What is the long term reputational effect of a cybersecurity breach? TalkTalk – 12 months later

Cybersecurity has featured heavily in the news during 2016, with large data breaches at Yahoo, LinkedIn, O2 and Sage all making the headlines.

The World Economic Forum’s Global Risks Report 2016 ranked cybersecurity as the greatest risk to doing business in North America and the second biggest risk for the UK. Globally, cyber attacks rank among the top five risks for 27 different economies.


The financial consequences of a cyber breach are increasing significantly with suggestions that Yahoo’s breach could cost its stakeholders $1bn, while TalkTalk was hit with a record £400k fine by the Information Commissioner’s Office (ICO), following a breach of over 150,000 customers in October 2015.

This could get even more severe. With new EU legislation due to come into effect in 2018, the Payment Card Industry Security Standards Council (PCI SSC) has warned that UK companies could be at risk of up to £122bn in penalties related to cyber breaches.

When TalkTalk originally suffered the breach in October 2015, alva analysed the effect this had on its reputation, potentially impacting customer retention and new customer purchasing intent.

A year on from the breach and in light of the record fine, we wanted to revisit this incident to understand more about the longer-term effects of a data breach, including:

  • Has TalkTalk’s reputation recovered?
  • How closely is TalkTalk still associated with cybersecurity?
  • How has the wider issue of cybersecurity evolved since this incident?

Has TalkTalk’s reputation recovered?

One of the most interesting factors about the TalkTalk breach was that it was not an isolated incident. The October 2015 breach was actually its third in a 12-month period and our analysis showed that each subsequent breach magnified the reputational damage to the company and prolonged the exposure.

Most companies in our report that had suffered a single breach saw a good recovery in their reputation after just three days; however, TalkTalk’s was still falling in this period. So how long did it take for TalkTalk to normalise and how has its reputation evolved since?

Figure i: TalkTalk: Short term impact of October 2015 Cyber breach


In the three-week spell before the breach, TalkTalk’s reputation score was relatively steady, averaging out at 5.36.

However, as Figure i shows, the strong negative reaction to the breach meant that it took another 24 days (A–B) for its reputation to recover to a similar score, and this was only for a single day.

TalkTalk’s reputation continued to fluctuate strongly after this, including a pronounced trough following coverage of the arrests of the accused hackers in late November. It took until the final weeks of the year before its reputation recovered to a level similar to its pre-breach score.

This shows that the October breach continued to directly affect TalkTalk’s reputation for almost two months (A-C), 19 times longer than the 3 days experienced by most other hacking victims we analysed.

Expanding the period analysed, we can also review the medium-to-longer-term effect.

Figure ii: TalkTalk: Medium-Long term impact of October 2015 Cyber breach


Figure ii shows TalkTalk’s sentiment trend in the 12 months following the breach. While TalkTalk’s reputation did begin to level off again, its average reputation in 2016 is still 2.26% lower than the 90 days prior to the October breach. In fact, if we focus on the most recent 30 days (26th July – 23rd October 2016), the gap is widened further to 3.02%, partially due to the burst in negativity around the ICO fine.

Another interesting point is that all the major dips in TalkTalk’s reputation correlate with incidents related to the third data breach. This suggests it is a sticky issue and we will investigate this in greater detail later in this piece, when we analyse how closely the brand is still associated with cybersecurity.

It is also interesting to consider how TalkTalk’s issues fit in with the wider Telecoms industry. Our data reveals that the general reputation of the Telecoms sector is very stable. When we remove TalkTalk from the analysis, the industry’s average reputation in 2016 is identical to the average score prior to TalkTalk’s breach (5.59).

During the period following TalkTalk’s 3rd cyber breach, when its reputation was most negatively affected, the wider industry actually saw a slight reputational increase (5.61). It would therefore appear that TalkTalk’s difficulties were not influenced by wider industry issues and the industry itself escaped any related fallout from the issue.

Prior to the third breach, TalkTalk’s reputation trailed the sector average by 3.64%. In 2016, TalkTalk’s reputation now trails the sector average by 6.08%, highlighting the impact the cyber breach has had. In an industry with a consistent reputation, any fall of this nature means that the company faces a significant challenge to regain consumer confidence.

Overall, we can see that in the short term, TalkTalk’s reputation took significantly longer to rally than other brands who only experienced a single breach. However, what will be of more concern is that even a year on, its reputation has not fully recovered to the level it had before the October 2015 breach.

How closely is TalkTalk still associated with cybersecurity?

In the ten months leading up to the October 2015 data breach, cybersecurity only accounted for around 1.5% of all content related to TalkTalk. This was double the industry average of 0.7% of content related to this issue, but as TalkTalk had experienced two breaches in this period, it had weathered the problem well.

However, since the breach, 17% of all TalkTalk’s content has been related to cybersecurity, highlighting the extent to which the brand has become connected with the issue.

Figure iii: Percentage of TalkTalk’s content related to cybersecurity, before and after Oct 15 breach


To understand more about how the issue has progressed since the breach, we can isolate the topic of cybersecurity and track how often it is discussed in connection to TalkTalk, and the sentiment score for just this issue.

Figure iv: Volume of TalkTalk content related to cybersecurity


Content volumes for cybersecurity peaked at just under 23,000 in October and November 2015, so Figure iv zooms in to highlight the general trends across the last two years. What soon becomes clear is that following the third breach, cybersecurity is now much more associated with the brand.

The peaks in cybersecurity content closely correlate with the steepest sentiment declines in Figure ii, emphasising the impact that this issue has on TalkTalk’s overall sentiment. It is also revealing to note that while the company suffers high volumes of negative coverage from incidents that are out of its control, e.g. the arrests and trials of the hacking suspects, TalkTalk was also vulnerable from its own announcements, such as its financial results or its communications around the arrests of its staff in India.

Looking at how this fits within the wider Telecoms sector, we examined TalkTalk alongside 11 of its peers to discover how this incident affected its standing in the industry, and to check if TalkTalk’s cybersecurity issues were becoming associated with the sector as a whole.

In the ten months before the October 2015 breach, 7% of all content related to Telecoms cybersecurity referenced TalkTalk, roughly the split expected across 13 companies.

However, since the breach, TalkTalk has been referenced in 60% of all cybersecurity content about the Telecoms sector. This huge increase shows that TalkTalk is now five times more associated with cybersecurity than its closest peer.

Figure v: Telecoms content related to cybersecurity before TalkTalk breach


Figure vi: Telecoms cybersecurity content after TalkTalk breach (Oct 15-Oct 16)


We have seen that TalkTalk’s sentiment experienced a series of strong troughs since the breach, but should the wider telecoms industry be concerned that they have been tarred with the same brush?

Overall we can see that the connection between TalkTalk and cybersecurity has proven to be robust. This has been amplified by the ongoing legal action and by the first financial results following the breach. It will be interesting to review if this connection remains in subsequent company announcements or once the legal cases are resolved.

However, the record ICO fine would suggest that it will have some influence in how the 2017 announcement is reported and it will be up to TalkTalk to factor that into its communications.

How has the wider issue of cybersecurity evolved since this incident?

TalkTalk has shown the impact a series of cyber breaches can have on both the short and longer-term reputation of a company. This potential for reputational damage, as well as increasing fines, has placed cybersecurity high on the agenda of many of the world’s leading brands, but how have public perceptions changed in the last year? 

Figure viii: Monthly content volumes related to cybersecurity across all industries


Despite some high profile corporate victims, the amount of public discussion related to cybersecurity has actually been declining over the last two years.

There are numerous possible explanations for this fall. In 2015, Marsh’s UK Cyber Risk Survey Report recorded 60.8% as having a basic-to-complete understanding of the threats cyber security risks posed to their business. In 2016, this had risen to 83.8%, suggesting that businesses have generally become more robust around this issue, taking it more seriously at board level and thus taking internal security steps that reduce the risk of exposure.

Nevertheless, this does not mean they are immune. The UK government revealed that two thirds of large UK businesses have been hit by a cyber attack in the last year. Looking ahead, another recent survey of information security professionals stated that 72% expect their organisation to have to respond to a major cyber breach within the next year.

The sheer volume of incidents means that only the major breaches are reported in the press, while consumers are also becoming more familiar with the topic, meaning it is no longer as shocking an issue. There is a degree of reluctant acceptance that determined hackers can occasionally breach even the most secure platforms.

However, while an increased familiarity with the subject may result in a reduction in column inches, it does not necessarily mean that the public view of cybersecurity has shifted.

The issue is still viewed very negatively with an average score of around 4. There is not a single week in which public sentiment even reaches the neutral score of 5.5.

Overall, this suggests that while coverage may be falling on this issue, the public and media will still react with strong negativity if they view a serious incident as being due to negligence on the part of the company that was hacked.

Conclusions & Takeaways

Even a year on, it is clear that TalkTalk is still suffering reputational damage from the large October 2015 cyber breach. This presents a significant challenge for the Corporate Affairs and Communications teams who find themselves in similar situations.

When there are legal procedures, there will occasionally be events that widely reference the incident (arrests, trials, verdicts) which are out of their control, but reinforce the issue in the public consciousness.

However, it is also important that they view the company’s other major communications through the lens of this issue. They can potentially mitigate negativity by anticipating how these announcements will be perceived in relation to the incident and frame the message accordingly.

In TalkTalk’s case this could have reduced suspicion and fears of another breach when arrests were made in their Indian call centre, as well as contextualising their executive pay strategy when their yearly financial results were announced.

Therefore, it is vital to identify the issues that are of the most concern to your stakeholders, track how they develop over time and consider how they might affect other company communications and prepare these in advance.

Cybersecurity issues can have long-lasting effects:

After the October 2015 breach, TalkTalk’s reputation took two months to stabilise. Even a full year on, its reputation is still lower than the pre-breach levels.

The Telecoms industry has been largely unaffected by cybersecurity:


The reputation of the wider telecoms sector has remained steady across the previous 12 months, indicating that it has not been tainted by the issue.

TalkTalk is now associated with 60% of all cybersecurity content related to the sector, five times more than its closest peer.

A company risks cementing the association if it becomes the “poster child” for an issue:


A company which becomes closely associated with a negative issue can see this permeate into the long-term consciousness of both the media and consumers.

This means that they are regularly referenced when a similar incident occurs to another brand, keeping the visibility of the issue high and reminding the public of the original incident.

Cybersecurity coverage is falling but consumers won’t accept negligence:

Content related to cybersecurity has steadily declined across the last two years, but it has remained a highly negative subject.

When a breach is large enough to receive mainstream coverage, or the company is seen to be at fault, the media and public response can still be severe.
