t extorted by the hackers or outed by the media or others.”

Anthem’s CEO, Joseph Swedish, released an official statement to his customers, communicated on the official website that the health insurance provider created as a medium to communicate incident management.

If that’s not dedicated support, then what is?

taken from: anthemfacts.com

This was the official statement released by Anthem Inc. on anthemfacts.com, the website they opened for customer support and awareness in light of the attacks.

Other content and information on the site (which is still up and running), includes the following sections:

“Individuals Impacted”; “Information Accessed”; “Identity Protection Services”; “Mailed Notification”; “Toll-Free Hotline”, and other forms of information and support services.

Above all, the website identifies exactly which types of customers were affected and allows customers to understand the likelihoods of their account(s) being attacked or not. The company did not leave ambiguity or a subtle attempt to assure customers that they weren’t endangered, yet actually were.

Follow in their Footsteps

Aside from taking on the most rigorous forms of cyber protection available to any business, the takeaways from how the CEOs of Home Depot and Anthem Inc. not only reacted and accounted for their victimised customers, but for how they attended to their needs in the aftermath, point to the importance of cyber protection and internal company awareness that CEOs must seek as a prerequisite to their risk prevention strategies.

On a Personal Note

Breaches to companies happen daily, we talk about this a lot. Cybercriminals have a far easier job than their predecessors had, we know that too. Cybersecurity is not impenetrable and there will always be holes for attackers to utilize and find their way in. However, knowing how to react when it happens or better yet, finding the “holes” before the attackers do, is key to evading the next attack or at least protecting your brand.