Cyber Attacks and Media Flak

What To Expect From the Media During a Cyber Incident

Australia has been contending with a massive coordinated cyber attack¹ against its AUD 4.2 trillion superannuation sector.² Thousands of member accounts across the country’s largest retirement funds were hacked, putting at risk personal information and hundreds of thousands of dollars in lifetime savings.³

While this event plays out in the media, you’ll notice that companies that have previously fallen victim to cyber threat actors, will continue to be name-checked in articles. This is not just because journalists like to dredge up the most memorable local large-scale cyber attacks in their reporting, or because millions of Australians were impacted, but also because the fallout from those events is ongoing.

The reality is that significant events like this play out over years, not weeks because investigations into cyber incidents can take months, especially if it’s a data breach involving large amounts of unstructured data. Then there is the notification process that needs to be followed methodically, and finally, any ensuing legal or regulatory action.⁴

Throughout all of this, the media is always looking for the next development, the next angle.

Preparedness is critical in navigating any crisis. Every company’s cyber incident response plan should include an understanding of the typical milestones, likely media interest, and potential for long-term reputational impact.

Cyber Incident Media Milestones

Several moments during the lifetime of a cyber incident may garner increased media attention, depending on the scale of the incident, severity of impact, and profile of the company. These inflection points can be weeks or even months apart.

Initial incident response: These milestones include when the incident is detected and reported, along with any operational impacts the company experiences, such as system outages, production or service delays.

Threat actor escalations: The threat actor may attempt to increase attention on the event by posting claims online or on the dark web, leaking data, or contacting stakeholders such as customers, staff, partners, and investors.

Operational recovery: The resolution of any operational impacts will be a key milestone for stakeholders, particularly if there was a significant disruption to a critical customer system or service.

Regulatory notifications: Regulators in relevant jurisdictions must be notified about data impact – this includes all locations where individuals (i.e. customers, staff) have been impacted. In Australia, the Office of the Australian Information Commissioner (“OAIC”) must be informed under the Notifiable Data Breaches scheme and the company must make a public statement.⁵

Individual notifications: If required by local laws and regulations, the company must send data impact notifications to all impacted individuals. In Australia, entities are required to notify individuals about data breaches that are likely to result in serious harm.⁶These letters have the potential to be leaked to media.

Legal and regulatory action: Individuals and regulators can take action against the business following an incident. These actions, commonly representative complaints and civil penalty proceedings in Australia, have their own media milestones and can take years to unfold.⁷

Reputation rebuild: Once the main inflection points have passed, impacted companies will usually undertake a proactive campaign to secure favourable media coverage that helps to repair the company’s reputation and ensure long-term customer loyalty.

The Well-Trodden Cyber Incident Pathway

While every cyber incident is unique, they tend to follow a predictable trajectory in the news and on social media.

Internationally, these stories often break in global cyber industry publications such as Bleeping Computer, The Record, or Krebs on Security. In Australia, one of our national or metro mastheads will typically break the news if it impacts a significant organisation.

Cyber-focused trade publications will follow with in-depth articles dissecting the technical details of the incident, while cyber influencers and commentators will drive social chatter.

Other outlets will leverage trade and social reporting to cover the story, reporting on key developments and focusing on the real-world impacts that matter to their audiences.

Throughout, dark web monitoring accounts will post updates on social media, reporting news such as a threat actor claiming responsibility for an attack, publishing screenshots of stolen data up for sale or ransom, or publishing the data itself.

As initial coverage subsides, key publications will continue to share updates on the investigation as new information or developments come to light.

How Different Types of Media Outlets Cover Cyber Incidents

While a cyber incident response strategy should ensure all outlets and reporters receive the same narrative and set of facts, different elements of a cyber incident will be of interest to different audiences.

Top tier media: National and international top-tier outlets will cover cyber incidents with a focus on operational and customer impacts. These outlets are likely to source information from the impacted company as well as from customers via social media, and even insider sources.

Local media: Local media will cover cyber incidents that have a direct operational in their communities for the duration of any disruption to customer experience. These outlets are unlikely to have experienced cyber reporters and will therefore be less familiar with the nuances of a cyber incident.

Cyber media: Cybersecurity industry outlets will cover every major stage of an incident and ask questions about technical details such as root cause, recovery and data impact. These outlets will source information from the dark web and industry commentators, and even directly from the threat actor.

Industry media: Media focused on the company’s sector will cover the incident in detail with emphasis on operational disruption, the company’s response and implications for the broader industry. These outlets will use existing connections to source information and while they may be less familiar with the nuances of a cyber incident, will cover the incident in depth for its full duration.

Communicating in a Cyber Crisis

Communications teams should consider the following when responding to a cyber incident:

Anticipate: Understand the typical milestones of a cyber event and the expected media interest around them. Prepare robust key messages and be ready for media interest at each of the inflection points.
Consolidate: Don’t get ahead of the facts – there will be plenty of media moments, so try not to feed the machine unnecessarily. You don’t want to have to walk back statements or stakeholder assurances.
Respond: Remember that you can’t always control the narrative. Journalists, particularly those from cyber trades, can get information directly from the threat actor. It’s possible that intel around ransom negotiations, payment, and other details that would otherwise be protected, could be leaked.

Learn more about FTI Consulting’s specialised global cybersecurity and data privacy communications practice, and how we can help develop and test your crisis and cyber communications plan here.

Footnotes:

1: Daniel Croft, “Hackers target Aussie pensioners in major super fund cyber attack”, Cyber Daily (4 April 2025).

2: “Super Statistics”, The Association of Superannuation Funds of Australia.

3: Blair Jackson, “Mass superannuation cyber attack ‘overdue, inevitable’, expert says after Aussie funds targeted”, news.com.au (5 April 2025).

4: Christine Wong Emily Coghlan Heather Kelly Melody Webb Kenneth Tan and Christina Knezevich, “Navigating cyber incidents: Strategies and best practices for effective data breach investigations”, Herbert Smith Freehills (24 February 2025).

5: “About the Notifiable Data Breaches scheme”, Office of the Australian Information Commissioner.

6: “Part 3: Responding to data breaches – four key steps”, Office of the Australian Information Commissioner.

7: Christine Wong Emily Coghlan Heather Kelly Melody Webb Kenneth Tan and Christina Knezevich, “Navigating cyber incidents: Strategies and best practices for effective data breach investigations”, Herbert Smith Freehills (24 February 2025).