In light of the recent hacking and targeting of data in major industries, we wanted to see how a few of the largest data breaches in the past three years have been covered by the media and how affected companies reacted.
This week, Capital One was enjoying some nice press following their commercial featuring Taylor Swift, before they broke the news that they’d suffered a data breach back in March. After the company listed the details on all platforms, news sites quickly began picking up the story Monday night.
With last week’s news cycle heavily featuring Equifax’s reckoning with their own data breach in 2017, we thought it would be a good idea to dive deeper into what happens after reports of a data breach surface, and how companies have handled distribution of information in the aftermath.
Equifax Data Breach Engagements to Web Content in 2017
We’ll start with Equifax in 2017: The breach lasted from mid-May through July of 2017. Hackers were able to access people’s names, Social Security numbers, birth dates, addresses and even some driver’s license numbers. Credit card numbers for just over 200k people were stolen, and the personal information of some people in the UK and Canada was also hacked. Equifax did not publicly announce the breach until six weeks later, and worse for the fallout, it was revealed later that three of the company’s top execs sold Equifax shares mere days after the breach was discovered on July 29th. Stories about the breach did not break until September, and Equifax tweeted September 7th acknowledging it, but people were furious about the lack of transparency during the incident.
Nearly 35,000 articles covered the breach, driving 2.1 million interactions across all networks. The sheer number of people affected, 143 million, and the high sensitivity of the data hacked launched the breach into the news cycle for weeks. As far as recourse for the massive breach? Last week, nearly two years after the original announcement, consumers were just barely starting to submit claims after Equifax agreed to a $671 million resolution on July 22.
Coverage of their long-awaited restitution has peaked at 2.2 million engagements, and stories instructing those affected how to file a claim have topped the list.
Equifax Data Breach Engagements to Web Content in 2019
Moving into 2018’s security incidents, Under Armour announced a data breach affecting millions of users. On March 29, Under Armour released a statement notifying users of the MyFitnessPal app that there had been a data breach in late February, affecting 150 million people’s accounts.
Under Armour Data Breach Engagements to Web Content in 2018
Under Armour reported the affected information included usernames, email addresses, and hashed passwords but did not include government-issued identifiers (Social Security numbers and driver’s license numbers) because MyFitnessPal does not collect those. Local publisher Baltimore Sun (where Under Armour’s headquarters are located) broke the initial story and overall coverage peaked at a manageable 72,000 engagements, significantly lower than Equifax’s 2.1 million engagements.
Under Armour’s decision to alert customers only four days after learning about the breach, both through a company statement and the MyFitnessPal app where the breach occurred, seems to have contributed to a shorter period spent in the news cycle. The type of data stolen was less sensitive than in the Equifax breach, which also might have helped calm the media storm.
Capital One Data Breach Engagements to Web Content 2019
Finally, hot on the heels of Equifax’s payout and resolution for its 2017 breach, Capital One announced their data breach by way of a company statement on July 29th, which quickly spread to various news outlets, the first of which was local publisher The Houston Chronicle. Past data breach coverage has often emerged from smaller, local publishers before being picked up by mainstream outlets. Capital One posted a statement directly to their website as well as pushing out links to all of their social platforms.
Capital One is still at the height of their coverage, and as of August 1st, engagements to stories about the breach are at 1 million and climbing. While they only waited 10 days to formally announce the breach after being notified of it on July 19th, the sensitivity of the data (Social Security numbers, bank account numbers, credit scores, limits, and balances) has launched the incident into much higher engagement numbers.
While there isn’t a national law detailing how long companies have between the time they’re made aware of a breach and when they need to disclose it to the public, Connecticut, Florida, Maine, New Mexico, Ohio, Rhode Island, Tennessee, and Vermont have laws with timelines ranging from 30 days to 90 days. And as we’ve seen in the case of Under Armour, speed in notifying customers of security incidents may help quell widespread panic. Capital One’s story is still developing, but based on past events, here are a few things to note:
- Most companies push an initial statement to their website, with a quote or apology from the CEO
  - Though in the case of Under Armour, it was Paul Fipps, their Chief Digital Officer
- Statements from the company are highly scrutinized on Twitter (particularly in the case of Capital One)
- This type of security incident isn’t a typical PR crisis: customers aren’t outing the company for data breaches. Usually companies release statements first, then the media picks it up, and companies have already considered how they’ll respond
- Sensitivity of the data hacked contributes greatly to the number of articles written and engagements, more so, it seems, than the number of people affected
- How long it takes for the public to be notified after the company learns of the breach also contributes to the level of controversy around the breach