Several big brands and retailers have been in the news recently – but not for buoyant sales or new product launches. Companies like Marks & Spencer, Harrods, Cartier, the North Face, Victoria’s Secret, Christian Dior, and adidas have been targets of a data breach, forcing them to alert – and apologize to – customers and other stakeholders, and in some cases, affecting online sales and the range of products available in-store.
M&S, a legacy retailer that has more than 1,000 stores across the United Kingdom, appears to have suffered some of the most significant damage from its cyberattack. Bank of America analysts estimated that the company has lost more than £40 million in weekly sales since the incident began over the Easter holiday weekend. And according to the Guardian, “More than £1.2bn has been wiped off the value of M&S since it first admitted it had been targeted by hackers amid investor concerns about the financial hit from legal action as well as lost sales from the closure of its website and low availability of some products in stores.”
The incident appears to have gotten its start in April when, as a precaution in response to what turned out to be a ransomware attack, the retailer reportedly shut down many IT operations, effectively locking itself out of its core systems as it tried to address the incident. However, despite such action by the retailer, the “sophisticated nature of the incident” meant that thousands of customers’ personal data had been breached, with M&S acknowledging that customer names, dates of birth, telephone numbers, home and email addresses, and online order histories had been stolen. The retailer insisted that the data theft did not include usable card, payment, or login information.
Logistical Reasons, Consumer Questions
There are logical reasons why M&S may have opted for the cautious approach, including its lockdown of the core M&S digital system and consumer-facing e-commerce capabilities along with it. In a likely effort to avoid panic and anxiety among customers, it opted to tackle the issue covertly while the outcome was pending. That said, M&S’s approach to managing the incident has raised questions from a branding perspective.
First, how long has the retailer been aware of the attack? And, more importantly, how long did it wait to share news of the data theft with its customers and the public?
Research suggests that brands that are prompt and transparent in disclosing a hack – by notifying the affected customers and communicating the potential implications for their privacy – are more likely to win consumer trust. This is better for brand image than a “wait-and-see” or “drip-drip” approach.
In 2016, Yahoo was slapped with lawsuits after it announced a hack. The company’s stock price plunged amid fears that a data breach could derail its pending merger with Verizon Communications, set to be worth $4.8 billion. But the lawsuits and the market’s adverse reaction were less about the data breach and more about Yahoo’s delayed actions. It involuntarily announced the data breach when the hacker attempted to sell the stolen user data online.
Yahoo reportedly learned of the breach two years prior but did not warn its users and stakeholders. An internal review later found that the company had “failed to act sufficiently” in light of the knowledge it possessed.
Bring in the Marketers
Another critical question: Does M&S need to do more than simply assure its customers that no usable payment or login information was stolen? Other personal data, such as dates of birth and home and email addresses, was accessed, and such data can be useful to criminals committing identity theft.
A prudent retailer will do more than simply meet the mandatory legal and regulatory requirements in the wake of a data breach; it can also take a customer-centric, moralistic approach in protecting its customers’ welfare after a cyberattack. A study published by the Journal of Advertising Research highlights the strategic value of involving marketers – either in-house or via an external PR firm – in protecting consumer data and responding to breaches.
In that study, authors Kimberly A. Whitler and Paul W. Farris argue that many companies handle breaches reactively, and rely almost exclusively on legal and IT teams, ignoring marketing experts, who are essential to preserving brand trust and consumer relationships. To better protect brand image and consumer trust, they assert that marketers, as stewards of the brand-consumer relationship, should play a central role in crisis response to data privacy events to ensure that communication remains consumer-focused and trust-preserving.
Specifically, Whitler and Farris focus on the disconnect between legal strategies (which center on minimizing liability) and marketing strategies (which aim to maintain consumer loyalty and brand equity). They note that delayed or poorly crafted communication – often written in “legalese” – can damage consumer trust more than the breach itself. With this in mind, the authors call for marketers to be proactively involved in breach planning, including developing response protocols, participating in cross-functional crisis teams, and leading post-breach communications.
More fundamentally, they argue that integrating marketing into cybersecurity strategy can help minimize financial losses, reputational damage, and long-term consumer fallout, ultimately preserving the brand’s value.
Preserving More than the Bottom Line
Finally, the issue of when a retailer learned about the data theft versus when it decided to share the information with its customers is critical – and in the case of M&S, the answer remains unclear. Also uncertain in M&S’s case is how much personal data was actually taken, and whether this includes any profiling data the retailer compiled on customers (things like their purchase frequency, coupon redemption, and product choices).
Best practices for retailers in the midst of a breach-related PR crisis also include sharing any plans the company is devising to tackle potential identity thefts as a result of the breach.
M&S’s current crisis management activities could seem to be about preserving its bottom line when the focus should arguably be on protecting its customers. Instead of crafting communications that flow in one direction only and are pushed out from the target company to the public, which appears to be what M&S has done in response to the attack, companies would be better served to consider the more transparent “let’s work together” approach.
This may promote better customer trust and brand image, allowing breach-targeted companies to seek customer cooperation (things like reporting unusual emails or misinformation where a critical mass may identify a meaningful pattern). This could help to not only spot data breaches and resulting activities like identity theft and fraud but may enable companies to maintain – or even amass – goodwill in the face of crises over stolen data.
Kokho Jason Sit is a Senior Lecturer in Marketing and the Associate Head (Global) at the University of Portsmouth.