With this week’s news that Talk Talk CEO Dido Harding is leaving the firm, the biggest event in her career that comes immediately to mind is inevitably the company’s cyber attack crisis of 2015.

Sixteen months on, the disaster is probably not the reason she’s leaving – at least not directly or solely (although it’s interesting the firm’s share price went up on news of her exit). But it will, unfortunately for her, undoubtedly be most people’s lasting memory of her seven-year stint running the firm.

The company’s core problem, of course, was the cyber hacking itself. The third such attack to have hit the company in 12 months, it’s beyond doubt that Talk Talk didn’t have the right security in place, and for that Harding was surely responsible. The company’s share price fell 10% on news of the attack, and hasn’t yet recovered to pre-attack levels.

That aside, it’s interesting to look back at the effectiveness of Talk Talk’s – and Harding’s – crisis communications when the incident erupted.

Doing the right thing when disaster strikes and all eyes are upon you is always difficult, and I think Talk Talk’s response was a mixed bag.

A hugely positive point is they didn’t duck the issue. Harding took clear personal responsibility and gave numerous media interviews, including appearing on TV and radio.

She apologised in no uncertain terms, stressing that “protecting customers” was her top priority. She explained what practical measures customers should take to take to protect their security. She put the company’s problem in context of the “625,000 UK cyber crimes that occurred this summer alone”. She came across as human and sincere.

So often companies do the opposite – playing down the problem, shirking responsibility, avoiding an apology and showing no empathy. Over-zealous lawyers are frequently the culprit, advising corporate spokespeople to clam up to minimise any legal fall-out, with no thought for the company’s reputation (although bosses are to blame if they blindly follow such advice).

One of the most striking examples is Thomas Cook, as I’ve previously looked at here. The company’s leaders showed no care or responsibility when two children tragically died of a gas leak in one of its holiday properties. Its CEO only said he was “deeply sorry” a staggering nine years later, and only then when found responsible by an inquest.

Talk Talk responded a million times better than this.

But on the negative side for the company – and it’s rare that this happens – I think Harding was too forthcoming in her immediate communications.

The difficulty was that, in the hours that followed the attack, she didn’t have a great deal of information to go on. Harding was clearly deeply concerned and afraid of the worst, but she shouldn’t have said quite so much to reveal this before she knew more.

In any time of crisis, people need to see leaders take the situation firmly under control and instil calmness and confidence. Harding made herself visible and available but, in many ways, dramatised the issue, appearing to radiate not only a sense of proper concern but a feeling of panic.

She dramatically described the incident as “a significant and sustained attack” and talked on TV – with a poor choice of language – about her “fear” about what had happened.

She talked of customers’ “bank account details being stolen, which is what has happened”- before she knew that for sure.

She confessed “the awful truth is I don’t know” whether the data was encrypted.

She volunteered details about ransom demands from the supposed perpetrators before she knew if they were genuine.

The impression she gave – or at the very least allowed to emerge – was that all 4 million customers’ bank details were likely stolen, that the company had no grip on the situation and that it was a large-scale plot by organised criminals or terrorists.

In fact, it emerged shortly after, fewer than 1.2 million customers were affected, no bank accounts were at risk and the culprits were a bunch of teenagers who were “just showing off”.

So, Harding’s proactivity, honesty and humility were admirable and a breath of fresh air when company leaders too often duck responsibility. But, as far as Talk Talk’s reputation is concerned, she probably said too much too soon.

She could have been every bit as proactive, empathetic and responsible; yet stuck more calmly to the facts until she found out more.


See more on our crisis communications services. And click here to register for our blog posts and news.