How brands like Orange downplay security breaches
The secret PR playbook to spin & win any cybersecurity incident
I hate writing this, because I don’t want to inspire more PR people to sweep rampant security breaches under the rug. But someone has to call out how organisations protect their brand over their users and how, unknowingly, traditional media helps them to deceive the people at risk.
Yesterday, I got an e-mail from Orange stating that I am one of the 850,000 Belgian users affected in a cybersecurity breach that happened a few weeks ago. I was pleased to see the e-mail contained a link to a press release and a landing page with more information, but my joy quickly turned into disgust when I noticed that the landing page is merely a PR statement that is here to deceive the media and their customers.
The deceptive communication is subtle - here’s a guide for everyone to spot it:
Sneaky communication tricks
Putting the focus on what did NOT happen: look at the (translated) breach notification below. Notice something?
The first statement in bold does not answer the question. For every breach, I could come up with a gazillion data points that did not get leaked. Then they go on and talk about a hacker that has gained access to a system containing the following data - notice that they make no direct connection between the hacker and the data (which was undoubtedly the actual target of the hacker, not the system containing data).
Ambiguous headlines: boring or deceptive headlines for e-mails and press releases to lower significance or even reframe the disclosure as a good thing. Let’s take a look at Orange’s headline:
There are two subtle tricks embedded into this headline:
Third-person perspective: because it’s written from a third-person perspective, it appears more neutral but is also easier for the press to pick up as-is, without tweaking it.
Focus on own action rather than important facts: the highlight is on the word informs, which carries a positive sentiment, followed by the vaguely worded “a cyberattack”, which could also point to a cyber attack at a different company. Knowing that Orange’s parent company also delivers cybersecurity services, this could even be read as a positive thing!
There’s always a lack of “evidence”: a top trick in the book is to talk about the lack of evidence that the data was leaked or sold at the time of the press release. It exploits the notion that customers trust companies to conduct fast and proper research, while this is actually not in their best interest. In this case, Orange tried to play the classic ‘no evidence’ trick at 12PM, conveniently when the press picked it up, only to remove the statement from the page again at 4:30PM. Luckily for you, but unluckily for them, the page has since been archived.
UPDATE: The next day at 12:05, they added the clause again.
No “evidence” at 12PM, deleted at 4:30PM. This is odd to say the least for official comms after an investigation of a breach that happened weeks ago. (translated screenshot, original here)
The PR dictionary: some interesting word choices / euphemisms from the communications:
Cyber attack instead of data breach: the first word helps to victimise the organisation, the latter can have serious regulatory consequences.
The hacker consulted (rather than stole): I know consultants charge criminal rates but we shouldn’t confuse them with real criminals.
Critical and sensitive: these self-defined words can mean anything. In this case, phone numbers, PUK and SIM card numbers (which could come in handy during SIM swapping attacks) are not defined as critical despite being extremely rare for hackers to get their hands on, whereas something more trivial/public such as an e-mail address is defined as critical. It’s a moving target: had e-mail addresses been included, an overzealous marketeer could redefine “critical” as “access to raw text message data and phone call logs”.
Justification for lack of transparency: as usual, the breached corporation refuses to provide more technical details to “ensure the integrity of the investigation and protect the privacy of those involved”.
Yeah - right. Your privacy matters so much to them that they won’t tell you how they failed to protect your private details. If I were cynical, I would think that the true reason they provide as little detail as possible is to avoid owning up to a mistake that could inspire a class-action suit.
No sorry, no crime: Orange informs its users how they can protect themselves against the mess that it created, but fails to acknowledge the inconvenience or risk it brings to its users.
For an organisation that publicly boasts that their “customer-centric approach has been a key pillar of Orange Belgium's success” [1], this seems to be a serious mismatch with their approach.
Or would they see a “we’re sorry this happened” as an admission of guilt for their own negligence?
The only thing missing on my bingo card is that they did not send out the press release on a Friday afternoon. But should I congratulate them for that?
As a society, we should not demand that companies be unhackable. Security breaches can happen to the best-protected. But I think it is our responsibility to call out organisations for being deceptive and deflecting responsibility onto their customers. Only by speaking up can we make the PR industry rethink its strategies and focus on honesty over deniability, but looking at how the traditional media picked up the press release without asking critical questions, it seems we still have a long way to go.
I will also take additional action: because Orange has shown that it cannot be trusted, I will file an official complaint with the responsible Data Protection Authority and demand full transparency as to what has really transpired and how our personal information was (mis)used.
If you want to hear about my progress or read my upcoming blog about another uncovered Belgian telecom disaster, then I encourage you to subscribe to my free newsletter:
Disclaimer: this article describes my personal views and opinions as an Orange customer and is unaffiliated with anyone or anything but myself.
[1] https://corporate.orange.be/en/news-medias/lead-future-offers-and-customer-experience-excellence
This is crazy; transparent communication about this should be required by law and penalized heavily if not followed.