Incident Response Matters
When the social media management and sharing site Buffer was hacked over the weekend, it seemed like yet another embarrassing hack. "The incursion is no doubt a major black-eye for the upstart Buffer," wrote David Berlind at Programmable Web. "[Buffer CEO Joel] Gascoigne has entered the dreaded damage-control zone that no start-up CEO wants to be a part of."
CSO — Mon, October 28, 2013
I think David's post is an absolutely excellent overview of some of the realities and politics faced by developers when dealing with Twitter and Facebook (and by extension, other API providers), and I also think that his post accurately summed up the general risks faced by Buffer and Gascoigne.
I am going to disagree, though, that it was necessarily a black eye.
In this incident, Buffer showed that its concept of "radical transparency" -- the concept and strategy that leads to the firm placing its revenues and other key metrics online, for all to see -- has made the company look sensational.
Obviously, the reports and post-incident audit results aren't in yet, and we could yet find out that Buffer did something really stupid. Its statement of, "We've increased security for how to store Twitter tokens and deployed a fix," goes directly to my Raised Eyebrows Department. Last night I asked for a clarification from Buffer and got back (understandably, since they were hip-deep in the ca-ca) a, "We will get back to you," Tweet.
But even if the firm did something monumentally stupid, it's not necessarily a death-knell. People forgive even monumental stupidity if properly and genuinely apologized for.
In fact, even more serious breaches don't always make the company lose momentum, customers or shareholders. Consider the case of TJX, which discovered in January 2007 that it had been breached for years, lost millions of customer credit card records, and was in violation of laws and industry rules. TJX had done so many things wrong in so many different areas of its IT that it is frankly amazing to me that they ever managed to scrape together the brain cells required to get good deals on Roberta Gandolfi anything.
The company's stock price took an initial hit of about a dollar a share but soon recovered, and over the next year -- in the face of disclosure after embarrassing disclosure -- the stock price rallied and steadily rose.
TJX had managed to demonstrate two things: first, that it was reasonably working to understand and solve the problem, and second, that its customers loved it. Even so, I believe that Buffer's handling of this incident indicated that the company not only dodged a bullet, but may well emerge stronger for it. And they did it without being weasels.