cybersecurity

Storytelling Lessons From Capita’s Handling Of Its Data Breach

I suppose it’s ironic that a company offering cyber-security services gets hacked. But if it is then surely the upside is that it knows how best to communicate about it. Not it would appear, if you are outsourcing giant, Capita plc. 

PROs are being given a ringside seat in the difficulties inherent in such a situation but also how not to handle communications following a data breach. This is a real world scenario we will be using in our media and crisis training. Particularly on how to frame your issue or crisis with a compelling narrative even when you’re not sure what has happened. 

Is this a crisis for Capita? I do not think it poses an existential threat to the company and with only a 10% fall in its share price in the first three weeks, maybe investors don’t think so either (albeit that its share price is at its lowest in two decades). But it is an issue that’s gotten out of hand, delivering one more dent to its already tarnished reputation.

On 22 March this year, state-sponsored hackers compromised Capita’s IT systems. Capita only became aware of the breach on March 31 when staff were prevented from logging into their systems. The IT outsourcing business has since issued two statements to the stock market that have been short and lacking in detail. Was this due to embarrassment? A desire not to fan the flames of reputation damage? A shrugging acceptance that they are one of the 39% of businesses to identify a cyber attack each year? Or some diktat of silence from the government given the large number of central and local government clients they have?

The first statement on April 3 referred to a “cyber incident” and said there was no evidence that data had been compromised. The next statement on April 20 acknowledged that there had been a data breach affecting 4% of its server estate. But that was only because The Sunday Times reported on April 16 that customer and staff information was being sold online.being unaware of this was not the best look for a company of Capita’s size and standing.

We are frequently asked in our media and crisis training which is more important in crisis communications – speed or accuracy? The answer is that speed is desirable and accuracy essential. And ideally you deliver both. Capita has been behind the curve throughout, forced to make admissions step-by-step as the full scale of the problem is revealed. This is a PRO’s nightmare – if you don’t know what has happened, then what should you be communicating? 

When you lack the full picture, put yourselves in the shoes of others. Remember that the victim of the attack is not your organisation. It is the customers and contacts whose private and personal information may have been compromised. What do they need to hear? 

It is natural not to want to draw attention to failure or to pour oil on troubled waters. But keeping quiet while trying to unpick exactly what has happened is contrary to good crisis communications practise. It leaves space for speculation and when external events move more quickly than you do, customer and public trust breaks down. The longer you take to come clean (or take to realise that there is something to come clean about), the more your customers will feel their trust has been violated. While you prevaricate, the criminals have more opportunity to exploit the data.

So what should Capita be communicating? The tenets of crisis communication are to express concern, commit to action and offer perspective. Capita has fallen short on all three but particularly on offering perspective. Who you are as a company can be a valuable touchstone to guide your response to an issue or crisis. 

Capita has failed to frame its media response with an engaging and compelling narrative – what among its values and competencies will be brought to bear to resolve this? What added value can Capita imply that it offers over rivals in managing this situation?  What in its record can give us confidence that it is ahead of the curve? 

The media and stakeholder context to the situation is that Capita suffers from a poor corporate reputation – for service delivery, for returns to shareholders, and as an employer. Instead of using the situation as an opportunity to redress some of this, Capita is testing – and eroding – trust. Instead of using all this media attention as an opportunity to define or reinforce its story, Capita has allowed others to set the narrative. 

Does it need help in defining what this is?

What next?

For help to prepare your organisation to manage a crisis and how to best communicate with the media and other stakeholders, call Andrew Caesar-Gordon on 020 7323 2770 or email us here https://www.electricairwaves.com/contact-us.

Scroll to Top