Why this crisis media management response was the wrong way round

Thirty Seven is a journalist led content creation and web design agency.

We put journalistic principles at the heart of every piece of content we produce and every website we build for our clients.

CONTENT MARKETING / Email Marketing / Blogs / Social Media Content / Articles / Podcasts / Speech Writing / Presentation Design / White Papers / eBooks / Infographics / Interactive Games / Surveys / Contests / Magazines

DESIGN & DEVELOPMENT / Branding / Web Design / Web Development / Digital Design

Why this crisis response was the wrong way round

When you are responding to a crisis, speed is crucial.

You also need to show that you are taking action to resolve the issue and provide your customers with some reassurance.

And it is also vital that the response to that incident is the focus of what you say.

But that last golden rule was ignored by one company when it responded to a data breach last week.

Australian tech firm Canva suffered a breach which saw the data of approximately 139 million users stolen – a pretty sizeable amount and certainly larger than some previous incidents which have attracted far wider coverage.

Its response to this incident has been mixed.



The eye-catching part of Canva’s response came in an email it sent to customers about the breach.

That email was prompt, but the information customers actually needed was bizarrely buried beneath self-congratulations and marketing guff announcing that the company had bought free photography sites Pexels and Pixabay.

It was not until the second paragraph that the data breach was actually mentioned.

It said: “Unfortunately, we have today become aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause and have reported the situation to authorities.”



Apart from the risk of this being seen as an attempt to bury or spin bad news, there is also a real danger that customers may believe it to be a regular marketing message and might not have treated it with the necessary urgency.



It is a basic crisis media management rule, but if you are announcing bad news to customers by email, that message needs to get to the core of the issue and be focused on what the customers need to know and attempt to answer questions they may have.

The content of this email was later updated in response to feedback from those who received the first version.

The company said: “We listen to our customers’ feedback very carefully. We had some early feedback, and iterated on the email immediately.”



Social media

News of the breach was, however, much better handled on Twitter. Here the message focused, as it should, on the information customers would need to know.

And it was a tweet which suggested speed, honesty and transparency – key features of a good crisis media management response.

It said: “This morning we’ve been alerted to a security incident that enabled access to a number of usernames and email addresses. As soon as this happened, we remedied the issue and alerted the authorities. To be overly cautious, we’d recommend changing your password.”




Perhaps it was a sign it had learnt the lessons from its email error, but it was good to see that promotional posts were turned off on social media.

I also liked the way it responded to questions from customers on Twitter. It took the approach of replying to each customer individually, rather than falling into the trap of repeatedly copying and pasting the same old message.



One of the first steps brands should take when communicating a data breach is to apologise to those affected.

And that apology must sound genuine and heartfelt and show that customers are utmost in your thoughts.

Many organisations which have previously suffered data breaches have opted for the weak ‘sorry for any inconvenience’ style apologies.

Canva, however, has decided not to apologise at all, either in its email announcement or on social media, which feels like a glaring omission.



Data breaches are serious incidents which demand visible leadership.

Cava’s email response came from its head of communications while its social media activity has been anonymous.

Putting these responses in the name of its CEO would have helped to show that the breach was being managed at the highest level.

The boss does not always need to lead an organisation’s crisis response – sometimes other leaders can be better placed. But considering the scale of this incident I would have expected to see more visible leadership.   



Canva’s social media work directed customers to a page dedicated to information about the data breach.

This included updated information about the incident and attempted to answer questions customers would be likely to have.

These pages can be a great way of keeping customers informed during a crisis and, if used well, can help ensure a brand is seen as the main source of information throughout the duration of an incident.

I would just suggest that in Canva’s case it got rid of the ‘committed to protecting the data and privacy of all our users’ message from these updates. Not only did it sound robotic, but it was also pretty ironic considering the enormous amount of data it had just lost.



Data breaches make the headlines frequently – barely a day seems to pass without one being reported.

Incidents like that experienced by Canva serve as an important reminder that all companies need to be prepared for a data breach, particularly one involving sensitive customer data.

We can help customers prepare and put their plans to the test through our crisis communication training and crisis simulation exercises.



Find out more about preparing for a crisis by downloading our free crisis media management eBook. It includes a guide to helping you identify the right spokesperson, messaging templates and a risk register to help you identify your organisation’s vulnerabilities.


Media First are media and communications training specialists with over 30 years of experience. We have a team of trainers, each with decades of experience working as journalists, presenters, communications coaches and media trainers. 

Click here to find out more about our highly practical crisis communication training.


Subscribe here to be among the first to receive our blogs.


comments powered by Disqus

Get in touch to discuss your training needs
0118 918 0530 or hello@mediafirst.co.uk or tell us how we can help