
The 5 Stages of Data Breach Grief

When you see something play out enough times, you start to notice patterns. I was reflecting on this today as I watched The AA rapidly digging themselves in deeper and deeper after publishing 13GB worth of customer data to the internet, including partial credit card data. Which they denied:

Problem is, this statement is entirely false, as Graham Cluley subsequently pointed out:

Right about now, a sane person would think "well, it's time to come clean and face the music", but it turns out that's just not The AA's style:

Which got me thinking about the whole data breach pattern thing and in particular, how it relates to the 5 stages of grief. And a data breach in many ways is like that: it's a series of emotions experienced by someone who's lost a loved one, it's just that the loved one is their data! But seriously, it actually aligns well and it both explains The AA's behaviour and foretells what's about to come next. Let's go through it.

1. Denial

Let's be fair - a breach is always going to come as a shock. It's an emotional time and reactions are often compulsive and not well thought through. It's not overly surprising that we see statements like this:

No credit card info was compromised

It's not just The AA, many have gone before them and as I said earlier, it's a predictable pattern. We saw exactly the same thing from PayAsUGym (also in the UK):

But the denial stage is fleeting and it rapidly descends into the next stage - anger.

2. Anger

Apparently, anger is a part of the healing process and if that's the case, The AA must be on the mend because that seems to be where they are now if Graham's earlier tweet is anything to go by:

A company on the receiving end of a breach is looking for someone to blame: "Who did this?! This is outrageous! We're gonna get you!" They're pissed and if we put aside our frustration at their behaviour for a moment, you can understand this. They've been broadsided by something they didn't see coming and whilst yes, it's almost always due to shortcomings on their own behalf (The AA published their database backup to a public website with no access controls), you've gotta have a little sympathy for the predicament they're now in.

Regardless, their present behaviour has now landed them squarely in Streisand effect territory as the press increasingly covers their ridiculous responses. I suspect that over the next couple of days, The AA will emerge from the anger stage and enter the next one - bargaining.

3. Bargaining

This is an important stage of data breach grief because it's the beginning of the acceptance that there's no putting the genie back into the bottle. The breach has happened, now we've gotta deal with it.

Bargaining takes many forms, for example an admission of guilt: "Ok, we screwed up, here's what happened" and along with it, an offering of sincerity: "We're sorry this happened". I actually caught a little glimpse of this in an earlier tweet, although it still clearly shows signs of being in the denial stage:

The bargaining stage involves attempting to win back consumer confidence: "You can trust us - we're taking it seriously". I hope The AA will be here by the end of the week and the passage of the weekend will allow them to transition into the next stage - depression.

4. Depression

Until this stage, there's a lot going on: media attention, angry customers and yes, bloggers and folks on social media giving the company a hard time. But it's fleeting - it always is - and once the initial noise has died down, there's real work to be done.

The company now has to reflect on what went wrong and how it was all handled. This is not fun and yes, heads may roll. Ashley Madison was a prime example with the incident ultimately leading to the resignation of the CEO. I'm not sure exactly how it will play out with The AA but we've certainly seen precedents where it's been an exceptionally hard stage for the organisation.

There are also regulators to deal with. In this particular case, that's the UK's ICO (Information Commissioner's Office) and they're now reportedly looking into things:

We are aware of an incident involving the AA and are making enquiries

I imagine that "depressed" is a reasonable adjective to use when describing how you'd feel when under investigation by a regulatory body with precedents such as the ICO recently fining TalkTalk £400,000. Especially in light of The AA having been informed of the breach in April, electing not to notify impacted customers and then misleading the public via false statements intended to downplay the severity, it's fair to assume that discussions with the regulatory body will be "depressing".

But eventually, they'll come out the other side and into the final phase - acceptance.

5. Acceptance

Sooner or later, every company ends up "owning" its data breach. The reality of the situation catches up, the cleanup and the regulatory responsibilities are handled and life goes on. As with PayAsUGym, The AA will ultimately fess up, admit to the loss of card data and give their customers the answers they deserve. There is no alternate ending as far as an admission goes, there is only acceptance of the facts.

I did a talk in Amsterdam a couple of days ago to hundreds of people at TomTom titled Clouds, Codes and Cybers and someone asked "Have you ever seen a company handle a data breach well?", to which I responded, "Yes, there's actually a very good precedent of this". I played a piece from a recent talk on responsible disclosure and I've embedded a video at precisely that point here. Have a listen to how the CEO of the Australian Red Cross Blood Service owned their breach:

Shelly and co would have gone through all the same stages of grief, yet they got through to acceptance within 72 hours. Every company eventually reaches acceptance and business ultimately resumes, it's just a question of how much pain they inflict on themselves and their customers whilst they get there.

Summary

This is almost certainly an unfamiliar process for The AA and to a degree, I can empathise with their reaction insofar as I can see what's causing them to behave in this way. But for folks like Graham and myself (and many of our readers), it's just another day on the internet and another data breach playing out to a predictable end.

There will be many good tech folks within The AA doing much face-palming at the way this has been handled. Many times in the past, I've covered incidents where a company has been sorely lacking in either their security or their public responses and have subsequently had people from within the organisation approach me at events telling me just this: that they despaired at how their company handled the incident but equally, that the coverage forced positive change. The reaction from The AA isn't representative of these people; it's lawyers and PR people attempting to put a spin on the incident without the foresight to realise the inevitable conclusion, nor an understanding of how the fundamentals of security and privacy on the web work.

For the good folks there genuinely attempting to get things back on track, maybe slip this link up the chain: Data breach disclosure 101: How to succeed after you've failed

Edit (a couple of days later): Right on schedule, The AA transitioned into the bargaining stage:

As I said earlier, this was a predictable end, it's just a shame they didn't do the right thing in the first place and have instead had to suffer the indignity of being caught misleading their customers. But again, this is a predictable pattern and it won't be the last time we see it either, but at least I now have a handy reference point for how it will play out again in future :)


Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals