Ever wondered just how bad a cyber-security breach could be for your organisation?
Have you considered that it could shut down your business for days?
That may sound like the sort of tough scenario we might create to push delegates during one of our bespoke crisis communication courses.
But it just happened outside of the training room.
London Drugs – a Canadian store rather than a dubious weekend pastime - closed more than 80 stores across Canada for what it initially described as an “operational issue” and later confirmed was a “cyber security incident”.
The company sells pharmaceuticals, groceries and electronics, and it was more than a week before it could “gradually” reopen stores. At times, its phone system also went down.
It said the closures were made out of an “abundance of caution” – a horrible phrase bringing back memories of the pandemic when caution alone was no longer deemed to be enough.
A post on X, formerly Twitter, said: “On April 28, 2024, London Drugs discovered that it was a victim of a cybersecurity incident. Out of an abundance of caution, London Drugs is temporarily closing stores across Western Canada until further notice.
“Upon discovering the incident, London Drugs immediately undertook counter measures to protect its network and data, including retaining leading third-party cybersecurity experts to assist with containment, remediation and to conduct a forensic investigation.”
The post went on to say that pharmacists are “standing by to support any customers with urgent pharmacy needs.”
And added: “We apologise for any inconvenience caused and we want to assure you that this incident is the utmost priority for us at London Drugs.”
On April 28, 2024, London Drugs discovered that it was a victim of a cybersecurity incident. Out of an abundance of caution, London Drugs is temporarily closing stores across Western Canada until further notice. Upon discovering the incident, London Drugs immediately undertook…
— London Drugs (@LondonDrugs) April 29, 2024
It is not always easy to evaluate the effectiveness of a crisis response from the other side of the Atlantic.
But we won’t let distance get in the way of bringing you the latest crisis communication case studies.
To its credit, the company responded quickly.
And it has continued to communicate and keep customers and the media updated – a crucial part of crisis communication.
Having pharmacists available for emergency prescriptions and urgent care needs would have helped reassure worried customers.
And creating a page on its website of the stores that had reopened was an excellent crisis response move.
Other good crisis response steps have included an update letter to customers.
London Drugs has issued a formal apology letter to its customers for its abrupt closure of Western Canada stores after a cyberattack shut down 79 retail locations across B.C., Alberta, Saskatchewan and Manitoba for roughly six days.https://t.co/eLvrb47RAl
— Global Calgary (@GlobalCalgary) May 8, 2024
And a ‘thank you’ post to customers who “supported us during our store closures”.
Thank you, and all of you who have supported us during our store closures. We're excited to serve you again. pic.twitter.com/KtPgEO042k
— London Drugs (@LondonDrugs) May 10, 2024
But it was not all positive.
There was a line in its statements that kept leaping out.
“No interviews will be conducted at this time.”
That’s not a line we like to see.
We understand cyber security incidents tend to be complex. And it may take time to know the scale of what has happened and what has been taken.
But these crises pose a massive risk to reputations and customer relationships, especially when stores are closed and services are unavailable.
So, wouldn’t it be better to get in front of the media and try to take control of the story?
The longer you rely on statements, the more likely it is others will fill the void. And frenzied speculation and rumour can quickly replace facts.
The company’s president, Clint Mahlman, has since said the ‘no interviews’ approach was to prevent the release of information hackers could use.
“We apologise to the media and our customers that we couldn’t have given more details that they want, but that’s our commitment to the safety and security of our systems and our customers,” he said.
But I don’t think customers want lots of technical information.
They want to know that the company cares, that their personal information is safe and that the company is doing everything possible to quickly get things back to normal.
Compassion and empathy are crucial parts of crisis media management responses and maintaining customer relationships.
And they can come through much more clearly from an effective crisis spokesperson than a series of statements – particularly when the language used in those statements is dry and formal.
The story is a reminder that organisations of any size are susceptible to cyber-attacks. And that they must be included in crisis plans and risk registers.
It also highlights that recovery can be protracted and that operations will not necessarily be restored within 24 hours.
London Drugs will not disclose how much the store closures cost, only saying it was a “very big and dramatic decision”.
Research from internet service provider Beaming says that cyber-crime cost UK business more than £30.5 billion in 2023.
It is also estimated that around 312,000 businesses and 27,000 charities in the UK were targeted by cybercrime in the past year.
Are you prepared?
Media First are media and communications training specialists with more than 35 years of experience.
We have a team of trainers, each with decades of experience working as journalists, presenters, communications coaches and media trainers.
Click here to find out more about our crisis communication training courses.
