M&S, a legacy retailer that has more than 1,000 stores across the UK, appears to have suffered the most significant damage from . Bank of America analysts estimated that the company has lost more than in weekly sales since the incident began over the Easter bank holiday weekend.
As a precaution, the retailer was reported to have many IT operations, effectively locking itself out of its core systems as it tried to address the incident.
And then the situation worsened. M&S acknowledged that the , including names, dates of birth, telephone numbers, home and email addresses, and online order histories, had been stolen. However, the retailer insisted that the data theft did not include usable card, payment or login information.
There are logical reasons why M&S may have opted for the cautious approach. It did not wish to create more panic and anxiety among customers. It preferred to tackle the issue covertly while the outcome was pending. It did not want to be seen as digitally incompetent. Of course, this reasoning is only speculative.
That said, M&S’s approach to managing the incident has raised questions from a branding perspective.
First, how long has the retailer been aware of the attack? And, more importantly, how long did it wait to share news of the data theft with its customers and the public?
suggests that brands that are prompt and transparent in disclosing a hack, notifying the affected customers and communicating the potential implications for their privacy, are more likely to win consumer trust. Doing so is better for brand image than opting for a “wait-and-see” or “drip-drip” approach.
In 2016, US IT firm was slapped with lawsuits after it announced a hack. The company’s stock price plunged amid fears that a data breach could derail its pending merger with Verizon Communications, set to be worth US$4.8 billion (£3.6 billion).
But the lawsuits and the market’s adverse reaction were less about the data breach and more about Yahoo’s delayed actions. It involuntarily announced the data breach when the hacker attempted to sell the stolen user data online. Yahoo reportedly two years previously but did not warn its users and stakeholders. An internal review later found that the company had on the knowledge it had.
Bring in the marketers
Second, does M&S need to do more than simply assure its customers that no usable payment or login information was stolen? Other personal data like date of birth, home and email addresses did get hacked, and are useful for criminals to commit .
A prudent retailer will do more than follow the laws and regulations; it can take a more in protecting its customers’ welfare after a cyberattack. has highlighted the strategic value of involving marketers – either in-house or an external PR firm – in protecting consumer data and responding to breaches.
The authors of the study stated that a marketer’s remit typically involves working with people from different backgrounds across all departments of a firm. This enables them to facilitate talks and negotiations between the relevant people, from company lawyers, tech experts, and security officers, to those overseeing investor relationships and the CEO managing the board relationship.
Being focused on , even in times of deepening crisis, marketers instinctively think about the benefits and barriers experienced by consumers.
Talking points between the company’s departments should focus on moral, as well as legal, options for protecting consumer data. Communications should consider the negative effect of the crisis on consumers, beyond the firm stressing its victimhood and seeking sympathy.
Marketers can put the consumer’s point of view front and centre. They can highlight issues that others in the business may not consider, such as who drafts consumer communications, how messages are communicated and monitored, and how consumers can reach out to the brand to seek or offer help.
At the end of the day, M&S has been the victim of a crime. Known as a , a data breach is instigated exclusively by criminal actors. The way and pace at which M&S has communicated the data theft to its customers could potentially leave it open to criticism, however.
The issue of when the retailer learned about the theft versus when it decided to share the information with its customers remains unclear. Also uncertain is how much personal data was taken, and whether this includes any data from profiling the retailer conducted on customers (things like their purchase frequency, coupon redemption and product choices). M&S should also share any plans it is devising to tackle potential identity thefts.
M&S’s current crisis management activities could seem to be about preserving its bottom line while arguably the focus should be on caring for customers. As a legacy retailer which is nearly 141 years old, M&S can do better than following the typical “let me tell you” approach. This is where communication flows in one direction only and is pushed out on to the public, and is what M&S in response to the attack.
Instead, it should consider the more transparent “let’s work together” approach. This may promote better customer trust and brand image, allowing M&S to seek customer cooperation (things like reporting unusual emails or misinformation where a may identify a meaningful pattern). This could help to spot data breaches and criminal activities like identity theft and fraud.
, Senior Lecturer in Marketing; Associate Head (Global),
This article is republished from under a Creative Commons license. Read the .