Business Daily Media


How can retailers regain customers’ trust after a hack? A marketing expert explains

  • Written by Kokho Jason Sit, Senior Lecturer in Marketing; Associate Head (Global), University of Portsmouth

Several big British retailers have been in the news recently – but not for buoyant sales or new product launches. Firms like Marks & Spencer and Co-op have been hacked, affecting online sales and the range of products available in-store, and forcing them to apologise to customers and other stakeholders. Luxury retailer Harrods[1] also suffered a near-miss.

M&S, a legacy retailer that has more than 1,000 stores across the UK, appears to have suffered the most significant damage from its cyberattack[2]. Bank of America analysts estimated that the company has lost more than £40 million[3] in weekly sales since the incident began over the Easter bank holiday weekend.

As a precaution, the retailer was reported to have shut down[4] many IT operations, effectively locking itself out of its core systems as it tried to address the incident.

And then the situation worsened. M&S acknowledged that the personal data of customers[5], including names, dates of birth, telephone numbers, home and email addresses, and online order histories, had been stolen. However, the retailer insisted that the data theft did not include usable card, payment or login information.

There are logical reasons why M&S may have opted for the cautious approach. It did not wish to create more panic and anxiety among customers. It preferred to tackle the issue covertly while the outcome was pending. It did not want to be seen as digitally incompetent. Of course, this reasoning is only speculative.

That said, M&S’s approach to managing the incident has raised questions from a branding perspective.

First, how long has the retailer been aware of the attack? And, more importantly, how long did it wait to share news of the data theft with its customers and the public?

Research[6] suggests that brands that are prompt and transparent in disclosing a hack, notifying the affected customers and communicating the potential implications for their privacy, are more likely to win consumer trust. This is better for brand image than opting for a “wait-and-see” or “drip-drip” approach.

In 2016, US IT firm Yahoo[7] was slapped with lawsuits after it announced a hack. The company’s stock price plunged amid fears that a data breach could derail its pending merger with Verizon Communications, set to be worth US$4.8 billion (£3.6 billion).

But the lawsuits and the market’s adverse reaction were less about the data breach and more about Yahoo’s delayed actions. It involuntarily announced the data breach when the hacker attempted to sell the stolen user data online. Yahoo reportedly learned of the breach[8] two years previously but did not warn its users and stakeholders. An internal review later found that the company had “failed to act sufficiently”[9] on the knowledge it had.

Second, does M&S need to do more than simply assure its customers that no usable payment or login information was stolen? Other personal data like date of birth, home and email addresses did get hacked, and are useful for criminals to commit identity theft[10].

A prudent retailer will do more than follow the laws and regulations; it can take a more customer-centric, moralistic approach[11] to protecting its customers’ welfare after a cyberattack. A study[12] has highlighted the strategic value of involving marketers – either in-house or an external PR firm – in protecting consumer data and responding to breaches.

The authors of the study stated that a marketer’s remit typically involves working with people from different backgrounds across all departments of a firm. This enables them to facilitate talks and negotiations between the relevant people, from company lawyers, tech experts, and security officers, to those overseeing investor relationships and the CEO managing the board relationship.

Being focused on customer experience[13], even in times of deepening crisis, marketers instinctively think about the benefits and barriers experienced by consumers.

Talking points between the company’s departments should focus on moral, as well as legal, options for protecting consumer data. Communications should consider the negative effect of the crisis on consumers, beyond the firm stressing its victimhood and seeking sympathy.

Marketers can put the consumer’s point of view front and centre. They can highlight issues that others in the business may not consider, such as who drafts consumer communications, how messages are communicated and monitored, and how consumers can reach out to the brand to seek or offer help.

At the end of the day, M&S has been the victim of a crime. Known as a “victim crisis”[14], a data breach is instigated exclusively by criminal actors. The way and pace at which M&S has communicated the data theft to its customers could potentially leave it open to criticism, however.

The issue of when the retailer learned about the theft versus when it decided to share the information with its customers remains unclear. Also uncertain is how much personal data was taken, and whether this includes any profiling the retailer conducted on customers (things like their purchase frequency, coupon redemption and product choices). It should also share any plans it is devising to tackle potential identity thefts.

shopfront of the original m&s store in kirkgate market in leeds
M&S has come a long way since first opening up a stall at Kirkgate Market in Leeds in 1884. annaj77/Shutterstock[15]

M&S’s current crisis management activities could seem to be about preserving its bottom line while arguably the focus should be on caring for customers. As a legacy retailer which is nearly 141 years old, M&S can do better than following the typical “let me tell you” approach. This is where communication flows in one direction only and is pushed out on to the public, and is what M&S appears to have done[16] in response to the attack.

Instead, it should consider the more transparent “let’s work together” approach. This may promote better customer trust and brand image, allowing M&S to seek customer cooperation (things like reporting unusual emails or misinformation where a critical mass[17] may identify a meaningful pattern). This could help to spot data breaches and criminal activities like identity theft and fraud.

References

  1. ^ Luxury retailer Harrods (www.bbc.co.uk)
  2. ^ its cyberattack (theconversation.com)
  3. ^ £40 million (www.bbc.com)
  4. ^ shut down (www.bbc.co.uk)
  5. ^ personal data of customers (www.bbc.co.uk)
  6. ^ Research (www.tandfonline.com)
  7. ^ Yahoo (www.theguardian.com)
  8. ^ learned of the breach (www.raconteur.net)
  9. ^ “failed to act sufficiently” (www.theguardian.com)
  10. ^ identity theft (www.which.co.uk)
  11. ^ customer-centric, moralistic approach (onlinelibrary.wiley.com)
  12. ^ A study (www.tandfonline.com)
  13. ^ customer experience (www.youtube.com)
  14. ^ “victim crisis” (journals.sagepub.com)
  15. ^ annaj77/Shutterstock (www.shutterstock.com)
  16. ^ appears to have done (www.marksandspencer.com)
  17. ^ critical mass (www.psychologytoday.com)

Read more https://theconversation.com/mands-cyberattack-how-can-retailers-regain-customers-trust-after-a-hack-a-marketing-expert-explains-257142
