The spotlight seems to be off the iPad data breach story for now, which might suggest that that unsettling occurrence will join so many other sundry disasters in the endless log of yesterday's corporate crises. Actually, there are good reasons to expect that the event will generate more coverage, if not further front-page headlines, in the months ahead. Moreover, it should generate such additional attention, because there is much to be learned from the story.
As you'll recall, AT&T (T) has since mid-June taken pains to appease customers in the aftermath of a breach involving Apple's (AAPL) watershed iPad 3G, which AT&T networks. The breach occurred when hackers gained access to AT&T SIM card serial numbers for the iPad 3G along with corresponding e-mails. The breach affected not just consumers but also U.S. senators as well as Department of Justice, FCC, and NASA officials.
A central player is Goatse Security, a "security firm" actually run by the hackers responsible for compromising the iPad. Goatse sent a list of exposed email addresses -- not to the government or to AT&T -- but to a blogger site called Gawker.com. Goatse claims its purpose was to warn the public. Despite the national security implications, it's still not certain if, as of this writing, anyone really knows the extent of the damage. AT&T has assured the public that no further data was compromised and the original problem completely solved. Meanwhile, the FBI is investigating and observers expect the Bureau to take punitive action against Goatse, which is one good reason to anticipate that this story is by no means over.
The event certainly merits ongoing reflection. Beyond the specifics, there are dynamics at play with far-reaching implications on at least three levels -- as a crisis management playbook; as an example of how risk management now operates in the technology industry; and, perhaps most important, as a bellwether of social responsibility in the digital age.
AT&T's crisis management strategy has come under some question. Respected bloggers quickly pointed out that six days elapsed before AT&T disclosed the breach, which the company said it learned of on June 7. Lesson No. 1 is all about the fullest disclosure possible as soon as possible. Speed is important under any circumstances for companies that expect to control their own stories in a crisis. When public security (or safety or health) is involved, speed is the obvious strategic gold standard as every single stakeholder has a personal reason to want all the facts and right away.
When in 2009 Heartland Payment Systems, one of the nation's leading processors of credit and debit card payments, was hacked in what the DOJ believed to be the largest ever security breach up to that time, the company disclosed everything that was known about the event immediately upon getting a green light to do so from the investigating authorities. On the day of the disclosure, the company's CFO held 30 one-on-one interviews with reporters from major newspapers, newswires, and trades. Within the first five days, they spoke to their 175,000 customers. The way was paved, not only for Heartland to survive the short term, but to prevail as an industry innovator in the longer term.
During the AT&T crisis, bloggers also commented that customers may be wondering when the apologies will stop and credible remediation begin. For companies in any industry, "apology exhaustion" is now an issue in a world where everybody seems to be apologizing for something. Apologies always work best when accompanied by pledges to reform or remediate. It's how growing public cynicism about corporate penitence can be best addressed. Lesson No. 2 is therefore all about actions speaking louder than words. It's important enough to reassure customers that their information is now safe, but consumers have no particular reason to trust that the same mishaps won't recur. The more you underscore corrective future initiatives, the more confidence you restore to the brand.
Particularly interesting, one high-authority blogger takes AT&T to task for attacking Goatse, advising AT&T: "Don't apologize about a security breach and then try to downplay it because of malicious hackers." This criticism strikes us as unfair as we're actually talking here about a crisis management best practice (even, in this case, had the CEO of Goatse not also been arrested on unrelated drug charges). Under such circumstances, there is a fine line to walk. Lesson No. 3: Assume responsibility to the extent that you bear responsibility, and cast villains to the extent that villainous deeds were committed by outsiders.
There is also a specific and powerful lesson here for risk managers in the technology industry. To reduce costs, companies now send more data "into the cloud," striking diverse collaborations with other companies big and small. When they do so, they must exercise significantly more assiduous due diligence to assess if the risks involved are acceptable. What's interesting is that the secondary party really assumes the lion's share of risk. In this case, AT&T has been the piñata and Apple escaped relatively free of public censure.
A final, historically significant dimension of this story is the ambivalent public response to Goatse. One high-authority blogger even invited readers to take comfort in Goatse's assurance that the breach was not a "flat-out disaster," as if Goatse ought to be the operative authority here. "It can be debated if Goatse Security has handled this in the best way possible," concedes the blogger. Readers posted comments sharing that ambivalence. The digital media have so potently assumed the role of a self-referential tribunal that the entire data breach was confined to Internet exchanges among sites until the government got involved. In this space there are sometimes different rules to follow. The revolutionary impact of the Internet, and the overpowering pageantry with which it molds public discussion, is indeed intoxicating and, under its influence, it can be easy to forget that hackers are also criminals. In this case as in others, though, it's not something the FBI is likely to forget.