I think it's fair to say it's been a rough few weeks for T-Mobile's CEO, Mike Sievert. After a massive data breach resulted in a hacker stealing the personal information of more than 50 million people, the company has been in damage control mode.
I've written about the company's response, specifically why I think it has been lacking in terms of providing useful information to affected individuals. The company sent text messages to users that--in many cases--led to more confusion.
Then, employees at its retail stores had little information and weren't able to help customers identify what information might have been compromised. Even worse, in some cases, they downplayed the severity of the breach, comparing it to "kids just messing around."
Even though I'm willing to give T-Mobile the benefit of the doubt that the company does care about its customers, the way it responded over the past two weeks has left a lot to be desired. I'm sure the company has been scrambling to figure out how to fix the vulnerability that led to the breach, but everything about its response was a lesson in how not to handle a crisis.
Now, however, Sievert has published an update on the company's website:
The last two weeks have been humbling for all of us at T-Mobile as we have worked tirelessly to navigate a malicious cyberattack on our systems. Now with the breach having been contained and our investigation substantially complete, I wanted to take a moment to provide an update and some perspective on where things stand, what we have been doing to take care of impacted people, and the measures we are taking to better protect consumers from future incidents like this.
My first reaction is that this is the type of response the company should have had from the beginning. Instead of adding to the confusion, the company should have immediately communicated that it understood the severity of the problem, apologized that it let customers down, and set out its plan to mitigate against further problems in the future. That goes for both its customers and its data management practices.
There is, however, one word from that paragraph that sticks out the most, and it's a powerful lesson for every leader. Sievert describes the breach--and its aftermath--as "humbling." As it should be.
T-Mobile let down more than 50 million people who had put their trust in the company. Those people trusted that, when they handed over their personal information, T-Mobile would keep it safe--that it would do everything it could to prevent attackers from gaining access to it.
In an interview with The Wall Street Journal, a 21-year old man identified himself as the person responsible for the attack, and claimed that "he managed to pierce T-Mobile's defenses after discovering in July an unprotected router exposed on the internet."
"Their security is awful," he said. Considering that this is the third data breach in the past two years, that seems like a fair assessment. That doesn't excuse the fact that the attacker engaged in criminal conduct, but it is just as much an indictment of the country's second-largest wireless carrier.
"We spend lots of time and effort to try to stay a step ahead of them, but we didn't live up to the expectations we have for ourselves to protect our customers," Sievert wrote. "Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry."
As a leader, a little humility goes a long way. Recognizing that the company failed to live up to expectations, and apologizing for that is a good place to start.
That's especially true considering the thing the company needs to do most is win back its customers' trust. Admitting when you're wrong and explaining how you plan to make it right, goes a long way towards that goal.