Of Data and Airlines
A Crisis Poorly Handled
It’s both
what you say and how you say it that’s important. In a crisis, credibility and
empathy stand out as two of the most important factors – for stakeholders
believing you, and for the opportunity for reputational return.
Without
these in unison, your chances are pretty slim.
So that brings
me to an incident today.
Malindo
Air, and its data breach affecting potentially over a million customers –
customer names, addresses, phone numbers, passport details, dates of birth –
enough data to actually do some serious damage, especially in the wrong hands.
The story
broke online around lunchtime today, and was trending this afternoon for a
while.
On the
surface, it appears Malindo did the right things in containment … UNTIL … their
spokesperson murmured a few words, and their PR team released a Media
statement.
Then, CREDIBILITY
LOST.
As netizens
are getting angry at yet another failure to protect their rights with respect
to data; Malindo’s authorised representatives failed on two levels.
Malindo CEO
spoke to news media (South China Morning Post; quoted in other articles), and
admitted that they were aware of the issue as early as last week – so what
happened in the intervening days – when they could have reached out to affected
stakeholders – but chose to keep it hush-hush.
Their press
release today made it sound like they were just jumping to action regarding
this issue – yet the issue is already passed.
So, are
their stakeholders important to them?
Today’s
acknowledgement of the issue suggests not.
But let’s
delve further into their response mechanism – the media statement. This is the
one to me that really says that the stakeholders are marginal at best,
certainly not prioritised.
“Malindo
Air has put in adequate measures to ensure that the data of our
passengers is not compromised in line with the Malaysian Personal Data
Protection Act 2010”.
It’s all in
the choice of words. And I’m not impressed!
Words have
meanings beyond their written form – words have tone and texture too – which help
to construct depth of meaning. The choice of words used in the press release
signify that they are underplaying the issue, and have not prioritised this
concern for affected customers.
The tone of
the term adequate measures shows a very casual approach to the overall
issue for data protection, but also tries to put itself on top of the issue,
and contract itself out of the issue before an actual investigation is made.
The words are weak, and do not inspire confidence at this time, and offer no
reassurance to those impacted.
Media
statements in times of crisis need to be both factual and empathetic. This one
comes across as weak, evasive and condescending, and smacks of attempting to
evade responsibility for something that, regardless of cause, they have a
responsibility for. Not exactly trust-building or credibility-enforcing from
the written word perspective.
“We are in
the midst of notifying the various authorities both locally and abroad”. The
Borneo Post quote the CEO as telling the South China Morning Post that they
were aware of the issue last week; but … had only initiated an investigation
yesterday (Tuesday).
If this was
known about last week, why has this not already been done, but written in the
present tense as only just started after it went public today. A knee-jerk
reaction which doesn’t tally between the words of the spokesperson and the
official media statement released.
More like, “shit
happens; we’ll deal with it when the time is right”.
Key in
crisis management of any form is making sure everyone is working from the same
playbook – not sewing seeds of discontent by appearing to have different
versions of the story. Alignment between the CEO’s information and the Media
Statement issues should have been paramount.
And worse
still, no apology whatsoever.
Your fault
or not, it is always good to demonstrate some form of remorse or issue an
apology to those affected. Issuing an apology is not an issue of guilt, but a
connection of humanity which should be done at the earliest stages.
Not exactly
the endearing attitude or comforting words that one wants to hear.
____________________
Malindo’s
published Media Statement as below:
Petaling
Jaya, 18th September 2019 - Malindo Airways Sdn Bhd has come to be aware that
some personal data concerning our passengers hosted on a cloud based
environment may have been compromised. Our in house teams along with external
data service providers, Amazon Web Services (AWS) and GoQuo, our e-commerce
partner are currently investigating into this breach.
Malindo Air
has put in adequate measures to ensure that the data of our passengers is not
compromised in line with the Malaysian Personal Data Protection Act 2010. We
also do not store any payment details of our customers in our servers and are
compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).
We are in
the midst of notifying the various authorities both locally and abroad
including CyberSecurity Malaysia. Malindo Air is also engaging with independent
cybercrime consultants to investigate and report into this incident.
As a
precautionary measure, we would advise passengers who have Malindo Miles
accounts to change their passwords if identical passwords have been used on
their other services online. We will continue to provide further updates
through our website, mobile and social media platforms.
__________
Sources: https://www.focusmalaysia.my/Snippets/malindo-air-investigates-passenger-s-data-breach
www.malindoair.com
Sources: https://www.focusmalaysia.my/Snippets/malindo-air-investigates-passenger-s-data-breach
www.malindoair.com
No comments:
Post a Comment