Data Breach: Sella Bank


It has now been a few days since the Banca Sella data breach, and it is time to make a few remarks about what happened, outside of any controversy but with the desire to understand any mistakes made and learn from them.

What happened

  • 05/04/2024: start of disruptions
  • 08/04/2024: release of initial communiqué
  • 10/04/2024: release of second communiqué
  • 11/04/2024: finalisation of communiqué
  • 12/04/2024: closure of the data breach

In recent days, Banca Sella has suffered a data breach of internal origin and of a culpable (not malicious) nature. One of its computer systems, while undergoing an update, returned an error, and this caused errors and problems in its online services. The problems soon spread to customers, forcing the bank to make a series of public announcements that were the subject of much criticism.

Banca Sella's communication about the incident on X (formerly Twitter) began on Monday 08/04/2024 at 17:17; the immediately preceding message, dated 29/04/2024, concerned artificial intelligence. Only from that point did the bank begin publicly addressing customers on the platform.

Main problems in communication

Concerning the beginning of inefficiencies

Some customers, however, reply that the ‘slowdowns’ in the use of services started to occur much earlier: on Friday, 5 April 2024. One user writes clearly on this subject:

It is not because of the weekend updates: the site has been down since Friday afternoon before 4pm.

Tweeted by S.C. on 10/04/2024 23:59

Misreporting when the disruption began is the first communication problem: the inability to correctly identify the start of the problems is read as a lack of professionalism. If I fail to identify problems within my infrastructure, it becomes difficult to solve them or, at the very least, to deal competently with customers.

The question on slowdowns

From the outset, Banca Sella claimed that the problems had caused ‘slowdowns’ in the system. A slowdown, by definition, slows the use or execution of a service that nevertheless remains operational and available to users; for the customers of a bank this distinction is essential.

The problem, according to the users, was that the slowdowns were not slowdowns but actual ‘blockages’ in the use of the service. One user, for example, writes:

The ‘slowdowns’ are the total inability to access accounts, make and receive payments, use the app. Business and personal operations totally blocked. Tell us clearly what is happening and when you will solve it, we need to use our money.

User Tweet: V.G. of 10/04/2024 1:21 pm

The experience of the users was not that of a slowdown, but of a blocking event, which is quite a different matter and which caused a lot of ire in the community of Banca Sella customers. Messages like that of user V.G. are many. Another example is:

What definition do you have of ‘slowdowns’? The site doesn’t let you in regardless. Withdrawals out of order. Card or phone payments don’t go. Online transactions blocked. Don’t you have a trivial ‘rollback’ procedure when you make catastrophic updates over the weekend?

User Tweet: W.R. of 08/04/2024 6:46 pm

One could go on with other messages, but the purpose is not to ‘make controversy’ about an IT incident, but to note how a banking institution’s communication states one thing (the presence of ‘slowdowns’), while users claim for days another thing (the presence of ‘blocking’ problems).

Subsequent notices

From 10/04/2024, Banca Sella began a new phase of communication, with increasingly precise and timely information. More details about the technical problem started to appear: for example, customers were told of Oracle’s involvement in resolving the disruption, and a dedicated page to keep users informed was announced. In short, it was clear to everyone that Banca Sella had become more reactive and precise in its communications. Reactivity and precision that came after days that were decidedly problematic for customers.

Too many days. I had to make trades. At the very least you should think about a form of compensation, even if only 0 commission for a few trades. What is happening is really unacceptable in terms of timing… I am considering closing the account.

User Tweet: S. of 11/04/2024 11:07 am

But also much more heated comments such as the one below:

You are from jail. I pass everything on to revolut and thank you and goodbye (to never again).

User Tweet: S.F. of 10/04/2024 16:33

In short, customers arrived exasperated by the bank’s problems and communication, which, according to many of them, was deemed totally ineffective or even disrespectful.

Some tweets appeared on X

Communicating a crisis

On this site, on 19 July 2019, an article called “Managing the Communication of a Data Breach” was published. The article addresses how the communication of a data breach must be carried out, setting out precise rules that originate from crisis communication.

https://www.edoardolimone.com/2019/07/19/data-brech

The communication of an incident cannot be opaque or imprecise: in the case of Banca Sella, it cannot confuse a slowdown with a blockage. Nor can it afford, for days, to repeat the same communication announcement when users do not find it satisfactory and clamour for more clarification.

Above all, the communication of an incident must be timely, clear and transparent.

From a technical point of view, among other things, blocking problems have a very different weight, relevance and method of treatment from a slowdown, which, basically, does not prevent the use of the service but only makes it more difficult.
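The distinction the article draws (a slowdown leaves the service usable, a blockage does not) and its earlier point about pinpointing when the disruption actually began are both things a service owner can establish from its own monitoring rather than from customer tweets. The following is an added example, not code from the article or from Banca Sella: it reads a constructed synthetic probe log (timestamp, HTTP status or TIMEOUT, latency in milliseconds, endpoint), groups probes into 15-minute windows, classifies each window as ok, degraded (a slowdown: requests complete but slowly, or a small share fail) or outage (a blockage: most requests fail), and reports the first non-ok window as the onset. The log format, thresholds and window size are assumptions chosen for illustration.

```python
"""Classify synthetic service-probe logs per time window as 'ok', 'degraded'
(slowdown) or 'outage' (blockage), and report when problems first began.

Constructed example for illustration only; the log format, the thresholds
and the sample data are assumptions, not anyone's real telemetry.
"""
from dataclasses import dataclass
from datetime import datetime
from math import ceil
from typing import Dict, List, Optional

# Constructed sample lines: "<ISO timestamp> <HTTP status|TIMEOUT> <latency_ms> <endpoint>"
# 15:30 window: healthy; 15:45 window: slow with one 503; 16:00 window: nothing completes.
SAMPLE_LOG = """
2024-04-05T15:30:05 200 180 /login
2024-04-05T15:33:10 200 210 /balance
2024-04-05T15:36:41 200 190 /login
2024-04-05T15:39:02 200 230 /transfer
2024-04-05T15:45:12 200 2600 /login
2024-04-05T15:48:37 200 3100 /balance
2024-04-05T15:51:09 503 2900 /login
2024-04-05T15:54:55 200 2700 /transfer
2024-04-05T16:00:20 TIMEOUT 10000 /login
2024-04-05T16:03:44 503 40 /balance
2024-04-05T16:07:01 TIMEOUT 10000 /login
2024-04-05T16:10:30 503 35 /transfer
"""


@dataclass(frozen=True)
class Probe:
    ts: datetime
    status: Optional[int]  # HTTP status code, or None when the probe timed out
    latency_ms: int
    endpoint: str

    @property
    def failed(self) -> bool:
        # A timeout or a 5xx response means the request did not complete successfully.
        return self.status is None or self.status >= 500


@dataclass(frozen=True)
class WindowStatus:
    start: datetime
    status: str       # "ok" | "degraded" | "outage"
    error_rate: float
    p95_ms: int
    samples: int


def parse_log(text: str) -> List[Probe]:
    probes = []
    for line in text.strip().splitlines():
        ts, status, latency, endpoint = line.split()
        probes.append(Probe(
            ts=datetime.fromisoformat(ts),
            status=None if status == "TIMEOUT" else int(status),
            latency_ms=int(latency),
            endpoint=endpoint,
        ))
    return probes


def percentile(values: List[int], pct: float) -> int:
    """Nearest-rank percentile: never extrapolates beyond the observed maximum,
    which matters for the small samples a single window contains."""
    ordered = sorted(values)
    idx = max(0, ceil(pct / 100 * len(ordered)) - 1)
    return ordered[idx]


def classify_window(probes: List[Probe], slow_ms: int = 2000,
                    degraded_err: float = 0.05, outage_err: float = 0.5) -> str:
    """Assumed thresholds: >=50% failures is an outage (blockage); >=5% failures
    or p95 latency above 2 s is degradation (slowdown); otherwise ok."""
    err_rate = sum(p.failed for p in probes) / len(probes)
    p95 = percentile([p.latency_ms for p in probes], 95)
    if err_rate >= outage_err:
        return "outage"
    if err_rate >= degraded_err or p95 > slow_ms:
        return "degraded"
    return "ok"


def window_start(ts: datetime, minutes: int) -> datetime:
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def timeline(probes: List[Probe], window_minutes: int = 15, **thresholds) -> List[WindowStatus]:
    buckets: Dict[datetime, List[Probe]] = {}
    for p in probes:
        buckets.setdefault(window_start(p.ts, window_minutes), []).append(p)
    out = []
    for start in sorted(buckets):
        group = buckets[start]
        out.append(WindowStatus(
            start=start,
            status=classify_window(group, **thresholds),
            error_rate=round(sum(p.failed for p in group) / len(group), 2),
            p95_ms=percentile([p.latency_ms for p in group], 95),
            samples=len(group),
        ))
    return out


def first_onset(statuses: List[WindowStatus]) -> Optional[WindowStatus]:
    """First window that is not 'ok': the evidence-based 'start of disruptions'."""
    return next((w for w in statuses if w.status != "ok"), None)


if __name__ == "__main__":
    windows = timeline(parse_log(SAMPLE_LOG))
    for w in windows:
        print(f"{w.start:%Y-%m-%d %H:%M}  {w.status:<8} err={w.error_rate:.0%} "
              f"p95={w.p95_ms}ms n={w.samples}")
    onset = first_onset(windows)
    print("first onset:", onset.start.isoformat() if onset else "none")
```

On the constructed data the 15:45 window is reported as degraded and the 16:00 window as an outage, so a status page driven by this logic would say "blockage" rather than "slowdown" from 16:00 on, and would date the onset to 15:45 rather than to whenever the first customer complaint arrived.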

A note on user behaviour

But why must crisis communication follow these rules of transparency? Essentially for two reasons: the first is that it is owed to customers. The second is that not all users react to an incident in the same way. Banca Sella must be given credit for having had to handle a truly critical situation that, for the most part, customers did not (and could not be expected to) understand technically. It is a situation no technician would want to find himself in, and Oracle’s involvement shows the complexity of the technical scenario to be managed.

Therefore, although their frustration at the disruption was entirely justified, customers never had the technical expertise to recognise the complexity of the scenario. Clearly this is not meant to place ‘blame’ or responsibility on users and customers, but only to point out that it is also for this reason that the communication of a data breach must be timely, clear and transparent: to prevent further complications from arising from the customers themselves.

Conclusions

The incident that occurred at Banca Sella has highlighted considerable inefficiency and ineffectiveness in communicating with users; it is certainly something to learn from and take to heart. It is, however, part of a broader context in which many entities affected by data breaches prefer to keep communicating in an opaque manner, often playing down the incident or, at the very least, not immediately providing the elements of clarity needed to calm tempers.

Was it so difficult, from day one of the disruption, to specify that the data breach was culpable and not malicious; to provide the information about the conflict in the software being updated; and to make it clear from the outset that the timeframe would be long and that the bank would provide reimbursement?

This would not have solved the problem, certainly not, but it would certainly have resulted in two things:

  1. effective demonstration of respect for customers, who would be treated in a transparent and clear manner.
  2. less grievance on the part of users against the credit institution.

Notifying a data breach is part of the IT incident management phase: a phase subject to inspection, evaluation and, in the event, action by the Supervisory Authority.