Cyber attacks cost retailers millions and lessons from a ‘PR Nightmare’
Fallout from the historic Optus data breach continues to be acutely felt, with the full extent of the damage to Optus’ brand credibility as a result of the cyber attack unlikely to be known for months or even years to come. Meanwhile, consumers and retailers alike are warned to be vigilant as Black Friday events are predicted to see a rise in instances of online scam attempts.
Cyber security is, understandably, a hot topic in Australia currently following the hacking event suffered by telecommunications giant Optus in early September. The scale of the public response to the breach is matched largely only by the scale of the breach itself, with approximately 9.8 million current and former customers impacted.
The company’s story is nonetheless not as unique as many might believe. Take, for example, the data breach suffered by online food order and delivery platform DoorDash in late August. According to a statement on behalf of the company, certain data maintained by the platform was impacted as a result of the targeting of a third-party vendor by a “sophisticated phishing campaign”.
If you’ve spoken to your parents lately, you might already have an idea of what ‘phishing’ means, as cyber scammers increasingly target older generations via social media platforms such as Facebook, where their demographic is overrepresented. But for those to whom the term is unfamiliar, ‘phishing’ might best be described as messages or correspondence designed to mislead a target into either revealing sensitive information or opening dangerous links through which hostile malware can target their data. That said, you may well recognise phishing attempts from your own inbox.
For DoorDash, a third-party vendor engaged by the platform succumbed to this phishing attempt, which saw an unauthorised party gain access to the company’s internal tools. The attack was the result of a widespread phishing campaign believed to have targeted a multitude of other companies in recent months and years. To the benefit and credit of DoorDash, swift action on its part in responding to the cyber attack saw the potential damage greatly minimised, and the company acted equally swiftly to enhance its cyber security.
The response by Optus to its breach, in comparison, has been far more underwhelming – with the telecommunications company’s credibility already suffering as a result.
According to findings from Meltwater, a leading media intelligence and data analytics company, media reports concerning Optus saw a 25 percent spike in negative coverage following the data breach in addition to a drop of 13 percent in positive coverage. Having enjoyed an average split before the breach of 18 percent positive to eight percent negative, Optus has seen the scales tip dramatically following the breach to sit at 33 percent negative versus only 5 percent positive.
This is thanks in no small part to what has been described as a ‘PR disaster’ on the part of Optus following the event, from which valuable lessons can be drawn for businesses and business owners from all industries. Unlike DoorDash, Optus made no attempts to contact affected and potentially affected customers as a matter of urgency, with a majority of those affected reporting having discovered news of the data breach from the media before receiving any contact from Optus directly.
“It is with great disappointment that I’m writing to let you know that Optus has been a victim of a cyberattack,” read an email from Optus to customers, sent days after the breach had occurred. The ‘PR Disaster’ was further compounded by a series of excuses and attempts at minimisation from Optus and its leaders, such as that implied in a written statement by Optus CEO Kelly Bayer Rosmarin, “Importantly, no financial information or passwords have been accessed. The information which has been exposed is your name, date of birth, email, and the number of the ID document you provided such as drivers license or passport number.”
Never mind that such information being breached sees victims drastically exposed to attempts at identity theft, arguably a more insidious and catastrophic crime that any individual might fall victim to.
Optus and Rosmarin further attempted to assert that the breach could not have been avoided, with Rosmarin saying in a taped statement, “I’m disappointed that we couldn’t have prevented it.”
This is quite a contrast to how the breach was described by Australia’s Federal Minister for Cybersecurity Clare O’Neil in an interview with the ABC on Monday, during which she said, “What is of concern for us is how what is quite a basic hack was undertaken on Optus. We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen.”
The lessons are perhaps particularly important for retailers to learn now as they prepare for the months ahead. Retail, already the fourth most targeted industry for financial cyber crime globally, is preparing for sales events such as Black Friday, and data suggests that in the period leading up to these events consumers and retailers alike are subjected to an even higher volume of attempts to victimise them with scams and hacks online. This comes with cybercrime, particularly ransomware attacks, already costing retailers millions of dollars.
In its ‘State of Ransomware in Retail 2022’ report, UK-based security software and hardware organisation Sophos showed that the average cost for retailers to respond to successful ransomware and scam attacks was as high as US$1.97 million in 2021, with the number of retailers falling victim to ransomware attacks spiking dramatically in the same period. All told, 77 percent of retailers reported being hit by ransomware in 2021, up from 44 percent in the previous year, with 55 percent of retailers reporting a rise in instances of cyber attacks overall.
The risk and instances of cyber attacks reportedly see a further rise during periods leading up to sales events like Black Friday. In data released earlier this week, the UK’s Office for National Statistics (ONS) reported that half of all adults had received ‘phishing’ messages within the past month, with more than half of these reporting that the scammers had posed as a delivery company. Almost 30 percent, meanwhile, reported scammers taking the appearance of an e-commerce company or retailer.
With online purchases expected to pick up during sales events such as Black Friday and across the holiday period, the rise in phishing attempts taking the appearance of either delivery or e-commerce sees the risk posed to consumers increase dramatically. Simultaneously, as attempts at cyber crime become more advanced and sophisticated, the risk to retailers also only continues to increase in anticipation of busy shopping periods.
And as the ongoing story of Optus demonstrates, the financial ramifications of successful cyber crime attacks are not the only potential source of pain that retailers can suffer, with damages to brand credibility likely to be just as catastrophic.
With October marking Cyber Security Awareness Month, Power Retail will be continuing the story of cybersecurity, threats to the retail industry and how businesses can prepare and safeguard themselves in the week ahead. This article is the second part of this mini-series. Stay up to date as next week we look at cyber solutions and protections for retailers by subscribing to Power Retail’s newsletter today.