OK, here goes - I think she’s done a decent job.
For the legions of self-righteous communications professionals (I use the term loosely) who have jumped on the ‘let’s beat up Dido Harding’ bandwagon, the title and first line of this article will be enough for me to be condemned as an apologist for the recent TalkTalk hack. I’m definitely not that – based on what has been said on the record it seems to me that the company itself has been at best careless, and at worst negligent, in its failure to protect the personal data and identities of its customers.
I’ve also never met Harding and I don’t have any personal or professional association with TalkTalk. But as part-owner of a PR agency operating in the technology sector, and as someone who has headed communications and investor relations for a similar public company, I do have a professional interest. Like many in the comms industry I’ve been watching the story unfold and, on balance, my view is that in very difficult circumstances Harding has acquitted herself well.
The primary criticisms of TalkTalk appear to be:
• That the company failed to adequately protect customer data
• That the company failed to encrypt the data in question (or that they didn’t know if it was encrypted)
• That Harding failed to communicate with the company’s customers in a timely fashion
• That the company is taking a hard line in refusing to release customers from their contracts
So let’s deal with those criticisms one by one. On the issue of failing to protect the data in the first place, it would appear that TalkTalk is guilty as charged. But should we be holding Harding personally responsible? If she knowingly ignored the warning signs of the last two hacks at TalkTalk then perhaps we should.
I very much doubt that is the case though and if we examined her outbox, I’m willing to bet there are very strongly worded demands that her security team get their act together. We surely can’t expect every chief executive to have an encyclopaedic knowledge of cyber security – that’s not their job – and so she has to rely on the experts she has, or sack them and get a new team.
As far as the encryption question is concerned, this is probably a red herring. The sort of hack being described would involve the hacker being granted access rights that would decrypt any encrypted data, and so it really doesn’t matter if it was encrypted at source or not. There isn’t much Harding could do about that once the hack had taken place and I’m certainly not going to condemn her for knowing little of data encryption technologies.
Now we move to things that were in Harding’s control, starting with the initial communication being delayed by 36 hours from the point the hack was discovered. Of course there has been conjecture that the hack happened days or even weeks before that. But this is another red herring - guess what, the very nature of hacking means that you don’t necessarily know you’ve been hacked until you start seeing the collateral damage.
Having been involved in similar situations I have a fair idea of what Harding faced. I’m assuming she assembled her internal team very quickly for an initial assessment and that was likely followed by calls to the Metropolitan Police Cyber Crime Unit, to the relevant regulators, to board members and a host of others.
What we don’t know is what happened after that initial flurry, but it is almost certain (and sensible) that the security team would have wanted some time to secure the ‘holes’ before the CEO went public with a statement saying the system had been hacked. It also isn’t beyond the bounds of possibility that the Met asked for time to investigate before the announcement was made just in case the trail was still ‘hot’.
The initial announcement was textbook crisis management. Harding was honest, open, apologetic and didn’t hold back. She let everyone know what the worst possible outcome was and individual customers and financial institutions were put on alert to watch for any suspicious activity. She may have looked like a rabbit in the headlights during that first television interview, but that probably had more to do with a lack of sleep and the immense complexity of dealing with the fallout. Those who haven’t held a senior role in a large, regulated, B2C public company will have no idea what it is like dealing with the multiple pressures of customer, shareholder, regulator and other stakeholder communications in a crisis situation.
Finally, on the hard-line attitude to customer contracts, this is also an understandable position. TalkTalk is a public company and as a result, whether we (or she) likes it or not, Harding has a primary fiduciary responsibility to her shareholders to limit the financial impact. TalkTalk is a low margin business, and customer churn has a dramatic impact on the bottom line. I’m sure she will have thought very carefully about the position; however, it now appears that the leaked data, by itself, isn’t enough for customers to be exposed to financial loss if they take normal precautions and follow the advice given. It was the right decision in my view – even if it wasn’t particularly palatable.
To summarise, it’s an incredibly difficult position to be in and to handle professionally and intelligently. Assuming I’m broadly correct in my analysis of the situation, Harding has performed credibly and limited the damage to the company and to its customers as far as possible. What she does next to restore the reputation of the company will be the real measure of her tenure as CEO of a company that remains in crisis.
Ian Hood is managing director of Babel PR.