Dixons’ Data Debacle
How a new CEO needs to respond to an ugly cyberattack
There's a downside to the kitchen-sink strategy.
Two weeks ago, Dixons Carphone Plc's new CEO, Alex Baldock, issued a profit warning and blamed his predecessor, the ebullient Sebastian James, for taking his eye off the ball.
Fast forward to Wednesday and Baldock revealed a cyberattack that has hit almost 6 million payment cards. About 1.2 million records containing non-financial data, such as names, addresses and emails, have also been accessed. The retailer's stock, already 15 percent down since the profit warning, fell as much as 6 percent more on Wednesday.
It's easy to see why any new CEO would want to paint the situation at the company they arrive at in as bleak a light as possible. By talking expectations down early, there's scope to exceed them later, boosting the share price and potential payouts under any long-term incentive plans.
Trouble is, the strategy leaves companies even more vulnerable to just the type of unexpected blowup that Dixons Carphone has revealed. If investors were nervous before Wednesday's announcement, they have all the more reason to be so now.
Dixons said the attack started in July, but the company only determined what was going on in the last week.
Baldock, who took up his role on April 3, could argue that the fault again lies with the previous management for failing to invest adequately in cyber defenses. After all, the Carphone Warehouse business was fined 400,000 pounds ($533 million) over a cyberattack in 2015.
But he should be careful in laying more blame on his predecessor. After all, James was popular internally. A crucial part of leading any retailer is galvanizing thousands of employees.
What's more, it is Baldock who will be judged on the response to this incident. So far, he is playing it by the book, issuing a lengthy mea culpa and promising to triple spending on cyber security.
More explanation of what happened, and why it took so long to get a handle on it, needs to follow -- and the company's story needs to be consistent.
Reassuring both investors and customers will be crucial. TalkTalk Telecom Group Plc, the subject of a cyberattack in 2015, lost customers and market value, and was hit by a 400,000-pound fine. CEO Dido Harding stepped down less than two years later after fumbling her response to the breach.
The stakes have since been ratcheted up by the European Union's General Data Protection Regulation, which stipulates that personally identifiable data can only be retained if a company has an individual's consent -- on penalty of as much as 4 percent of global sales. There are also strict rules requiring data breaches to be revealed within 72 hours.
The attack comes at a particularly delicate time for a retailer like Dixons Carphone. British consumers are still nervous about spending, and don't need any excuse to desert the company for the likes of Amazon.com Inc.
How Baldock contains this crisis will determine how he will be judged -- never mind his predecessors.
--With assistance from Alex Webb.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.