
    Telling Customers the Bad News

    By Matthew Hicks, February 19, 2001

      Egghead.com Inc. faced a nightmare before Christmas when, on Dec. 18, executives at the online technology retailer discovered that a hacker had accessed its computer systems. To make matters worse, within the first 24 hours they found out that the compromised systems included the databases that hold customer credit card information.

      Egghead.com CEO and President Jeff Sheahan quickly made a decision: To head off attempts at fraud, he would share the bad tidings with customers and key partners. By the end of that week, the e-tailer, of Menlo Park, Calif., had sent e-mail from Sheahan to 3.3 million past and present customers and issued a press release that prompted news stories nationwide.

      It was one of the few and most notable examples to date of a company informing customers soon after an Internet security breach. But the experiences of Egghead.com and others that have gone public about security lapses offer valuable lessons for e-businesses.

      As online consumers become more concerned about security and privacy issues and as new privacy laws go into effect, most e-businesses should decide in advance when and how to communicate with customers and business partners when a security breakdown occurs, experts say. Online businesses should be careful not to overreact by issuing public statements that could serve to expose them to more break-ins. But, experts say, in cases where customer information—whether credit card numbers, addresses or other records—is exposed, companies have a responsibility to tell their customers.

      If no customer information is compromised, or companies aren’t sure of the exposure, the appropriate response is murkier. Above all, e-businesses can’t ignore the issue any longer and must develop policies and procedures for communicating security breaches to customers.

      “As a rule, [companies] really don’t want this information to get out,” said Fred Rica, a partner in global risk management solutions for PricewaterhouseCoopers, in Florham Park, N.J. “They’re afraid of eroding customer confidence and afraid that other people may try to exploit that security breach again.”

      No Doubt

      Egghead.com has been an exception to that rule. The company started getting the word out in the few days after the breach by contacting the major credit card companies with which it works. Egghead.com told them to be alert to the possibility of fraudulent charges and to consider reissuing customers’ cards.

      The next step was to reach customers. Egghead.com took a two-pronged approach Dec. 22, sending the customer e-mail and informing the media. The security hole made headlines, some unflattering. And some customers complained that they wanted even more. But Sheahan said the publicity was worth it.

      “There was never any doubt this was the right way to go,” Sheahan said. “I have a personal belief that when you’re open and honest with people, good things generally happen.”

      With its uncommonly open approach, Egghead.com may have avoided a larger sales and public relations disaster. Sales for the week between Christmas and New Year’s—right after the disclosure—met the company’s pre-hack expectations, Sheahan said. As of press time, Egghead.com had yet to report its fourth-quarter 2000 earnings, which could offer more details on the security breach’s effect.

      But, experts say, e-business managers should resist going public with information about security breaches unless there’s a strong indication that customer information has been compromised. Public statements can alert hackers to your security vulnerabilities, and the more hackers know about a company’s security methods, the easier it can be for them to attack systems.

      Companies might be better served by solving certain internal security problems discreetly, PricewaterhouseCoopers’ Rica said. Examples include a virus attacking a company’s e-mail system or hack attempts thwarted before they do significant damage.

      Well-known sites face five or six hack attempts on most days, said Simon Perry, vice president of security services at Computer Associates International Inc., in Islandia, N.Y. Most companies don’t want to alarm customers about each attempt. But if customer privacy is at risk, proactive communication is the best defense, experts say.

      Also, for public companies, if a security breach could affect the company’s financial performance, then it needs to warn shareholders of the risks, said John Pescatore, an analyst at Gartner Group Inc., in Stamford, Conn.

      Even in cases where customer information remains safeguarded, companies should be ready to discuss their security problems publicly. The defacement of a company’s Web site or denial-of-service attacks, for example, can grab customer attention. Hackers and the media are eager to disclose such incidents. E-businesses that find themselves subject to such unwanted attention should be prepared to explain what happened and how the situation is being fixed, experts say.

      Companies such as Travelocity.com LP discovered how quick the media is to notice breaches. Late last month, the site accidentally revealed the names and addresses of about 40,000 site visitors who participated in online contests. The Fort Worth, Texas, online travel services company learned of its mistake from media reports and then issued a public statement about the problem.

      “That’s the environment we’re in right now, and it’s a very new environment especially for IT experts who are used to dealing with IT and security issues as an internal issue,” said Thomas Barritt, senior vice president and director of issues management at public relations company Ketchum, a subsidiary of Omnicom Group Inc., in New York. “Now the public knows much more about it and knows the risk about providing personal and financial information online.”

      Be Prepared

      While experts praise companies such as Egghead.com for communicating quickly with customers, they add it’s not enough just to react to security breaches. Long before there’s a problem, companies need to come up with policies and procedures for how they will handle customer and media communications as part of their Internet security plans, experts say. That was one step Egghead.com hadn’t taken before its crisis. Sheahan said the company has since turned what it learned into guidelines for communicating security problems.

      When a company decides to inform customers of a security breach, it needs to be careful about what it says. It must make it clear it is taking action to solve a security problem and be upfront about what risks customers face, Gartner’s Pescatore said.

      Once the word is out, companies must remember that customers will want continual updating. That was one crack some customers found in Egghead.com’s approach. After its initial e-mail to customers Dec. 22, the company waited until Jan. 8 before providing any direct update. That led some news outlets to write about customer frustration in waiting for Egghead.com to tell them whether their credit card numbers were fraudulently taken.

      For Bill Caswell, an Egghead.com customer who found a fraudulent charge on his credit card bill, the e-mails didn’t provide enough information. Caswell, of Silver Springs, Md., wanted details on what type of charges to look for on his credit card bill. He called his credit card issuer once he noticed a bizarre charge from a Russian telecom company. His bank blamed the Egghead.com hack.

      For its part, Egghead.com has acknowledged that about 7,500 of its customers reported fraudulent charges, but the company maintains that none were linked to its breach and could have occurred from other companies’ security problems. Egghead.com officials said they were limited in what they could tell customers after the company’s first e-mail because the hack had led to an investigation by the Federal Bureau of Investigation, Sheahan said. Also, Sheahan said that he delayed updates because he wanted security experts brought in to diagnose the problem to first find out what was compromised.

      At the same time, Egghead.com assigned about a dozen customer service representatives to handle customer calls about the security issues.

      With the heightened awareness of security and privacy and an economy beating up on dot-coms, e-businesses can’t afford to lose customers. They must be prepared to share bad news with customers when security failure comes, said Deborah Pierce, a staff attorney for the Electronic Frontier Foundation, an advocacy group in San Francisco.

      “If companies are serious about wanting to build trust on the Net, then this is one of the key places where they can prove it,” Pierce said.

      Matthew Hicks
      As an online reporter for eWEEK.com, Matt Hicks covers the fast-changing developments in Internet technologies. His coverage includes the growing field of Web conferencing software and services. With eight years as a business and technology journalist, Matt has gained insight into the market strategies of IT vendors as well as the needs of enterprise IT managers. He joined Ziff Davis in 1999 as a staff writer for the former Strategies section of eWEEK, where he wrote in-depth features about corporate strategies for e-business and enterprise software. In 2002, he moved to the News department at the magazine as a senior writer specializing in coverage of database software and enterprise networking. Later that year Matt started a yearlong fellowship in Washington, DC, after being awarded an American Political Science Association Congressional Fellowship for Journalist. As a fellow, he spent nine months working on policy issues, including technology policy, for a Member of the U.S. House of Representatives. He rejoined Ziff Davis in August 2003 as a reporter dedicated to online coverage for eWEEK.com. Along with Web conferencing, he follows search engines, Web browsers, speech technology and the Internet domain-naming system.