‘Brands face reputation risk over Heartbleed for not contacting users directly’

Brands implicated by the Heartbleed bug discovered earlier this week, which has left half a million sites vulnerable to leaking sensitive information about their users to hackers, are at risk from reputational damage by not communicating users directly to say they have been implicated.

Heartbleed logo
Internet companies have not moved fast enough to contact customers directly to address their concerns about the Heartbleed bug, experts say.

The impact of the software flaw has been described by the security community as “catastrophic”, with information previously thought as safe behind an OpenSSL encryption product – such as users’ passwords, banking details and private messages – all potentially open to hackers to steal.

It is understood that the true implications of the Heartbleed bug may only be discovered over the next two to three months when a company could be exposed for failing to fix the issue on their website or when it is revealed that hackers took advantage of leaks ahead of fixes.

Sites affected are understood to include Yahoo and its blogging site Tumblr, Facebook, Google, Dropbox, Soundcloud and OKCupid, among others.

All these brands have responded to comment requests from press about the problem and have said they have undertaken a fix, but the majority of those affected have not contacted users directly since Heartbleed was first revealed on Tuesday (8 April).

Tumblr is one of the few brands implicated to inform its users directly as to what they should do in order to protect themselves. On 8 April it penned a blog post telling users “this might be a good day to call in sick and take some time to change your passwords everywhere”, adding that it had found no evidence of a breach and took immediate action to fix the issue.

The importance of contacting users directly

Andrew Rose, principal analyst for Forrester’s security and risk practice, says brands that have not reacted rapidly to the Heartbleed bug by communicating consumers directly could face a “reputational challenge”.

He adds: “If I were one of those brands affected I would be trying to get it fixed as soon as possible. And write to users saying that you are looking at it [and explain the fact that] there is no way for the organisation to check if information has leaked.

“It’s Incident Management 101: to communicate with your users as much as possible and to be honest – but I’ve not yet had any brand contacting me saying they’re affected.”

One of the key drivers of reputation is openness and transparency, according to the Reputation Institute’s executive partner Kasper Ulf Nielsen, which he says internet companies caught up in the Heartbleed storm are currently not displaying.

He adds: “It seems many companies are not fully aware of what’s expected of them, saying that if we don’t talk about it, it’ll go away, but that’s the wrong strategy and these companies need to do a much better job of addressing it and building their reputations as a trusted partner as their product is also that they keep our information safe.”

Ulf Nielsen uses the analogy of the pharmaceutical industry, which would have a life or death imperative to inform customers if something went wrong, as an example of what internet companies must do now.

“Would a statement on TV do anything to help me as a user? No. To me it’s about engaging with users in a one to one conversation, which they’re not doing,” he adds.

Mixed messages

On the other hand, PRCA communications director Matt Cartmell, was sympathetic with the issues surrounding internet companies at this time. He added: “The complexity of the issue and its effect on users takes time to understand. Facebook seems to have responded well by announcing that it had added protections before the issue had even come to public light. Google likewise have been accurate and decisive, explaining which services were vulnerable and that they have been patched.”

Meanwhile, there have also been criticisms from the security community about the contradictory advice from firms such as Yahoo and media outlets like the BBC encouraging users to change their passwords now in an attempt to eliminate the risk of their details being compromised.

Mark Schloesser, security researcher at IT company Rapid7, told The Guardian he would advise users not to change passwords for a few days to ensure companies have made the necessary fixes.

The strength of the Heartbleed brand

Despite the criticisms levied at internet companies for a mixed communications approach, one marketing upside has been identified from the Heartbleed fall out: the Heartbleed brand itself, which was created by the member of Google’s security team and software firm Codenomicon who discovered the bug and went on to create a logo and the Heartbleed.com website.

Patrick McKenzie, founder of Kalzumeus Software, wrote in a blog post entitled ‘What HeartBleed Can Teach The OSS Community About Marketing’: “Heartbleed is much better marketed than typical for the OSS community, principally because it has a name, a logo, and a dedicated web presence.

”Unique names (and “Heartbleed” is unique, given that you’d be hard pressed to find any mention of it which predates the vulnerability) are useful for communicating shared concepts between people.”

To date none of the reputations of the internet brands associated with the Heartbleed flaw appear to have been negatively affected, according to data from YouGov’s Brand Index. Of those implicated, only Google’s reputation score has dropped (by 2.2 points to 28.5), according to the latest data from 9 April, compared with the week prior. But that could soon change if brands do not continue dialogue through the unclear or bad times, as well as the good times, according to Ulf Nielsen.