Analysis: Will Clubhouse's recent breach throw a wrench in its momentum?

Clubhouse has been gaining steam over the past few weeks, growing from 3.5 million global downloads on 1 February to 8.1 million by 16 February, according to App Annie. App Annie said Clubhouse exceeded 2.6 million downloads in the US alone this month as a result of appearances from renowned individuals such as Facebook CEO Mark Zuckerberg and Tesla CEO Elon Musk. While the app is currently on an uptake high, a recent breach saw an individual temporarily stream multiple rooms from their own feed to a website.

Clubhouse's spokesperson told MARKETING-INTERACTIVE in a statement that recording or streaming without the explicit permission of the speakers is against the Clubhouse terms of service. "This individual's account has been permanently banned from the service and we have added additional safeguards to prevent people from doing this in the future," the spokesperson said but declined to comment on the specifics of the safeguards. 

More than a week ago, Clubhouse said it is reviewing its data protection practices following a Stanford Internet Observatory report saying that the app has security flaws that "left users' data vulnerable to access by the Chinese government". Some users reportedly found a loophole to download the app despite it being banned in China. Reuters said this meant that the conversations they participated in could be transmitted via Chinese servers.

While multiple media outlets have reported it as a breach, BBC quoted chief technology officer David Thiel of Stanford University's Internet Observatory programme as saying that "the data spill was not malicious or a hack". Instead, it had more to do with a user violating Clubhouse's terms of service. BBC also quoted Australian cybersecurity researcher Robert Potter, who explained the difference between a "data spillage" and a "data breach", saying that the latter is "deliberate" and typically executed by an individual "hacking into a system to steal data".

On the other hand, a data spillage occurs when "confidential information is released into an environment that is not authorised to have access to the information", BBC said. Potter was reported to have built The Washington Post's cybersecurity operations centre.

According to a report titled "2020 Year End Data Breach QuickView" by cybersecurity firm Risk Based Security (RBS), there were 3,932 publicly reported data breaches in 2020, compromising over 37 billion records. While the number of publicly reported breach events decreased by 48% compared to 2019, RBS said the total number of records compromised increased by 141% and was by far the most records exposed in a single year. The report added that five breaches each exposed one billion or more records and another 18 breaches exposed between 100 million and one billion records. RBS works with brands including Adobe, AXA, Siemens, Saxo Bank, and Naver.

ADNA's head of data, strategy and solutions Nishant Kaushal said that over the last year, there has been a heightening awareness of and sensitivity towards personal data security, and this concern is no longer limited mainly to a tech-savvy audience. Although Clubhouse is still in beta mode, Kaushal said such an incident can happen to any organisation and the data breach is problematic for Clubhouse at multiple levels.

According to him, trust is a key driver of long-term equity strength, especially for new brands, and this incident shakes the basis of it. It is further eroded when users read that Clubhouse had advance warning of its security flaws from the Stanford Internet Observatory report. He added:

"One of the core attractions for users is Clubhouse’s exclusivity and association with elite opinion leaders. Leaking of private conversations poisons both."

"So it’s not a surprise that a recent survey by American software company Ping Identity found that after a data breach, 38% of users would cease all interaction with the affected brand, at least for a while. Therefore, Clubhouse's growth will likely be impacted until it can convincingly demonstrate that it has secured its platform," he said. Brands Ping Identity works with include Netflix, Equinix, HP and Chevron.

On the other hand, Vijayaratnam Tharumartnam, PROTON's director, group corporate communications, said the breach would not substantially impact Clubhouse's momentum because the data shared with the app is minimal - a phone number and an email address. According to him, there is no sharing of credit card numbers or any other critical information. 

"Clubhouse also has no transactional functionality so there is little to fear. At worst, someone has a recording of something you said and if it was libelous, you probably should not have said it anyway," he explained. Furthermore, Tharumartnam said the Clubhouse crowd is a fairly gregarious one and also a little more fun. Hence, the draw of Clubhouse will outweigh this incident and this "will just be a blip for it".

How can Clubhouse contain the impact?

Transparency is important in such situations and while Clubhouse has confirmed the breach, it has yet to publish an official statement on its website. Co-founder and CEO of Antsomi Serm Teck Choon said one of the ways it can ensure downloads and usage are not impacted is to publish an official statement on its website to address the concerns being discussed and mentioned, particularly from a security, privacy, and data protection standpoint. 

At the same time, it can also leverage on the regular Clubhouse townhall held on the app to hold a transparent discussion with users. "The more open it is, the faster Clubhouse can mitigate the risk of losing users' confidence in the app. This will also be a good showcase for Clubhouse founders to advocate the spirit of the app - conversation," he added.

Echoing Serm, ADNA's Kaushal said Clubhouse has to transparently acknowledge its multiple security issues, outline a plan to address them quickly and completely, make the fixes and then ask a third-party reviewer such as Stanford Internet Observatory to certify.

"This could in fact be an opportunity in disguise as research on past similar incidents has shown that when a company recovers strongly after a major service failing, it can end up boosting its customer satisfaction versus what it was before the crisis," he said, referencing CX and loyalty research that ADNA has done for clients in the cloud and tech space. Kaushal, however, could not provide additional information due to NDA.

Another way to prevent fallout is for Clubhouse to stay in touch with customers and continue listening along this journey, seek continuous feedback on actions taken and benchmark itself to measure the success of its endeavours. Kaushal added that this is not only applicable to Clubhouse but also to companies that fall prey to such incidents.

Statistics from Digimind showed that while public discussions around Clubhouse and its reported data breach reached approximately two million online mentions worldwide from 20 to 23 February, conversations in Singapore, Malaysia, and Indonesia were comparatively fewer.

Instead, Digimind found that netizens in these countries were still fixated on Clubhouse’s novelty and exclusivity. A 72% spike on 20 February can be mostly attributed to increased promotional activity from influencers, and questions posed on Twitter around Clubhouse’s user features. Overall, netizens are still expressing interest in and curiosity about the app’s unique interface and being able to join audio chats led by their favourite influencers, a result of its exclusivity. Among the key topics discussed in Southeast Asia surrounding Clubhouse were "dalam clubhouse", "young local celebrities", "kind of clubhouse", "clubhouse audio", and "image popped".

Digimind's head of Asia Pacific Olivier Girard said while the data breach may have had a comparatively small impact on public conversations in Southeast Asia, Clubhouse will need to remain vigilant on such issues. This is especially crucial in light of concerns over similar threats to data privacy around its larger, more established counterparts such as Facebook and WhatsApp.

According to him, widespread adoptability of Clubhouse in Southeast Asia will be determined largely by two factors - accessibility to a larger user base, and compliance with government regulations.

"In cases such as this, it is important for brands – be they social apps or consumer goods and services – to investigate the impact of a crisis on consumer perception and conversations and take appropriate measures. Social media listening can be handy for enabling crisis management teams to determine this as it develops," he added.

Meanwhile, according to statistics from Meltwater covering 20 to 24 February, only 22% of online sentiment about Clubhouse was negative. The majority was either neutral (65%) or positive (12%). Twitter had more than 20% negative sentiment, the most among the sources, ahead of news sites and blogs, which had more than 10% each.

How hackers are potentially targeting consumers

Its invite-only function makes Clubhouse exclusive and therefore sought after among consumers. This has led to Clubhouse invites being put on sale globally, including in countries such as Singapore and Malaysia. A check by MARKETING-INTERACTIVE found that Clubhouse invitations priced between US$7 and US$22 are being sold on Facebook Marketplace in Singapore. In Malaysia, the invitations range from as low as US$1 to US$61.

Kaspersky's security expert Denis Legezo said there are two ways cyber criminals can target unwitting users - the sale of invites and fake applications. He explained that both scenarios are united by one thing – the desire to exploit users’ interest in the social platform.

While the first scenario is simply monetisation on a small scale, the second scenario is more serious. Legezo explained that attackers can distribute malicious code under the guise of popular software – for instance, a fake version of Clubhouse for Android.

"A fake malicious application can do exactly what you allow it to do in the security settings of your Android – to get a rough or accurate location of the device, record audio and video, and attain access to messengers, among others," he said.

Cyber criminals can also use other unusual tricks. For example, Legezo said if attackers implement the capacity to record audio, and this function is allowed on the device, they would be able to use high quality recordings to train their machine algorithms, to create more sophisticated deep fakes.

"The best way to keep safe is to be vigilant about what you download, and to maintain proper security settings on your smartphone," he said.