Crisis communications: how not to do it…

Published: Friday, 04 September 2015 08:27

Matt Hodges-Long looks at the recent WHSmith ‘data breach’ story and explains how the retailer could have better handled its crisis communications.

At approximately 00:17 on September 2nd the well-known British retailer WHSmith started to erroneously email its customers’ email addresses and telephone numbers to other customers in its database. We don’t know when WHSmith were made aware of the problem but we do know that they started to receive @mentions via Twitter from around 8am. From that point the ‘data breach’ story went viral on social media and was soon picked up by the BBC and other mainstream news outlets.

So in the immediate few hours after the breach how did WHSmith deal with the crisis to protect its customers’ interests and its own corporate reputation? In a word: badly.

After a prolonged period of silence WHSmith management started briefing (to the traditional media) against a third-party supplier called I-Subscribe: in effect they attempted to ‘pass the buck’. They also tried to split hairs by stating that they had not experienced a data breach but rather a ‘bug’. What they probably meant to say is that they were not hacked. Perhaps they should have looked at the ICO’s definition of a Data Breach: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.

At around 1pm on September 2nd WHSmith issued a statement on their Facebook page and cross-linked it to their Twitter feed. Here is the post: “We have been alerted to a systems bug by I-subscribe who manage our magazine subscriptions. This is not a data breach. We can confirm that this has impacted 22 customers. I-subscribe have immediately taken down this online form and are contacting the customers concerned to apologise for this administrative error. This issue has not impacted or compromised any customer passwords or payment details.”

This statement is probably one of the worst ‘official’ statements I have come across, and in my view is way below what could pass as acceptable from a Plc with a brand to protect. Here is why:

Based on my experience of planning for and managing crisis events this situation bears all the hallmarks of poor communication and behind the scenes panic within WHSmith. The behaviour of WHSmith is entirely typical of a company that has not planned for such a scenario and does not have adequate crisis management processes in place (I hope I am wrong about this assumption).

So what should WHSmith have done (aside from taking down the offending Contact Us form):

For an example of how a CEO of a listed company should behave in a crisis situation, take a look at how Merlin plc CEO Nick Varney communicated after the tragic Alton Towers incident.

The author

Matt Hodges-Long is the managing director of Continuity Partner, the world’s first managed business resilience service. Prior to launching Continuity Partner Matt designed, launched and ran the Workplace Recovery division of Regus plc across 100 countries. Contact Matt at