When you are responding to a crisis, speed is crucial.
You also need to show that you are taking action to resolve the issue and provide your customers with some reassurance.
And it is also vital that the response to that incident is the focus of what you say.
But that last golden rule was ignored by one company when it responded to a data breach last week.
Australian tech firm Canva suffered a breach which saw the data of approximately 139 million users stolen – a pretty sizeable amount and certainly larger than some previous incidents which have attracted far wider coverage.
Its response to this incident has been mixed.
The eye-catching part of Canva’s response came in an email it sent to customers about the breach.
That email was prompt, but the information customers actually needed was bizarrely buried beneath self-congratulations and marketing guff announcing that the company had bought free photography sites Pexels and Pixabay.
It was not until the second paragraph that the data breach was actually mentioned.
It said: “Unfortunately, we have today become aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause and have reported the situation to authorities.”
Hey @lizmckenzie and the @canva team this is not how you start an email telling your customers you've been breached. #infosec #fail pic.twitter.com/XJdB3xcWEl
— Dave Hall (@skwashd) May 25, 2019
If you’re going to email customers about a security breach on your app, don’t start with a paragraph of self promotion and congratulation. I like Canva, and I know security breaches happen.
— Mathew Patterson (@mrpatto) May 25, 2019
Just tell me what happened, what you’re doing about it, and skip the marketing. pic.twitter.com/Jha6s5oMQA
Wow. That is a very poor communication. This is a web based company in 2019 doing this? Wowsa
— Adam Robinson (@AdamRobinsonCDM) May 25, 2019
Apart from the risk of this being seen as an attempt to bury or spin bad news, there is also a real danger that customers may believe it to be a regular marketing message and might not have treated it with the necessary urgency.
@canva Even your notification to users about your failure to keep my data secure via email looked like Spam--the greeting was "Hey there.' Then you go on to first toot your own horn and try to upsell me with more photos and T-shirt printing. FAIL.
— Justafriend Jackson (@JustafriendJ) May 25, 2019
Just going through my inbox. Not sure about @canva talking up three new features its added including t-shirt printing before actually revealing the purpose of the email: the need for users to reset passwords after a massive data breach...
— Rich Ward (@rich_rolled) May 28, 2019
It is a basic crisis media management rule, but if you are announcing bad news to customers by email, that message needs to get to the core of the issue and be focused on what the customers need to know and attempt to answer questions they may have.
The content of this email was later updated in response to feedback from those who received the first version.
The company said: “We listen to our customers’ feedback very carefully. We had some early feedback, and iterated on the email immediately.”
Social media
News of the breach was, however, much better handled on Twitter. Here the message focused, as it should, on the information customers would need to know.
And it was a tweet which suggested speed, honesty and transparency – key features of a good crisis media management response.
It said: “This morning we’ve been alerted to a security incident that enabled access to a number of usernames and email addresses. As soon as this happened, we remedied the issue and alerted the authorities. To be overly cautious, we’d recommend changing your password.”
This morning we’ve been alerted to a security incident that enabled access to a number of usernames and email addresses. As soon as this happened, we remedied the issue and alerted the authorities. To be overly cautious, we’d recommend changing your password.
— Canva (@canva) May 25, 2019
This level of transparency if how to win the trust of users. Thanks for being so quick to disclose the incident, @canva! https://t.co/mHTLsI2ue1
— Vaughan Shanks (@vaughanshanks) May 25, 2019
Perhaps it was a sign it had learnt the lessons from its email error, but it was good to see that promotional posts were turned off on social media.
I also liked the way it responded to questions from customers on Twitter. It took the approach of replying to each customer individually, rather than falling into the trap of repeatedly copying and pasting the same old message.
Apology?
One of the first steps brands should take when communicating a data breach is to apologise to those affected.
And that apology must sound genuine and heartfelt and show that customers are utmost in your thoughts.
Many organisations which have previously suffered data breaches have opted for the weak ‘sorry for any inconvenience’ style apologies.
Canva, however, has decided not to apologise at all, either in its email announcement or on social media, which feels like a glaring omission.
Leaders
Data breaches are serious incidents which demand visible leadership.
Cava’s email response came from its head of communications while its social media activity has been anonymous.
Putting these responses in the name of its CEO would have helped to show that the breach was being managed at the highest level.
The boss does not always need to lead an organisation’s crisis response – sometimes other leaders can be better placed. But considering the scale of this incident I would have expected to see more visible leadership.
Webpage
Canva’s social media work directed customers to a page dedicated to information about the data breach.
This included updated information about the incident and attempted to answer questions customers would be likely to have.
These pages can be a great way of keeping customers informed during a crisis and, if used well, can help ensure a brand is seen as the main source of information throughout the duration of an incident.
I would just suggest that in Canva’s case it got rid of the ‘committed to protecting the data and privacy of all our users’ message from these updates. Not only did it sound robotic, but it was also pretty ironic considering the enormous amount of data it had just lost.
Data breaches make the headlines frequently – barely a day seems to pass without one being reported.
Incidents like that experienced by Canva serve as an important reminder that all companies need to be prepared for a data breach, particularly one involving sensitive customer data.
We can help customers prepare and put their plans to the test through our crisis communication training and crisis simulation exercises.
Find out more about preparing for a crisis by downloading our free crisis media management eBook. It includes a guide to helping you identify the right spokesperson, messaging templates and a risk register to help you identify your organisation’s vulnerabilities.
Media First are media and communications training specialists with over 30 years of experience. We have a team of trainers, each with decades of experience working as journalists, presenters, communications coaches and media trainers.
Click here to find out more about our highly practical crisis communication training.
Subscribe here to be among the first to receive our blogs.