T 3.107 Damage to reputation
Security incidents may result in the reputation of the entire organisation being damaged.
Various types of security incidents can have direct effects, such as disclosure of confidential data, manipulation of financial data or even interruption of business processes for extended periods. If security incidents become public, this can result in the reputation of the affected organisation being damaged. Depending on the type and effect of a security incident, this can undermine the trust of the public, partners and customers, but also of the employees of the affected organisation.
Damage to reputation can result not only from security incidents caused by force majeure or external attacks, but also from improper behaviour of employees, for example unsound activities on the Internet, the sending of chain e-mails, or security incidents resulting from ignorance or incorrect implementation of security rules (theft of a laptop with customer data, including credit card details and an overview of the orders of the past years).
Examples:
- An employee of a large company did not abide by the policies established by the organisation when using Internet services and repeatedly attracted negative attention in discussion groups due to an inappropriate tone. This provoked antipathy not only towards this person, but also towards the entire organisation, as the employee was perceived as a representative of the company because of the employee's electronic business card. As a result, the company became known as being presumptuous and not operating professionally. A special marketing campaign was required in order to restore the company's reputation.
- A field service employee lost a USB stick during a train journey without noticing. This stick contained an overview of all his orders of the past year including customer addresses, account details, and e-mail addresses. The data was not encrypted. The finder sold the data on the Internet. As a result, fraudulent debit transfers occurred with some customers. The subsequent police investigation revealed that these transfers were linked to the loss of the USB stick. This resulted in negative press reports and a major loss in confidence of partners and customers.
- In mid-December 2008, the chief editor of a big German newspaper received an anonymous parcel which contained confidential data of 130,000 customers of a bank. This included accounting statements of credit card customers, PINs for debit and credit cards, lists of cash flows, international debit transfers, and remittance transfers. The parcel also contained an invoice from a financial service company to the bank. The newspaper assumed that an insider wanted to raise awareness of the data protection problems and published corresponding reports. Other media took up the incident as a data scandal and pilloried the affected bank and the financial service company.
After one week, it was revealed that the real cause of the incident was two courier drivers who were feeling peckish. In addition to many other parcels, their delivery van contained a parcel with a Christmas cake intended to be a present for the chief editor. The courier drivers devoured the cake and subsequently tried to conceal this by sticking the corresponding address label on a different parcel. By chance, this was the parcel with the bank customer data. The courier drivers got a small penalty, but the damage to the bank's image was tremendous.