Hacking is in the news with a vengeance this week thanks to TalkTalk and their loss of the personal data for 4m customers. The details of what happened are not really clear, with police arresting a 15-year-old in Northern Ireland and bailing him out just as some security experts are suggesting it was a Russian attack.
The details will emerge in time, but as each day goes by it seems to get worse for TalkTalk. The Information Commissioner could fine the company up to £500,000 if it is proven they did not protect customer data, and lawyers specialising in class actions are suggesting that compensation of £1,000 per customer might be in order.
Ambulance-chasers will always be found circling like vultures around any corporate disaster, but three things about the customer experience really stood out for me in this crisis and none of them were handled well by TalkTalk.
1. Customers should expect security as a right; a company with millions of customers and personal financial details for each one on file just does not store customer data without serious encryption. Customers have a right to expect that their information is secure with the brands they choose to engage with.
2. Apologise in a meaningful way; TalkTalk has said that they will only consider compensation if customers have found their bank account attacked because of this data breach. Class action lawyers think they can get more even if customers have not faced a loss. Why doesn't the company make an immediate offer of some token that will encourage brand goodwill? Perhaps not charging any customer for their October bill would be an apology that every customer hears?
3. You don't attack your customers; some outraged customers have suggested that they want to break their contract so they can move to a company that will respect their personal information. The response from TalkTalk was to issue penalty notices, fining customers hundreds of pounds for wanting to leave.
In mitigation, TalkTalk were caught out. They didn't expect this to happen and the penalty clauses are an accepted feature of the standard customer contracts. However, this is now 2015 not 1995. Every large company is under daily attack from hackers; from the teenager after a few quid in ransom money to state-sponsored economic terrorism.
I am not a lawyer, but I do understand the concept of force majeure - in exceptional circumstances normal contracts do not apply. TalkTalk has broken the confidence of all their customers by not respecting their personal data. Is a customer who wants to leave their contract early any guiltier of a breach of contract than TalkTalk themselves?
If I were in the shoes of TalkTalk CEO Dido Harding I would be doing two things right now. Firstly, preparing a good resignation speech because the executive management will eventually have to take responsibility for leaving the company open to attack. A security expert from Urity Group is already saying publicly that he warned TalkTalk last September that they were extremely vulnerable to attack after he had worked on their payment systems. More warnings and stories of corporate inaction will almost certainly emerge soon.
Secondly, and possibly the most important thing the company could be doing right now, going on a charm offensive. The deck is burning. A loss of all customer data could be enough to finish many companies. They have nothing to lose so why not go all out with loyalty deals for existing customers and special packages for those customers who will join in the middle of a crisis?
Harding needs to get out there and turn the endless media discussion about the TalkTalk brand from negative to positive - if it is at all possible and while she remains in post. More charm and fewer attacks on (understandably) disgruntled customers seems to be what is needed if TalkTalk want to survive this crisis.
This blog originally featured on Engage Customer.