When the media wrongly implicates you in a third-party data breach

Posted by Kelly White on May 1, 2018 6:48:15 PM

Be Prepared: The Media Might Drag You into a Vendor Data Breach Mess Even if Your Data Wasn’t Compromised


When your vendor gets breached, you might be dragged into the mess by the media even if your data was not compromised. Consider the recent case of the [24]7.ai data breach.

On April 4, 2018, online chat application vendor [24]7.ai publicly reported that they had “an incident potentially affecting the online customer payment information of a small number of our client companies…” Shortly afterwards, well-known corporations Delta, Sears, Kmart and Best Buy released statements acknowledging that their customer data was impacted by this breach.

Most of the media coverage stuck to the information that was publicly confirmed by the companies impacted by the breach, but a few articles were more speculative. One such example was published by CNET, which, through some fast internet sleuthing, discovered an unrelated article that mentioned other [24]7.ai customers (yourstory.com). Leveraging that information, CNET publicly speculated that these companies may also have been victims of the [24]7.ai breach:

“It's not clear if other companies have been affected. A January profile of [24]7.ai listed American Express, AT&T, Best Buy, Citi, eBay, Farmers Insurance and Hilton as possible clients of the chat company as well. A [24]7.ai spokesperson declined to comment, citing confidentiality agreements” (www.cnet.com).

This happened within hours of [24]7.ai’s initial public disclosure of the breach. Of the companies on CNET’s speculation list, only Best Buy confirmed later that day that its data was in fact compromised. The other companies on that list have made no public comment on the matter, likely indicating they were not impacted. But it’s also likely that those companies are nonetheless fielding unnecessary calls from customers, the press, and even regulators whose interest would be piqued by a journalist’s unsubstantiated pondering.

Reasonable speculation is to be expected from journalists seeking interesting stories for their readers. Unfortunately, media speculation can also create a public relations problem for companies that are falsely named in incidents such as breaches. In such a situation, control of your own narrative is lost, and unnecessary cycles are spent on damage control.

While granting permission for your vendor’s public use of your name is common practice for satisfied customers, in an environment of rampant data breaches, it is probably worth thinking twice before allowing that privilege.

 

Topics: Vendor Risk Management, Third Party Risk