Sony, Adobe, Home Depot, eBay, Blue Cross — what do they all have in common? Not just that they are extremely successful companies but that they have all experienced a major data breach.

Sometime between April 17 and April 19, 2011, a group of hackers gained privileged access to the Sony PlayStation Network (PSN). Within a matter of hours, the hackers had gained access to the usernames, passwords, real names, addresses and credit card details of some 77 million PSN users. Like all breaches, this one was unexpected. Unlike other breaches, this one was unprecedented in its scale and extent. In the largest data breach of its time, PSN administrators rushed to shut down the global network, but significant damage had already been done. Around the world, frustrated, confused and worried users wanted answers.

The story that played out on the Sony PlayStation Network is familiar to many organisations around the world. Data breaches can have significant reputational and financial consequences for both customers and the breached organisation, and are among the most financially damaging cybercrimes.

A data breach exposes a company’s customers to outside parties, and gives a criminal ready access to verified, live identities and financial information. Following a breach, customers may become dissatisfied with the company’s services, they may decide not to purchase from that company again, may decide to discontinue their service use altogether.

Most prior research into data breaches was conceptual, focusing on the privacy and legal implications of data breaches. Other work examined stock market reactions to data breach announcements. Retrospective case studies were also common. The enduring question for many firms is, how should affected customers be compensated for a data breach so as to maintain perceptions of service quality?

We delved into prior service failure research for answers. Service failure is an important problem, and has been studied in a variety of contexts and settings (such as restaurants, airlines, hotels and health providers). An apology – we’re sorry we did this, we’re sorry this happened to you, or we’re sorry you’re angry – is the most common and least expensive action that firms usually take following a service failure.

However, although an apology might work in the case of a disappointing dessert at a restaurant, or a long wait at a bank, it may not be enough when there is a deeper sense of loss. Compensation, such as a free meal or a larger hotel room, can have a stronger effect on customer sentiment. Likewise, providing up to $10,000 USD for overbooked flights helps airlines to restore or at least ameliorate the negative impacts of service failures.

To understand how firms can use customer compensation to mitigate the negative consequences of data breaches, we captured reactions from customers who were affected by Sony’s data breach. Once the Sony breach hit, we acted quickly. We used an online survey to gauge the compensation expectations of some 500 Sony PSN customers. Then, about seven weeks later, once Sony had announced a compensation package, we surveyed these same customers once again to determine their experiences regarding compensation effectiveness.

Curiously, we found that compensation is not linear: overcompensation can make the company appear insincere. We realised that a customer’s perception of compensation is affected by the gap between what they are expecting as compensation, and what they actually receive. If their compensation expectations exceed their experience, they are likely to be dissatisfied. In contrast, if the compensation received matches their expectations, customers will feel better about the service failure and may look more positively on the affected company. This illustrates that “throwing money at the problem” does not necessarily work in a data breach context and it is critical to understand customers’ expectations. Based on our findings, we recommend that firms discover customers’ expectations prior to a data breach because it is likely to be useful in managing customer sentiment when hackers gain access to the company’s databases.

In the weeks that followed the Sony breach, which Sony estimated cost them over $171 million, there was much speculation about who was responsible and how they did it. Some say that Anonymous, the hacking group, was behind a massive denial of service (DOS) attack that revealed weaknesses in the network’s defences. Others blamed a vulnerability in the PlayStation Network’s encryption process that allowed easy access to the customer database. Amid intense political and legal scrutiny, Sony issued an apology to affected users. As compensation for the breach, Sony provided all users with a selection of free games and access to premium network content. Today, the Sony PSN is home to over one hundred million users.

♣♣♣

Notes:


Sigi Goode is an Associate Professor in the Research School of Management at the Australian National University. He has fifteen years managing and designing online information platforms. He has published papers in leading academic journals. His research interests lie in technology adoption, policy and use, security behaviour, and open source software. Dr. Goode was awarded the ANU Vice-Chancellor’s Award for Excellence in Education in 2005, and a Carrick Institute National Award for Teaching Excellence in 2006. He sits on the editorial board of Information & Management.

Hartmut Hoehle is an Assistant Professor of Information Systems at the University of Arkansas’ Walton College of Business. He received a PhD in Information Systems from Victoria University of Wellington, New Zealand. He was previously a lecturer at the School of Accounting and Business Information Systems, Australian National University. Stemming from his professional experiences gained while working at Deutsche Bank, he is particularly interested in how services and products can be distributed through electronically mediated channels in a retail context. His work has appeared in leading academic journals. His teaching experience has occurred at both undergraduate and postgraduate levels and he has taught courses in Accounting Information Systems, Electronic Commerce, Management of Information Technology and Emerging Business Technologies.

Viswanath Venkatesh is Distinguished Professor and George & Boyce Billingsley Endowed Chair in Information Systems at the Walton College of Business, University of Arkansas. He is involved with a number of organisations, advising them on their strategic directions. He has traveled across the globe and presented to the academic and business community.

 

Susan A. Brown is McClelland Professor of Management Information Systems (MIS) and head of the MIS department at the University of Arizona. Her areas of expertise are: implementation, adoption, and diffusion of information technology; computer-supported communication; knowledge-based systems and knowledge management; and e-learning.