So far, the website has identified the following phone models as "at risk": EVO 4G, EVO 3D and Thunderbolt.
According to the report, apps on affected devices have the potential to send sensitive data such as lists of user accounts, last known network and GPS locations and phone numbers from the phone log.
Android Police said it contacted HTC with the issue on 24 September, waited five full days for a response and, obtaining none, went public with its findings. The news is currently running on many widely read digital and technology websites including Engadget and CNET.
Since then, HTC has not responded to the issue beyond issuing a formal statement to interested media parties which reads, "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken."
When contacted, a spokesperson said that until HTC had more details it would be unable to issue further comment on the issue. So far, the brand has not communicated with its customers on the issue via its Twitter feed or its Facebook page which has over 900,000 fans.
While HTC's silence indicates caution, it may not necessarily be the best step to take to reassure its customers.
"The first thing HTC should do is respond to the stories by notifying fans and followers that they are aware of these reports and are investigating," commented Text 100 Asia-Pacific social media lead David Lian. "They’ve said as much in the DailyTech story, so it makes the most sense to also say the same and speak directly to the consumers."
"The most important thing about handling a crisis is to communicate both online and offline that you are addressing it immediately," added James Hacking, Vice President of BlueCurrent Hong Kong. "It is only natural for facts to emerge after some time and for plans to be put into action but the speed at which news travels online means that you need to show transparently that you are listening to people and taking the appropriate measures."
Communicating regularly with regular stakeholders is crucial when a brand crisis strikes, added Max Sim, Vice President of BlueCurrent Hong Kong. "You sometimes hear about the 5-minute news cycle that social media channels have encouraged. If you look at Google Discussion and search for the words 'massive security HTC android devices' you have an estimated 100,000 entries and there are as many as 1 million occurrences in Google Blog search already."
The issue at stake, said Lian, is the brand's reputation with its fans and userbase. "Regardless of how HTC explains the issue, the proof will be the actions it takes in resolving the issue and earnestness in providing transparency. Speed and urgency is key."
According to Sim, past crises have been successfully mitigated when the CEO went online and via appropriate channels (such as Twitter or Weibo) communicated the steps the company is taking every few minutes. "But, communications shouldn't stop there," he added.
"No longer is it sufficient to send out a statement and sit back thinking your work is done," said Hacking. "You need to keep on listening and keep on communicating until the issue is resolved."
Update on 6 October 2011
Yesterday, HTC released the following public statement:
"HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.
HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources."