BofA's Site Outage: PR Nightmare
Organizations Must Communicate to Keep Hack Rumors at BayI honestly felt a little sorry for Bank of America this week, as rumors of security breaches and cyberattacks continued to cycle. [See Bank of America Site Not Hacked.]
Problems with BofA's website surfaced last Friday, and for the next five days the bank struggled to keep at bay assumptions about what was causing the online hiccups.
Initially, $2.36 trillion BofA posted a message on its homepage, saying its online banking site was temporary unavailable. By Monday morning, the online snafus appeared to have been resolved, only to crop back up later that day. BofA blamed the sporadic site problems on an internal, back-end issue, one unrelated to any online breaches or attacks.
By Tuesday, the BofA website appeared to be functioning normally. And the bank again reiterated that the temporary outages it had suffered were linked to internal upgrades, not a hack.
But that did not seem to sway assumptions about a possible breach.
The timing of the online outage was questionable, coming just one day after BofA announced plans to start charging customers fees for debit-card purchases.
Some industry pundits suggested a denial of service attack could have been launched on BofA, a hacktivist group's reaction to the new debit fees. And speculation in the blogosphere and via popular social media outlets was not any less reactionary.
It's all just a reflection of the day and age we live in: When things go awry in cyberspace, our first notion is to assume some hacker or breach must be to blame.
"I think that's a natural assumption," says Gartner analyst Avivah Litan. "For hackers, BofA is at the top of the list, so it's natural to think it's a security glitch."
We assume the worst.
But not all online issues are the result of breaches or hacks. Websites do go down. It happens to businesses and organizations every day. It's just that when you're as big as Bank of America, everyone takes notice.
So how can organizations respond in a way that explains what happened without fueling suspicion?
It's a public relations challenge, one that requires established corporate culture to change.
The problem with proactive actions, says Andy Greenawalt, CEO and founder of Continuity Control, a New Haven, Conn.-based provider of web-based software for financial institutions, is that organizations don't want to instill panic in users who have not taken notice. But by not offering some public explanation to those users who do take notice, they run the risk of what BofA faced - a tidal wave of suspicion, which, in the end, takes more PR muscle to manage than being proactive in the first place.
"Organizations have to realize they must be hyper-transparent," Greenawalt says. "The old culture is, 'We're going to figure out what happened and then tell you.' But that's not the way things work anymore. You see these Web companies like Amazon that respond really fast, just to say there's an issue and they're addressing it. Big corporations like BofA are not used to doing that. But it's that kind of transparency that keeps some of these kinds of rumors at bay."
The difference lies in the communications cultures between corporations and younger, more tech-savvy companies.
In the end, I don't believe BofA was hacked. I think the bank is telling the truth. The online glitches were most likely linked to something internal or some interdependency with another online provider. But BofA, like so many other large corporations, could have handled its PR campaign a little differently.
"What they should have done is just said, 'Our online site is down or is running slow, but our ATMs and branches are alive and well,'" says Gartner's Litan. "It could have been an easy and truthful way to respond."
Perhaps we all can view the BofA outage as a reason to revamp communications strategies. It doesn't have to be complex, but it does have to be fast, proactive and transparent.