When you see something play out enough times, you start to notice patterns. I was reflecting on this today as I watched The AA rapidly digging themselves in deeper and deeper after publishing 13GB worth of customer data to the internet, including partial credit card data. Which they denied:
The AA Shop data issue is now fixed, No Credit Card info was compromised & an independent investigation is under way. We're sorry.
— The AA (@TheAA_UK) July 3, 2017
Problem is, this statement is entirely false, as Graham Cluley subsequently pointed out:
Yes - despite what it says - AA customer credit card data was exposed https://t.co/JJGwjj1DDN pic.twitter.com/R8mMOTzUbS
— Graham Cluley (@gcluley) July 4, 2017
Right about now, a sane person would think "well, it's time to come clean and face the music", but it turns out that's just not The AA's style:
A firm just warned me that I "could be in breach of the Computer Misuse Act" because I posted a (redacted) screenshot of their leaked data
— Graham Cluley (@gcluley) July 4, 2017
Which got me thinking about the whole data breach pattern thing and in particular, how it relates to the 5 stages of grief. And a data breach in many ways is like that: it's a series of emotions experienced by someone who's lost a loved one, it's just that the loved one is their data! But seriously, it actually aligns well and it both explains The AA's behaviour and foretells what's about to come next. Let's go through it.
1. Denial
Let's be fair - a breach is always going to come as a shock. It's an emotional time and reactions are often compulsive and not well thought through. It's not overly surprising that we see statements like this:
It's not just The AA, many have gone before them and as I said earlier, it's a predictable pattern. We saw exactly the same thing from PayAsUGym (also in the UK):
Question for folks in the UK - does "credit card information" mean something different there to what it does here? pic.twitter.com/IEBNa49cO5
— Troy Hunt (@troyhunt) December 19, 2016
But the denial stage is fleeting and it rapidly descends into the next stage - anger.
2. Anger
Apparently, anger is a part of the healing process and if that's the case, The AA must be on the mend because that seems to be where they are now if Graham's earlier tweet is anything to go by:
A firm just warned me that I "could be in breach of the Computer Misuse Act" because I posted a (redacted) screenshot of their leaked data
— Graham Cluley (@gcluley) July 4, 2017
A company on the receiving end of a breach is looking for someone to blame: "Who did this?! This is outrageous! We're gonna get you!" They're pissed and if we put aside our frustration at their behaviour for a moment, you can understand this. They've been broadsided by something they didn't see coming and whilst yes, it's almost always due to shortcomings on their own part (The AA published their database backup to a public website with no access controls), you've gotta have a little sympathy for the predicament they're now in.
Regardless, their present behaviour has now landed them squarely in Streisand effect territory as the press increasingly covers their ridiculous responses. I suspect that over the next couple of days, The AA will emerge from the anger stage and enter the next one - bargaining.
3. Bargaining
This is an important stage of data breach grief because it's the beginning of the acceptance that there's no putting the genie back into the bottle. The breach has happened, now we've gotta deal with it.
Bargaining takes many forms, for example an admission of guilt: "Ok, we screwed up, here's what happened" and along with it, an offering of sincerity: "We're sorry this happened". I actually caught a little glimpse of this in an earlier tweet, although it still clearly shows signs of being in the denial stage:
The AA Shop data issue is now fixed, No Credit Card info was compromised & an independent investigation is under way. We're sorry.
— The AA (@TheAA_UK) July 3, 2017
The bargaining stage involves attempting to win back consumer confidence: "You can trust us - we're taking it seriously". I hope The AA will be here by the end of the week and the passage of the weekend will allow them to transition into the next stage - depression.
4. Depression
Until this stage, there's a lot going on: media attention, angry customers and yes, bloggers and folks on social media giving the company a hard time. But it's fleeting - it always is - and once the initial noise has died down, there's real work to be done.
The company now has to reflect on what went wrong and how it was all handled. This is not fun and yes, heads may roll. Ashley Madison was a prime example with the incident ultimately leading to the resignation of the CEO. I'm not sure exactly how it will play out with The AA but we've certainly seen precedents where it's been an exceptionally hard stage for the organisation.
There are also regulators to deal with. In this particular case, that's the UK's ICO (Information Commissioner's Office) and they're now reportedly looking into things:
We are aware of an incident involving the AA and are making enquiries
I imagine that "depressed" is a reasonable adjective to use when describing how you'd feel when under investigation by a regulatory body with precedents such as the ICO recently fining TalkTalk £400,000. Especially in light of The AA having been informed of the breach in April, electing not to notify impacted customers and then misleading the public via false statements intended to downplay the severity, it's fair to assume that discussions with the regulatory body will be "depressing".
But eventually, they'll come out the other side and into the final phase - acceptance.
5. Acceptance
Sooner or later, every company ends up "owning" its data breach. The reality of the situation catches up, the cleanup and the regulatory responsibilities are handled and life goes on. As with PayAsUGym, The AA will ultimately fess up, admit to the loss of card data and give their customers the answers they deserve. There is no alternate ending as far as an admission goes, there is only acceptance of the facts.
I did a talk in Amsterdam a couple of days ago to hundreds of people at TomTom titled Clouds, Codes and Cybers and someone asked "Have you ever seen a company handle a data breach well?", to which I responded, "Yes, there's actually a very good precedent of this". I played a piece from a recent talk on responsible disclosure and I've embedded a video at precisely that point here. Have a listen to how the CEO of the Australian Red Cross Blood Service owned their breach:
Shelly and co would have gone through all the same stages of grief, yet they got through to acceptance within 72 hours. Every company eventually reaches acceptance and business ultimately resumes, it's just a question of how much pain they inflict on themselves and their customers whilst they get there.
Summary
This is almost certainly an unfamiliar process for The AA and to a degree, I can empathise with their reaction insofar as I can see what's causing them to behave in this way. But for folks like Graham and myself (and many of our readers), it's just another day on the internet and another data breach playing out to a predictable end.
There will be many good tech folks within The AA doing much face-palming at the way this has been handled. Many times in the past, I've covered incidents where a company has been sorely lacking in either their security or their public responses and have subsequently had people from within the organisation approach me at events telling me just this: that they despaired at how their company handled the incident but equally, that the coverage forced positive change. The reaction from The AA isn't representative of these people; it's lawyers and PR people attempting to put a spin on the incident without the foresight to realise the inevitable conclusion, nor an understanding of how the fundamentals of security and privacy on the web work.
For the good folks there genuinely attempting to get things back on track, maybe slip this link up the chain: Data breach disclosure 101: How to succeed after you've failed
Edit (a couple of days later): Right on schedule, The AA transitioned into the bargaining stage:
AA apologises, and confirms customers' partial credit card data *was* exposed https://t.co/itEY7NagpJ pic.twitter.com/khoGg1k9Ws
— Graham Cluley (@gcluley) July 7, 2017
As I said earlier, this was a predictable end, it's just a shame they didn't do the right thing in the first place and have instead had to suffer the indignity of being caught misleading their customers. But again, this is a predictable pattern and it won't be the last time we see it either, but at least I now have a handy reference point for how it will play out again in future :)