Optus writes a new chapter in the crisis handbook
Welcome to a midweek edition of Unmade.
Unmade’s paying members received this email 90 minutes before everyone else. That could be you.
How could so much go wrong for a brand in just a week?
The leak of Optus’s customer database, revealed last Thursday, was a disaster in itself, but in the days that followed, the company’s crisis has got worse.
This morning’s front page of the Sydney Morning Herald website spells out just how bad things are for the company, and its CEO.
It’s a perfect storm, tangling brand, PR and government relations, both federal and state.
Just as communications professionals still talk of Qantas’s handling of the 2010 QF32 emergency as a masterclass of crisis communications, Optus will likely be an example discussed for a decade too. The lessons may be harder to learn.
Before we go back to the week that just unfolded, the point is worth making that large companies facing predictable crises should already have a playbook written. For Optus, that seems to have been missing, despite the fact that it knew the risks.
One of the legal requirements of being a listed company is that the board needs to consider and disclose the risks it might face. In the case of Optus, owned by the conservative, Singapore-based Singtel, it’s all there on page 82 of the company’s 2021 annual report. Talk about foreshadowing:
Right down to the risks of customer backlash, litigation, and fines, it was all written down.
In fairness, that was just one of many risks identified in that annual report. While Optus executives do go through PR crisis simulations, they’ve previously been focused on what seemed the more likely scenario of a widespread network outage. Remember Vodafone’s Vodafail?
Putting aside the data leak itself, one of the reasons Optus now finds itself in such difficulties is because of how the news agenda unfolded in the days that followed. Could that be different if Optus had made different communications choices? There were a number of moments where the trajectory might have changed.
Early in the process, the company described the leak as being the result of a “sophisticated” attack. When a contradictory version of events began to emerge, suggesting Optus had effectively left a back door open, CEO Kelly Bayer Rosmarin struggled with how to address that in media interviews.
PR advice for brands in such circumstances is usually to take responsibility; debating the finer points looks slippery. Better perhaps to take the approach from the beginning that the brand accepts full and unequivocal responsibility until it understands better what has occurred.
Optus has also made conventional PR moves which created more backlash nonetheless. When experiencing this sort of issue, brands are often advised to position themselves as being the victim (for want of a better word) rather than perpetrator. In Optus’s case nobody was buying it.
Perhaps it was clumsiness in executing that tactic.
A low point came in a live radio interview with Sydney radio station 2GB, given by director of corporate affairs, regulatory and public affairs Sally Oelerich. Unfortunately, when the case studies are written this will be a good example of what not to do. It’s worth following the link above to listen to the interview, which 2GB lists on its site as “a trainwreck”.
It’s rarely a good idea to put up a comms person as a spokesperson for a brand ahead of the CEO, and certainly not on live radio - doubly so on a tough station like 2GB.
Oelerich seemed to get bogged down in the fact that she was herself an Optus customer who had her details leaked. Revealing that might have worked as a single point, to show empathy with other customers that she understood their concerns, but she was there to speak for Optus and seemed unwilling to do that when questions were put in that way. She also seemed to have a poor understanding, or to be unable to articulate, what had happened and how the brand was handling it. Not everyone is a radio natural, particularly under pressure - but if you’re not, somebody who is better at it needs to do it.
I am also surprised that a week on, the company is yet to use advertising to make its apologies. In the past, it’s done a good job in articulating its contrition for less damaging previous blunders like the #Floptus World Cup streaming problems on the Optus Sport app, back in 2018.
I understand that getting the tone correct is difficult when the public have opinions on how much Optus is to blame compared to the hacker, but sometimes doing nothing is not a neutral option.
It helps to apologise loudly, and on your own terms. In the noise, it will have been lost to some that CEO Bayer Rosmarin did say sorry during her interviews. I must admit, I had to go back and check, and I bet I’m not the only one who missed it. Advertising can help address that. When the news stories are not telling it how the brand would wish, long copy ads are a counterbalance. The best time to start running them would have been last Saturday. The second best time is now.
Routine marketing will go on the back burner for a while. Expect promotions, but nothing in the way of big brand building for some time. We won’t be seeing much from the expensive ambassadors Ash Barty as Chief of Inspiration and Daniel Ricciardo as Chief of Optimism.
It’s such a pity when it felt like the brand had real momentum as a proper challenger to Telstra.
Another decision which will be reviewed down the track is whether the company made the correct call in emailing its customers in batches, based on how likely they were to have had important ID documents exposed. As a result there are plenty of the 11m people on its database who are yet to receive even a direct communication.
However, simply sending an email blast to 11m at once is trickier than it may seem. I’m not sure there are email platforms capable of that.
The company is also unfortunate in the timing of the crisis, so soon after new ministers took on the technology portfolio with the change of federal government.
When it really needed support from within government, Optus instead ended up in a battle with Home Affairs and Cyber Security Minister Clare O’Neil over the question (which should ultimately have been a side issue) of whether it was or was not a sophisticated attack. O’Neil is Australia’s first cyber security minister and was only appointed back in June.
With as inflammatory an issue as this, the federal government was not going to provide Optus with any air cover at the expense of dragging itself into the firing line. I suspect that there had not been time before the disaster to develop a working relationship between Optus and O’Neil’s office. While that may be a failing of the public affairs team, it’s also not uncommon when governments change and portfolios are shuffled.
The public affairs team has more questions to answer about the strategic blunder of getting into an argument with O’Neil about the sophistication of the attack than they do the tactical mistake of the 2GB interview.
It was also a bad look to fail to be clear from the start about whether Medicare details had been breached too. If the company knew this earlier and did not disclose it, it again looks slippery.
The fact that the question of issuing new driving licences - and who will pay for them - devolves to a state level just adds to the public affairs tangle of talking on back channels to multiple state governments.
Down the track, it will be interesting to see if reporting lines stay the same internally at Optus. At present there are different reporting lines for the marketing team and the communications team.
Andrew Sheridan, VP of regulatory and public affairs at Optus, reports in to former NSW premier Gladys Berejiklian who was named as MD of enterprise, business and institutional back in February. Berejiklian has so far avoided putting her head above the parapet in the debacle.
Meanwhile VP of marketing Melissa Hopkins reports through to a separate managing director in Matt Williams.
With that org chart, I’m not sure who - other than the CEO - would have been responsible for drawing up a playbook across the organisation for this sort of event.
There’s a growing argument that the lines between marketing and communications are now so blurred that they should both go into the same place in any brand.
Admittedly that’s difficult in highly regulated spaces like telcos and banks, but perhaps the answer is to have communications report through to the CMO, and leave public affairs and regulatory as a separate discipline.
Optus is some way from being through this, even if the hacker (who does seem to be a kid based on the fact that, Austin Powers style, he or she only wanted one million dollars in ransom) is telling the truth about now deleting the database.
The company is so far refusing to say whether it paid the ransom or not. The reason it gives for that is because of the criminal investigation, but again it risks looking slippery. One way or another, it needs to find a way of getting that information into the public domain.
Meanwhile, potential class actions will keep the case in the courts and the public eye for years to come. It may also be a trigger for further data protection legislation. The drum is now beating louder for something on as large a scale as Europe’s GDPR.
What I don’t detect is any glee from competitors. There is a sense that it could happen to any brand. Few CMOs are close enough to the technology to truly understand whether their brand really does have the security locked down - they have to cross their fingers and rely on other departments for that.
With cases like this, it’s easy to assume from the outside that the people inside have been idiotic. The facts are usually more complicated.
Unmade Index: Another day, another dip
Yesterday was another (slight) down day on The Unmade Index of ASX-listed media and marketing companies, albeit less of a fall than the previous three. The index now sits at 640.6, 36% down for the year to date.
Tuesday’s big faller was The Market Herald. However the company is likely to see some fluctuations this week as the new shares it issued at a discounted price of 34c to buy Gumtree, Carsguide and Autotrader begin trading. I’ll be interviewing TMH’s CEO Jag Sanger in tomorrow’s podcast.
Time for me to run. I’ve a quick three day trip to Perth coming up. I’m easily manipulated by behavioural economics, and need to score 1650 Qantas points before Friday. Hit me up on email@example.com if you’re in WA and want to buy me a coffee.
Have a great day.