A cyberattack that exposed the personal information of more than 53 million people, including names, addresses, dates of birth, Social Security numbers and driver’s license information of current and previous customers, was reported to T-Mobile, the US’s second-largest mobile service provider, on August 13. This is the fourth known data breach at T-Mobile since 2018.
On August 15, T-Mobile reported that an investigation of a security breach was underway. On August 26, John Binns, a 21-year-old American living in Turkey, shared in an interview with the Wall Street Journal that he was the hacker behind the security breach. Binns described his entry point into the cellphone carrier’s data center and how he accessed more than 100 servers. Binns said, “… their (T-Mobile) security is awful.”
Fourteen days after becoming aware of the massive security breach, and one day after the WSJ interview, CEO Mike Sievert finally went public on August 27. Sievert stated, “We didn’t live up to the expectations we have for ourselves to protect our customers.” Sievert’s public post on the company’s website included news of T-Mobile’s plan to partner with two consulting firms to prevent future cybersecurity disasters, a two-year offer of free identity protection services and instructions for resetting PINs and passwords.
Nowhere in his public statement did Sievert explain why the breached confidential personal information was not encrypted. Nowhere in his public statement did Sievert – as CEO – take personal responsibility for the security breach. Nowhere in his public statement did he acknowledge the inconvenience and potential pain his customers and former customers might suffer as a result of their private data being breached.
With 90 million customer accounts, the damage to the T-Mobile brand with this fourth breach in three years could be massive. The damage to Mike Sievert’s personal brand may also be massive. Time will tell.
Last week, the Federal Communications Commission announced an investigation into this latest T-Mobile failure. Two years ago, after its data breach failure, Equifax, the $3.5 billion consumer credit reporting agency, entered into a $700 million settlement with US officials. With over $68 billion in revenue in 2020, what fine will T-Mobile pay for its lapse of security?
At some point in time, every company faces a crisis. These are the moments that can define companies, brands and CEOs. Three steadfast rules should govern CEOs when mistakes are made and things go wrong. They are:
- When a crisis arises, the CEO must be front and center, seen as personally managing the crisis. While T-Mobile knew of the breach on August 13, it took two weeks, a day after the hacker went public, for Sievert to issue a public statement.
- When the crisis arises, the CEO has to acknowledge the issue and accept personal responsibility. When Sievert finally issued his public statement, he didn’t comment on the headaches and problems for the millions who had their name, address, SSN, date of birth and driver’s license numbers compromised. A statement on the company’s website two weeks after T-Mobile learned of the cyberattack doesn’t cut it as a heartfelt personal apology to impacted customers.
- Most importantly, when a crisis occurs, the CEO needs to overcorrect. When Johnson & Johnson experienced the Tylenol murders, the CEO pulled product and developed tamper-resistant packaging. When Wal-Mart experienced a fatal shooting in its El Paso, TX store, it stopped selling handguns and ammunition. What did T-Mobile do? They offered assistance on how to change your PIN and password and a couple of years of identity protection service. Could something more financially meaningful for loyal customers be offered? A free month of service? A free phone upgrade? A generous gift card? Something meaningful to show “we care” to valuable customers.
The old adage about life, “It’s not what happens to you but how you react to it that matters,” holds true for CEOs and companies that stumble.
While Sievert whiffed on CEO rules 1 and 2 of crisis management, there’s still time to salvage rule 3 by overcorrecting. The window of opportunity is quickly closing. Will Sievert recover and handle T-Mobile’s latest crisis in a way that protects his company’s brand, restores confidence to customers and shareholders and bolsters his leadership?
Here’s an opportunity for Mike Sievert. It’s time to pivot. How about taking personal responsibility for the mess and recovery? How about providing a heartfelt, deep apology to those who have been affected? And how about overcorrecting by doing right by your customers? Following the three rules of crisis management will help Mike Sievert and his Team Magenta shift the story, boost stakeholder confidence and ensure this latest crisis doesn’t go to waste.