Analysis: There is little precedent to show how much a cyber attack affects reputation.
TalkTalk‘s cyber-breach in 2015 was a watershed moment for cyber security, not just because of its scale, but because it was one of the first to really impact the headlines.
The iCloud hack of 2014, which saw the private photographs of celebrities being released to the public, was another example, as was the Ashley Madison hack in 2015 or the Sony hack in late 2014.
Where it differed from the above breaches, however, was that rather than Hollywood actors, people seeking affairs or the employees of a company, the victims were ordinary telecoms customers. In addition, the details that were stolen were not simply embarrassing but financial; they could potentially be used to steal significant amounts of money from customers.
Perhaps it should not be a surprise then that TalkTalk saw its share of new customers in the home services market fall 4.4 percent in the last three months, according to Kantar WorldPanel. Only 1.4 percent of these people gave reliability as a reason for joining TalkTalk.
Apparently 7 percent of its broadband base turned to a different provider in the same period, with 40 percent of this lost share going to BT.
Almost a fifth of those leaving cited ‘poor reliability’ as the direct cause. This was a dramatic increase from the previous quarter, when fewer than 1 percent cited this reason.
This is not the first evidence of this. According to YouGov BrandIndex, all of TalkTalk’s reputation scores plummeted quickly after the event.
The Buzz score, which measures whether a respondent has heard something positive or negative about a brand in the last two weeks fell from -1 to -50.
TalkTalk’s Reputation score fell from -10 to -34 by 26 October. Meanwhile, the Recommend score fell from -7 to -39.
Another more tangible effect of the hack has been that since 22 October, TalkTalk’s share price has fallen 27 percent.
However, the decline of TalkTalk’s reputation is only part of the picture.
Bob Tarzey, Analyst and Director, at Quocirca said that he had not observed "much evidence of Sony customers abandoning the company after it was attacked."
"However, a gaming vendor will have a stronger bond with customers than a utility broadband provider," he said.
As Tarzey notes, telecoms providers are subject to a certain amount of ‘churn’ anyway, with factors such as marketing and promotions, as well as special offers, often luring customers from one to another.
"The point is that any Talk Talk loss of subscribers needs to be understood against background churn.
"Anyone considering changing broadband provider will have heard the bad headlines and perhaps been put off. So, it could be that people are leaving Talk Talk at the same background rate, but it is finding it harder to attract new subscribers to replace them."
- 21 October: The hack takes place. A Distributed Denial of Service attack is used as cover as hackers exploit a vulnerability in the site and customer details are stolen.
- 23 October: TalkTalk announces the hack in a post on its website. It is believed that as many as 4 million customer accounts may have been affected. CEO Dido Harding confirms on the same day that the company received a ransom note from a group claiming responsibility for the breach. The Metropolitan Police launches an investigation into the attack.
- 26 October: TalkTalk customers claim to have been affected by the data breach before the data and time given by the company. Pensioner Judy Gunning, interviewed in the Mirror and Telegraph claimed to have lost £15,000 after being contacted on 10 September.
- 27 October: First suspect arrested in connection with the hack, a fifteen-year-old boy, under the Computer Misuse Act.
- 30 October: Another suspect arrested.
- 6 November: TalkTalk reveals that only 4 percent of customers’ data was accessed in the hack. This meant that 156,959 customers had their personal details accessed. TalkTalk also said that the credit and debit card numbers that were accessed were obscured.
- 11 November: Harding reveals estimates of a one-off cost to the company of between £30 million and £35 million.
- 25 November: A further arrest is made.
- 15 December: Harding gives evidence to the Culture, Media and Sport select committee to defend her company’s record on cybersecurity.
This aftermath to a cyber-attack is by no means universal. The adultery website Ashley Madison has actually seen its share of subscribers increase since it was hacked in August, from around 37 million then to over 43 million at the time of writing.
However, the lack of a comparable event to the TalkTalk hack means that it is hard to see a smooth path to restoring trust after an attack.
"Customers have lost faith in TalkTalk as a trustworthy brand," said Imran Choudhary, consumer insight director at Kantar Worldpanel. "If it’s to recover from recent events TalkTalk will need to offer more than just good value."
Quocirca’s Tarzey said, "Its best bet is if a competitor gets hacked too, showing that all companies are vulnerable.
"That would show: first, if its competitors are any better prepared for such an event (which would not be too hard) and second, if consumers are really respond to security concerns more than other factors (which I doubt.)"
In Harding’s hearing with the Culture, Media and Sport Committee, she accepted that "of course [she] would" have done more on cybersecurity if she had the time again.
She also said that "I’m not going to pretend I think that TalkTalk got everything right; clearly there will be lessons for us to learn from this."
However, she was firm in defending the procedures that were already in place.
"I am confident that we had a very robust and clear plan."
She said that cybersecurity was an item at every board meeting and that the board had detailed in-depth sessions three times in the course of the last nine months.
So while the telco believed at the time that it was doing all that it needed to do to prevent one, it couldn’t be aware of the gaps in its awareness. It is hence difficult to draw a clear line between cybersecurity investment and a lack of attack and impossible to guarantee invulnerability.
This is just one problem. Even in a perfect world where TalkTalk could invest heavily in cybersecurity, plug the gaps in its defences that it is aware of and be certain of never suffering another attack, it is unclear how it can translate this into a clear pitch to customers.
TalkTalk’s performance in the future will reveal whether significant damage has already been done.