Successful Crisis Management: The Evernote Hack
As data theft is on the rise, it must be assumed that sooner or later, if you have data someone wants, your systems WILL most likely be compromised. It is important to put up strong defenses, but it is even more critical that you have a crisis management plan for when things go wrong.
With social media comes a whole new set of rules for your organization’s crisis communications and crisis management. We’re often given opportunities to learn about social media crisis management through the highly visible fallout from the experiences of others. How a company takes action and manages a hard-hitting crisis often gives customers a more honest insight into how it is run than any meticulously crafted press release could.
Evernote Crisis Management
Evernote, the online note-taking service, suffered a serious security breach in March 2013 involving the theft of usernames, email addresses and encrypted passwords of up to 50 million users. Luckily, no payment details were stolen, and according to the company the hackers were not able to access notes that users had stored on the Evernote service. So, how did they manage the crisis and what lessons can be learned?
What went well? Open Communication
Almost immediately, Evernote communicated with their users on Twitter, through a blog post and an email stating that their security team had “discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.” They also suggested all users reset their Evernote account passwords.
They advised users to choose a strong password and to be suspicious of password reset links sent via email. They also advised users to ensure that they did not use the same password on multiple sites. Within 24 hours they had updated at least their Apple iOS app to focus everyone on resetting their password.
Attentive Evernote reps responded to irate users on their site and carefully explained what was happening throughout the process. Some users praised the company for its transparency and timely communications and voiced their support. However, many complained they didn’t receive the notification email because they no longer had access to the email account they had used to sign up for the service.
Lessons Learned: What could have been handled better?
Although there was a blog post on the Evernote website, nothing was actually posted on the Evernote homepage. There was also an evident lack of post-hack communication.
A week after the event, there had been no blog update or further emails about what had happened or what they had subsequently done to improve security, nor any attempt to defuse the ongoing comments. Initially many users asked about implementing two-factor authentication, used by Google to provide extra security for its users. However, there was no immediate response. Evernote should have answered any FAQs and taken the opportunity to welcome feedback from users, making their crisis communications a two-way process, which is often the best way to learn and adapt.
Do you have a crisis management plan in place? If the answer is NO, it is about time you put one in place!