In this week’s bulletin, Charlie discusses Marks and Spencer’s and Co-op’s recent cyber incidents, and rates their communications to customers.

I have been abroad for the last two weekends, first playing at the Majorca Beach Rugby Tournament, and then watching the Glasgow Warriors, with the NCSC conference in Manchester in between. As a result, there has not been much time for listening to or watching the news. I am aware of the Co-op and M&S cyber attacks, but have not followed them in detail. Since I am delivering a two-day cyber course next week, I thought I should write something on the attacks. So, for this week’s bulletin, I thought I would comment on and contrast each company’s initial communications to those affected by their data breach. I also have not read the comments made by others about their communications, so I approach this bulletin with an open mind rather than being swayed by prior opinions.

I find that best practice when writing personally to customers, by letter or email, is to ensure the following points are covered:

  1. Communicate within an appropriate timeframe.
  2. Acknowledge the incident and take responsibility for it at a senior level.
  3. Summarise the situation.
  4. Provide an explanation of any potential impact on customers, along with actions those affected should take.
  5. Give information on any possible data loss.
  6. Include information on the steps you are taking to deal with the situation.
  7. Use a tone that reflects empathy, accountability, and emotional intelligence, and is personal to the recipient.
  8. Give information on when updates will be given.
  9. Give directions on where to find further information or how to contact the organisation.

I have copies of the initial letters sent by each organisation: one sent to Kim, my wife, who has an M&S account, and one sent to me as a Co-op member. The slight irony of being a Co-op member is that I have been going to the local Co-op for the last 20-plus years, and only in the last two months did I become a member!

Below, each criterion is assessed for the M&S letter and then for the Co-op letter.

1. Communicate within an appropriate timeframe

M&S letter:
· The letter was sent on the 2nd May, which was approximately 10 days after the incident had become public. I personally think this was a bit slow, but better than Travelex, where the CEO took 3 weeks to get round to making a video message to communicate with his customers.

Co-op letter:
· The letter was sent 7 days after the attack, which I think is a reasonable time to wait before sending it.

2. Acknowledge the incident and take responsibility for it at a senior level

M&S letter:
· The CEO signed off the letter, showing that they are taking responsibility for the incident.
· The second line of the email acknowledges that they had suffered a cyber attack, not a ‘technical glitch’, as some communications from other organisations have claimed during their cyber incidents.
· There is no information about the hackers, which is slightly unusual. In other communications I have read, they usually refer to the hackers as ‘international and sophisticated criminals’, and say they are ‘working with law enforcement and the NCSC’. There is no mention of this at all.

Co-op letter:
· The email, like M&S’, was signed by the CEO.
· The incident is acknowledged. Describing the criminals who carried out the attack as ‘highly sophisticated’ is a common tactic used by many organisations in communications after cyber incidents. They are using the strategies of ‘Diminish’ and ‘Bolstering (Victimage)’: attempting to reduce the organisation’s responsibility by highlighting the external nature and sophistication of the threat, positioning the company as the victim of a crime, and appealing for empathy.
· Have a look at Coombs’ Situational Crisis Communication Theory (SCCT) if you would like to learn more about the different strategies which can be used to frame an organisation’s crisis communications.

3. Summarise the situation

M&S letter:
· They have not made it clear what is affected and what is not; they have just mentioned ‘not the service you expect from M&S’. I think they should have said that click and collect is affected but all other services are available.

Co-op letter:
· As with M&S, they have not said what the impact of the cyber attack is and how it might affect customers. I can understand not wanting to tell the hackers what the impact is, but in the Co-op’s case some of the impacts are obvious, such as empty shelves. Again, I think companies could be more upfront about the impact of the hack on their delivery of services.

4. Possible impact on customers and any actions those affected should take

M&S letter:
· No mention of any actions customers should take to protect themselves.

Co-op letter:
· There is no mention of the impact of the loss of data on customers.

5. Information on a possible data loss

M&S letter:
· If data is exfiltrated in 94% of ransomware attacks, M&S should have known that it is likely that data had been exfiltrated. There is no mention of data in the email, nor of any actions customers should take to protect themselves. I personally think this is a serious oversight and verging on being dishonest.

Co-op letter:
· “We have established that the cyber criminals were able to access a limited amount of member data.” – this was not true. On 2nd May, the company was aware that a substantial amount of data had gone missing. This is not what the letter said. There is nothing in the letter about the details of the data which had been lost. There is a link to the NCSC page ‘Data breaches: guidance for individuals and families’, but they have not made it obvious that you should go to the NCSC site for information on how to protect yourself.

6. What steps are you taking to deal with the situation

M&S letter:
· The letter says ‘Our teams are doing the very best they can’. I think this could be a bit stronger and really show that the teams are working around the clock to deliver service to their customers and restore company systems.

Co-op letter:
· They talk about the work staff are doing to look after the company and their customers.

7. Be written with empathy, accountability and emotional intelligence, and be personal to the person receiving it

M&S letter:
· The letter was addressed to my wife personally using her first name, which could be seen as overly familiar, but, on the other hand, that is sometimes all that is on their database. M&S may not have collected the information on whether she is a Mrs or a Ms. Getting this wrong, and addressing a customer incorrectly, could cause further upset and could lead to a negative media story.
· I think the overall tone of the letter is a bit simplistic, and I feel the language is almost childlike. I believe they are empathetic to their clients, and they apologise in the first line of the letter.
· I find it a bit odd that the CEO has advertisements at the bottom of the email, especially for services the public can’t use, as their on-site services are not available.

Co-op letter:
· The email was addressed to me personally: “Dear Charlie”.
· The letter talks about being open with customers regarding the position the company finds itself in. I feel from the letter that it is quite empathetic, and it is genuine that the staff are working hard to remedy the situation.
· I do feel the communications are a bit more about the impact on the Co-op than on its customers.

8. Give information on when updates will be given

M&S letter:
· The letter says ‘we will continue to keep you updated’, but I think better practice would be to give a timescale, or to refer customers to the website to check for further information.

Co-op letter:
· The letter says ‘I will be back in touch as soon as possible’, but does not give a specific time for when the next update will be provided.

9. Where to find further information or how to contact the organisation

M&S letter:
· I think there is a missed opportunity to refer them to the website where they can find further information. There is also no means given to contact the company if further information is needed.

Co-op letter:
· There is a link to Q&As on the incident on the company website. This is good practice.

10. Conclusion

M&S letter:
· I feel this is an OK letter, but it really goes through the motions of getting communications out rather than being a true, empathetic, heartfelt letter. I also feel that the lack of mention of a possible data breach was a mistake. The letter does feel human and not over-lawyered, and according to AI, it wasn’t written by AI!
· I would give the M&S letter 6 out of 10.

Co-op letter:
· This letter tries a bit harder than M&S to deal with the issues and is a little more empathetic. It does mention the data breach, which is good, but it plays it down and doesn’t give details of what has happened. I think overall they are trying to downplay the incident.
· As with the M&S letter, I would give the Co-op letter 6 out of 10.

Click here to view the full M&S email.

Click here to view the full Co-op email.
