Michaels Crafts Artless Response to Customer Data Breach
Customers are no longer shocked to learn that some of their data might have been compromised in a security breach, as such events have become all too common. However, customers have expectations as to how brands should behave when their customers have been exposed, and Michaels scored somewhere in the neighborhood of C-minus. The company followed the playbook but didn't convey that it cared much.
Another retailer security breach, another national conversation about how these now regular occurrences need to stop. In the Michaels case, though, some of the talk touched on what by now should be remedial public relations. When you screw up and it affects your clients, apologize -- profusely and without hedging or reservation.
The hacked retailer du jour apparently was unaware of this rule, given the tenor of some of the comments in reaction to its handling of the breach.
Michaels last week revealed that approximately 2.6 million debit and credit cards may have been compromised by an attack on its computer systems that possibly lasted as long as seven months.
Its subsidiary, Aaron Bros., also was hit, with some 400,000 debit and credit cards hijacked.
Customer data such as card numbers and expiration dates were compromised -- but not, the retailer assured the public, customers' names, addresses or PINs.
Some of the causes of frustration with the retailer's report:
- The hack was made public in January by a security researcher, but Michaels did not address it until last Thursday;
- The attack on its systems apparently went undetected for many months;
- Michaels blamed the attack on "sophisticated malware" in its official explanation. The term irked a number of people, who saw it as a feeble excuse. "Are they even trying?" asked one online commenter.
Michaels has followed the now-familiar playbook of brands affected by a large-scale breach of security systems resulting in compromised customer data.
It provided data about potentially affected payment cards to the card companies so they could take appropriate action. It also offered identity protection, credit monitoring and fraud assistance services to affected Michaels and Aaron Brothers customers in the U.S. for 12 months free of charge.
The company outlined what it knew about the attack, saying that the affected systems contained certain payment card information, such as payment card number and expiration date, of both Michaels and Aaron Brothers customers -- but that there was no evidence that other customer personal information, such as name, address or PIN, was at risk.
Michaels did not respond to our request for further details.
Too Little, Too Late
Simply put, Michaels took too long to admit the data breach had occurred, said David Johnson, CEO of Strategic Vision.
"When an incident like this happens, the best thing is to be proactive and get as much information out as possible," he told CRM Buyer. "You will still take some hits but will get credit for being honest and informing customers and the public."
The company also erred by using a PR spokesperson, Johnson said. "In a crisis like this, the public expects the CEO to be front and center giving the bad news and explaining what went wrong and what went right."
Worst of all, "they are acting blasé on the impact, saying that no personal data was lost," he noted. Regardless of what happened to consumers, any hack is major -- and when a corporation downplays it, the public feels the corporation doesn't care."
It is not just Michaels that has mishandled the breach, Rajat Bhargava, CEO of JumpCloud, told CRM Buyer.
"Time and again, companies continue to fall short when it comes to handling a data breach," he said.
"From the moment a breach occurs, there is a narrative being written," Bhargava said. "You need to focus on who controls the story and your organization's reputation in the end. You need to both speak and act to inform those affected and then patch vulnerable parts of your infrastructure to ensure the incident is isolated and the result minimized."