Matt Hodges-Long looks at the recent WHSmith ‘data breach’ story and explains how the retailer could have better handled its crisis communications.
At approximately 00:17 on September 2nd the well-known British retailer WHSmith started to erroneously email its customers’ email addresses and telephone numbers to other customers in its database. We don’t know when WHSmith were made aware of the problem, but we do know that they started to receive @mentions via Twitter from around 8am. From that point the ‘data breach’ story went viral on social media and was soon picked up by the BBC and other mainstream news outlets.
So, in the immediate few hours after the breach, how did WHSmith deal with the crisis to protect its customers’ interests and its own corporate reputation? In a word: badly.
After a prolonged period of silence WHSmith management started briefing (to the traditional media) against a third-party supplier called I-Subscribe: in effect they attempted to ‘pass the buck’. They also tried to split hairs by stating that they had not experienced a data breach but rather a ‘bug’. What they probably meant to say is that they were not hacked. Perhaps they should have looked at the ICO’s definition of a data breach: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.
At around 1pm on September 2nd WHSmith issued a statement on their Facebook page and cross-linked it to their Twitter feed. Here is the post: “We have been alerted to a systems bug by I-subscribe who manage our magazine subscriptions. This is not a data breach. We can confirm that this has impacted 22 customers. I-subscribe have immediately taken down this online form and are contacting the customers concerned to apologise for this administrative error. This issue has not impacted or compromised any customer passwords or payment details.”
This statement is probably one of the worst ‘official’ statements I have come across, and in my view is way below what could pass as acceptable from a Plc with a brand to protect. Here is why:
- No ownership: WHSmith have once again sought to ‘pass the buck’ to I-Subscribe despite the breach occurring from within a WHSmith-branded environment. In addition, the statement is anonymous: at the time of writing no member of the WHSmith senior management team has made an official statement.
- Timing: WHSmith took over five hours to make a ‘statement’ on the subject despite it trending on social media.
- Data breach: WHSmith reassert the notion that this was not a data breach. Whether it was or was not will become apparent in the fullness of time. It is interesting to note that the Information Commissioner’s Office has confirmed that it is aware of the situation and is investigating.
- Trivialisation: WHSmith sought to downplay the seriousness of the incident by stating that only ‘22 customers’ were impacted. This is not really the point once the genie has escaped the bottle and the story has gone viral.
Based on my experience of planning for and managing crisis events, this situation bears all the hallmarks of poor communication and behind-the-scenes panic within WHSmith. The behaviour of WHSmith is entirely typical of a company that has not planned for such a scenario and does not have adequate crisis management processes in place (I hope I am wrong about this assumption).
So what should WHSmith have done (aside from taking down the offending Contact Us form)?
- Communicate clearly and early: it was clear from social media posts and screenshots that a serious and potentially reputationally damaging event had occurred. WHSmith should have issued an immediate statement (across all channels) to acknowledge that they were aware of the issue, that all resources were being deployed to resolve it, and that a further statement would be issued in due course. This should be a pre-prepared statement that is embedded within a rehearsed crisis management process.
- Accept responsibility: regardless of where the legal liability is ultimately proved to sit, it is the WHSmith brand that is being associated with a very high volume of negative sentiment. Passing the buck to a small supplier that very few people have heard of completely misses the point. WHSmith should also have put forward a member of the senior management team (ideally the CEO) to make a public commitment to containing, resolving and investigating the situation.
- Don’t trivialise: whether the breach affected 1 or 1 million customers is largely irrelevant. For the individuals who have had their personal information broadcast to strangers, it is of no comfort to know that they were one of a small number. Also, making a public statement that “This is not a data breach” should be left to the Information Commissioner to decide.
- Say sorry: alongside accepting responsibility for the incident, don’t be afraid to say sorry. WHSmith appear to have delegated saying sorry to their supplier!
For an example of how the CEO of a listed company should behave in a crisis situation, take a look at how Merlin plc CEO Nick Varney communicated after the tragic Alton Towers incident.