Data Breaches and Effective Crisis Communication: A Comparative Analysis of Corporate Reputational Crises

Abstract

Online data breaches are recurrent and damaging cyber incidents for organizations worldwide. This study examines how organizations can effectively mitigate reputational damage in the aftermath of data breaches by hacking through situational crisis communication strategies. Comparable data breach crises do not have an equally negative impact on organizational reputation. Base responses such as comprehensive and exhaustive guidelines and detailed explanations about the incident to consumers helped to reduce the damage. Corporations responding to data breaches by hacking benefit from admission of responsibility, in spite of the initial characterization of such crises as victim crisis types. Organizations that primarily relied on one single strategy performed better than those that inconsistently blended strategies. Denial in particular was ultimately detrimental to organizational reputation. Self-disclosure allowed companies to positively influence media reporting. Social media communication did not play an important role in the response of the organizations involved. The consistent and timely adoption of compensation, apology, and rectification strategies, combined with reinforcing strategies such as ingratiation and bolstering, positively influenced reputational recovery from the crisis.

Funding

No funding

Author information

Corresponding author

Correspondence to Sanneke Kuipers.

Ethics declarations

Conflict of interest

The authors have no conflicts of interest to report.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendices

Appendix 1: Press Releases

| Number | Reference | Date (d/m/y) |
|---|---|---|
| PR1 | Anthem, 2015a | 05/02/2015 |
| PR2 | Anthem, 2015b | 06/02/2015 |
| PR3 | Anthem, 2015c | 13/02/2015 |
| PR4 | Capital One, 2019a | 29/07/2019 |
| PR5 | Capital One, 2019b | 23/09/2019 |
| PR6 | Equifax, 2017a | 07/09/2017 |
| PR7 | Equifax, 2017b | 02/10/2017 |
| PR8 | The Home Depot, 2014a | 18/09/2014 |
| PR9 | The Home Depot, 2014b | 06/11/2014 |
| PR10 | Global Payments, 2012a | 30/03/2012 |
| PR11 | Global Payments, 2012b | 01/04/2012 |
| PR12 | Global Payments, 2012c | 12/06/2012 |
| PR13 | Target, 2013a | 19/12/2013 |
| PR14 | Target, 2013b | 20/12/2013 |
| PR15 | Target, 2013c | 20/12/2013 |
| PR16 | Target, 2013d | 21/12/2013 |
| PR17 | Target, 2013e | 23/12/2013 |
| PR18 | Target, 2013f | 24/12/2013 |
| PR19 | Target, 2013g | 27/12/2013 |
| PR20 | Target, 2013h | 10/01/2014 |
| PR21 | Target, 2013i | 03/02/2014 |
| PR22 | TJX, 2007a | 17/01/2007 |
| PR23 | TJX, 2007b | 21/02/2007 |
| PR24 | SONY, 2011a | 26/04/2011 |
| PR25 | SONY, 2011b | 03/05/2011 |
| PR26 | SONY, 2011c | 04/05/2011 |
| PR27 | SONY, 2011d | 05/05/2011 |

Appendix 2: Media Sources by Case

| Case | Outlet | Code | Author(s) | Title | Date (y/m/d) |
|---|---|---|---|---|---|
| Target | Washington Post | TG1 | Timberg et al | Target says 40 million credit, debit cards may have been compromised in security breach | 2013/12/19 |
| Target | Washington Post | TG2 | Tsukayama | Target data breach: what you should know | 2013/12/19 |
| Target | Washington Post | TG3 | Yang et al | Target says up to 70 million more customers were hit by December data breach | 2014/01/10 |
| Target | Washington Post | TG4 | Jayakumar | Target breach: What you need to know | 2014/01/10 |
| Target | Washington Post | TG5 | Tsukayama | Target says customers signing up for free credit monitoring after data breach | 2014/01/13 |
| Target | Washington Post | TG6 | Jayakumar | Target tries to reassure customers after data breach revelations | 2014/01/13 |
| Target | Washington Post | TG7 | McGregor | Target CEO opens up about data breach | 2014/01/13 |
| Target | Washington Post | TG8 | Douglas | Target breach could represent leading edge of wave of serious cybercrime | 2014/02/09 |
| Target | Washington Post | TG9 | Jayakumar | Data breach hits Target’s profits, but that’s only the tip of the iceberg | 2014/02/26 |
| Target | New York Times | TG10 | Harris | A Sneaky Path Into Target Customers’ Wallets | 2014/01/17 |
| Target | New York Times | TG11 | Editorial | Preventing the Next Data Breach | 2014/01/25 |
| Target | New York Times | TG12 | Perlroth | Heat System Called Door to Target for Hackers | 2014/02/05 |
| Target | New York Times | TG13 | Harris et al | Target Missed Signs of a Data Breach | 2014/03/13 |
| Target | New York Times | TG14 | Harris | Target Had Chance to Stop Breach, Senators Say | 2014/03/26 |
| Target | USA Today | TG15 | Eversley | Target confirms massive credit-card data breach | 2013/12/18 |
| Target | USA Today | TG16 | Snider | Target data breach spurs lawsuits, investigations | 2013/12/22 |
| Target | USA Today | TG17 | Malcolm | Target: Data stolen from up to 70 million customers | 2014/01/10 |
| Target | USA Today | TG18 | Prah | Target's data breach highlights state role in privacy | 2014/01/16 |
| Target | USA Today | TG19 | Kratsas | Reports: Target warned before data breach | 2014/02/14 |
| Target | USA Today | TG20 | Malcolm | Target sees drop in customer visits after breach | 2014/03/11 |
| Target | Wall Street Journal | TG21 | Sidel | Target Hit by Credit-Card Breach | 2013/12/19 |
| Target | Wall Street Journal | TG22 | Ziobro | Target Breach Began With Contractor's Electronic Billing Link | 2014/02/06 |
| Target | Wall Street Journal | TG23 | Langley | Inside Target, CEO Gregg Steinhafel Struggles to Contain Giant Cybertheft | 2014/02/18 |
| Target | Wall Street Journal | TG24 | Ziobro | Target Earnings Slide 46% After Data Breach | 2014/02/26 |
| SONY | Washington Post | S1 | Tsukayama | SONY got hacked; what should I do? | 2011/04/27 |
| SONY | Washington Post | S2 | Tsukayama | FBI looks into SONY’s PlayStation security breach | 2011/04/29 |
| SONY | Washington Post | S3 | Tsukayama | Cyber attack was large scale, SONY says | 2011/05/04 |
| SONY | Financial Times | S4 | Palmer | SONY faces lawsuit over PlayStation hack | 2011/04/28 |
| SONY | Financial Times | S5 | Brown | SONY scrambles to limit hacking scandal | 2011/05/03 |
| SONY | Financial Times | S6 | Menn et al | SONY faces fury over data delay | 2011/04/27 |
| SONY | Financial Times | S7 | Bradshaw | SONY chief in PlayStation hack apology | 2011/05/06 |
| SONY | New York Times | S8 | Schiesel | PlayStation Security Breach a Test of Consumers’ Trust | 2011/04/27 |
| SONY | New York Times | S9 | Bilton et al | SONY Says PlayStation Hacker Got Personal Data | 2011/04/26 |
| SONY | Forbes | S10 | Noer | SONY Response to PlayStation Security Breach Abysmal | 2011/05/04 |
| TJX | Washington Post | TJX1 | Nakashima | Customer Data Breach began in May 2005, TJX says | 2007/02/22 |
| TJX | New York Times | TJX2 | Dash | Data Breach Could Affect Millions of TJX Shoppers | 2007/01/19 |
| TJX | New York Times | TJX3 | Dash | Retail security breach may be biggest in U.S.—Business—International Herald Tribune | 2007/01/19 |
| TJX | New York Times | TJX4 | Stone et al | TJX Says Customer Data Was Stolen | 2007/01/18 |
| TJX | Wall Street Journal | TJX5 | Sidel | TJX Data breach poses woe for bank | 2007/01/19 |
| TJX | Wall Street Journal | TJX6 | Pereira | Wide Credit-Card Fraud Surfaces in TJX Hacking | 2007/02/25 |
| TJX | Wall Street Journal | TJX7 | Pereira | How Credit-Card Data Went out wireless door | 2007/05/04 |
| Global Payments | Washington Post | GP1 | Tsukayama | FAQ: The Global Payments hack | 2012/04/02 |
| Global Payments | New York Times | GP2 | Silver-Greenberg et al | MasterCard and Visa Investigate Data Breach | 2012/04/01 |
| Global Payments | New York Times | GP3 | Silver-Greenberg | After a Data Breach, Visa Removes a Service Provider | 2012/04/01 |
| Global Payments | Wall Street Journal | GP4 | Sidel et al | Data Breach Sparks Worry Hack Attack at Card Processor Compromises Potentially Thousands of Accounts | 2012/03/29 |
| Global Payments | Forbes | GP5 | Trefis Team | Global Payments Data Breach Exposes Card Payments Vulnerability | 2012/04/03 |
| Global Payments | Forbes | GP6 | Kosner | Massive Credit-Card Breach of Estimated 10 Million Accounts | 2012/03/31 |
| The Home Depot | Washington Post | HD1 | Peterson | The Home Depot breach put 56 million payment cards at risk | 2014/09/18 |
| The Home Depot | New York Times | HD2 | Creswell et al | Ex-Employees Say The Home Depot Left Data Vulnerable | 2014/09/19 |
| The Home Depot | Forbes | HD3 | Vinton | With 56 Million Cards Compromised, The Home Depot's Breach Is Bigger Than Target's | 2014/09/18 |
| The Home Depot | Wall Street Journal | HD4 | Sidel | The Home Depot's 56 Million Card Breach Bigger Than Target's | 2014/09/18 |
| The Home Depot | Wall Street Journal | HD5 | Banjo | The Home Depot Hackers Exposed 53 Million Email Addresses | 2014/11/06 |
| The Home Depot | USA Today | HD6 | Winter | The Home Depot hackers used vendor log-on | 2014/11/06 |
| Anthem | New York Times | A1 | Abelson et al | Millions of Anthem Customers Targeted in Cyberattack | 2015/02/05 |
| Anthem | New York Times | A2 | Abelson et al | Anthem Hacking Points to Security Vulnerability of Health Care Industry | 2015/02/06 |
| Anthem | New York Times | A3 | Abelson et al | Data Breach at Anthem May Forecast a Trend | 2015/02/06 |
| Anthem | New York Times | A4 | Bernard | Protecting Yourself From the Consequences of Anthem’s Data Breach | 2015/02/05 |
| Anthem | Wall Street Journal | A5 | Mathews et al | Health Insurer Anthem Hit by Hackers Breach Gets Away With Names, Social Security Numbers of Customers, Employees | 2015/02/04 |
| Anthem | USA Today | A6 | Weise | Millions of Anthem customers alerted to hack | 2015/02/05 |
| Anthem | USA Today | A7 | News source | Anthem/Blue Cross-Blue Shield hit with cyber attack | 2015/02/05 |
| Anthem | USA Today | A8 | Weise | First lawsuits launched in Anthem hack | 2015/02/07 |
| Equifax | Washington Post | E1 | Merle | Outrage builds after Equifax executives banked $2 million in stock sales following data breach | 2017/09/08 |
| Equifax | New York Times | E2 | Bernard et al | Equifax Says Cyberattack May Have Affected 143 Million in the U.S | 2017/09/07 |
| Equifax | Wall Street Journal | E3 | Andriotis et al | We’ve Been Breached: Inside the Equifax Hack | 2017/09/18 |
| Equifax | Wall Street Journal | E4 | Rapoport et al | States Push Equifax to Explain Why It Took 6 Weeks to Disclose Hack | 2017/10/28 |
| Equifax | Wall Street Journal | E5 | Loder | A Warning Shot on Equifax | 2017/10/06 |
| Equifax | USA Today | E6 | Weise | Equifax web snafu another reminder to protect your credit info | 2017/09/08 |
| Equifax | USA Today | E7 | Guynn | Equifax says it was not breached again, but vendor on site served 'malicious content' | 2017/12/12 |
| Equifax | USA Today | E8 | Mccoy et al | Equifax CEO retires amid cyberbreach fallout | 2017/09/26 |
| Equifax | USA Today | E9 | Dastagir | Equifax data breach: How to freeze your credit | 2017/09/09 |
| Equifax | USA Today | E10 | Weise et al | Equifax's struggle after massive security breach | 2017/09/11 |
| Capital One | New York Times | C1 | NYT | Capital One Data Breach Compromises Data of Over 100 Million | 2019/07/29 |
| Capital One | Wall Street Journal | C2 | Hong | Capital One Reports Data Breach Affecting 100 Million Customers | 2019/07/30 |
| Capital One | Wall Street Journal | C3 | Rudegeair et al | Capital One Hack Hits the Reputation of a Tech-Savvy Bank | 2019/07/30 |
| Capital One | USA Today | C4 | Tyko | Capital One suspect indicted by federal grand jury on wire fraud and data theft charges | 2019/08/28 |
| Capital One | USA Today | C5 | Baig et al | Capital One data breach: What's the cost of data hacks for customers and businesses? | 2019/07/30 |
| Capital One | USA Today | C6 | Telford et al | Here’s how to make sure you’re safe after the Capital One hack | 2019/07/30 |
| Capital One | USA Today | C7 | Siegel | Capital One looked to the cloud for security. But its own firewall couldn’t stop a hacker | 2019/07/30 |

Appendix 3: Codebook Organization’s Crisis Response Strategies

The operational definitions adopted to create the codebook have been extracted from the works of Coombs and Holladay (2010), Liu (2010) and Coombs (2007a).

| Code | Code Name | Operational Definition | Example |
|---|---|---|---|
| DENY | Ignore | To implicitly deny a crisis by refraining from responding | Initially TJX dismissed the inflammatory claims: “We're not commenting about what others are saying about the situation” [TJX6: 1] |
| DENY | Suffering | To proactively assume the role of the victim in regard to the events of the crisis | “In the last few months, SONY has faced a terrible earthquake and tsunami in Japan. But now we are facing a very man-made event – a criminal attack on us” [PR25] |
| DENY | Scapegoat | To shift the responsibility for the events towards an external party | “Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.” We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.” [PR27] “Hackers, after all, do their best to cover their tracks” [PR25] |
| DIMINISH | Justification | To minimize the impact or the proportions of the crisis event | “The data breach did not involve our merchants or their relationships with their customers” [PR11] “There have been very few reports of actual breach” [PR13] |
| DIMINISH | Deny Volition | To minimize responsibility for the event or its derivatives by asserting lack of control over its occurrence | “Given the nature of the breach, the size and international scope of our operations, and the complexity of the way credit-card transactions are processed, [The response] is, by necessity, taking time” [PR22] |
| REBUILD | Apology | To make amends for the misconduct that enabled the outbreak of the crisis | “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened, I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right” [C2] |
| REBUILD | Compensation | To offer an indemnification to the victims in order to repair damages inflicted | Identity Theft Repair Assistance: Should a member experience fraud, an investigator will do the work to recover financial losses, restore the member’s credit, and ensure the member’s identity is returned to its proper condition. This assistance will cover any fraud that has occurred since the incident first began. [PR3] |
| REBUILD | Rectification | To demonstrate full commitment to preventing future recurrences of the crisis | “Safeguarding our customers' information is essential to our mission as a financial institution. We have invested heavily in cybersecurity and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber defenses” [PR4] |
| RECTIFY | Ingratiation | To commend stakeholders and customers on their support and loyalty towards the organization | “We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable” [PR25] |
| RECTIFY | Bolstering | To draw on past merits and achievements obtained by the organization to offset the negative consequences of the crisis | “We pride ourselves on being a leader in managing and protecting data” [PR7] |

Appendix 4: Codebook Media Coverage

Based on Eisenegger (2004), cf. Cravens et al. (2003), Eisenegger and Imhof (2008), Formentin (2010), Ki and Nekmat (2014), and Weverbergh and Vermoesen (2020).

| Code | Positive | Negative | Neutral |
|---|---|---|---|
| Description | Positive statements within a publication distance the organization from the causal chain of events, reduce the degree of attributed responsibility and crisis severity, or portray appreciation for its performance history, e.g., statements that portray the organization as victim, statements that praise the organization performance before, during and after the crisis, statements that minimize the impact of the crisis | Negative statements within a publication portray the organization as directly responsible for the events, increase the degree of attributed responsibility and crisis severity, or portray disapproval for its performance history, e.g., statements that address the organization as responsible for the crisis, statements that criticize the organization performance before, during and after the crisis, statements that emphasize the impact of the crisis | Neutral statements within a publication describe the organization navigating the crisis or the crisis itself, but do not convey information on the role played by the organization within the crisis or do not qualitatively portray its involvement in terms of attributed responsibility. This also includes informative statements about the event that do not address the organization’s role in the crisis |
| Example | “Its decision to reveal the attack days after its discovery, even as the investigation is getting under way, may signal a changing attitude among corporate executives about rapid disclosures in the wake of breaches of companies”. (A5) | “Equifax's struggle to deal with the fallout from a massive security breach is growing as lawmakers are asking questions about what happened and more consumers are lawyering up”. (E6) | “Federal law requires health-care companies to inform consumers and regulators when they suffer a data breach involving personally identifiable information, but they have as many as 60 days after the discovery of an attack to report it.” (A5) |

About this article

Cite this article

Kuipers, S., Schonheit, M. Data Breaches and Effective Crisis Communication: A Comparative Analysis of Corporate Reputational Crises. Corp Reputation Rev 25, 176–197 (2022). https://doi.org/10.1057/s41299-021-00121-9

  • DOI: https://doi.org/10.1057/s41299-021-00121-9

Keywords

  • Crisis communication
  • Data breach
  • Cybersecurity