In the wake of major cyberattacks, how have M&S and Co-op handled their crisis comms, and how have approaches evolved?
Nothing provides a more useful indication of consumer sentiment than sales figures, and the latest for cyberattack victims M&S and Co-op came this week.
While M&S is adamant shopping in-store has returned to normal since the cyberattack in April, the figures clearly tell of wind lost from its sails. Its grocery sales were up 6.5% year on year in the 12 weeks to 13 July, according to Kantar – still good, but a long way from its stellar 14.4% growth just before the cyberattackers struck [12 w/e 20 April].
Co-op sees Kantar’s take-home methodology as an incomplete gauge, arguing it ignores 30% of sales. Still it’s hard to ignore the data. Its sales were down 3.7% year on year in Kantar’s latest market update, compared with 1.9% growth just before the attack in April.
But as we’re beginning to see the fallout, what are the communications that have influenced them? How have their approaches evolved? And who is handling the PR crisis better?
“The first response is the one that sticks in people’s minds and sets the tone for the rest of the strategy,” says Truth PR MD Lisa French.
M&S broke the news of the “cyber incident” to the stock market and customers the same day – the first working day after discovering the attack over the Easter bank holiday weekend. The email to customers was from CEO Stuart Machin, signed with a handwritten ‘Stuart’.
Co-op was slower to contact customers directly about the cyberattack, telling the press first five days after discovering the attack. It was nearly a week after the news broke that it contacted members, in an email signed by group CEO Shirine Khoury-Haq (see timeline).
Proactive and reactive
“M&S’s communications were much more proactive,” says Tricia Fox, founder of marketing agency Cunningly Good Group. “Co-op’s comms have been more drawn out of them. It was a more haphazard, reactive response.
“M&S’s initial communication was more personalised, signed ‘Stuart’ by the CEO. That says ‘I’m a human’. It’s more grounded. Co-op simply communicated less [directly with customers].”
Hayley Goff, CEO of Whiteoaks International, notes that significant developments were revealed in press releases. “Co-op posted official updates through its [corporate] website, which in reality is not where the majority of customers are likely to find themselves”.
M&S v Co-op: crisis management timeline
19 April: M&S becomes aware of attack.
22 April: M&S informs stock market and customers of the ‘cyber incident’, in an email from CEO Stuart Machin.
25 April: Initial attack on Co-op takes place. Retailer sees malicious activity in hacked colleague account.
30 April: Co-op goes public, informing the press it has shut down part of its IT estate after detecting the attack. Severe disruption to availability in stores follows.
2 May: Co-op tells the press hackers accessed data “relating to a significant number” of members, not including card payment details.
5 May: Co-op sends first message direct to members, from group CEO Shirine Khoury-Haq.
13 May: An email from M&S’s director of central operations Jayne Wall tells customers their data has been stolen, not including card payment details. Shoppers with online accounts are asked to change their password.
13 May: A Co-op leaked note to suppliers says orders for ambient, fresh, and frozen will resume the following day.
5 June: Khoury-Haq says in a LinkedIn post that systems are “now stable” and the retailer is making “significant progress towards a full and complete recovery”. She says there is “still work to do to unwind the operational and technical impacts of the actions we had to take to block the criminals” but that food stores are now well stocked.
21 May: M&S chief Stuart Machin says in a trading update that disruption to online orders will continue through June and July.
26 May: Machin tells The Mail on Sunday it’s “an incident, a setback, a bump in the road”, but not a crisis.
10 June: M&S online orders resume for some clothing lines in some regions.
18 June: Co-op offers members £10 off a minimum shop of £40 to make up for the disruption. Offer runs for a week.
W/C 23 June: M&S sends e-gift cards to customers who had an online order cancelled or delayed after the cyberattack.
8 July: Co-op group secretary and general counsel Dominic Kendal-Ward tells MPs a Business & Trade Select committee the retailer did not pay a ransom. “Within hours we had detected [the attack]. We had set up our continuity processes, and in doing so managed to prevent deployment of.”
8 July: M&S chairman Archie Norman refuses to say whether the retailer paid a ransom when asked by the same committee. He says M&S will still be working behind the scenes to rebuild systems until October.
16 July: Co-op confirms data of all 6.5 million members was stolen. Khoury-Haq tells BBC Breakfast she is “incredibly sorry”.
17 July: M&S confirms rewards have returned in the Sparks app. Customers who missed birthday treats in May and June belatedly receive them.
Evolving the conversation
As the weeks have progressed, M&S has also been canny at changing the conversation, grabbing attention in headlines and social media with other activity – not least its viral Strawberry & Creme sandwich, says Fox.
A simple Google news search can be a useful indicator of how a brand is doing at crisis management. “If you search for Co-op now, the top story is ‘Co-op boss says sorry to 6.5 million people’,” she says. “If you do the same for M&S you’ll get a very different set of results, not necessarily about the cyberattack.”
M&S’s distractions have also included inventing a ‘national picky bits day’ on 27 June, and launching 100 new summer food lines the same month.
All that said, the Khoury-Haq interview that Fox finds at the top of her search results is one that has changed perceptions of Co-op’s handling of the crisis in the eyes of PR experts, and no doubt those of many shoppers.
Interviewed on BBC Breakfast on 16 July, Khoury-Haq made no attempt to minimise the episode. Asked by presenter Jon Kay whether customer data was now safe, Khoury-Haq said: “Their data was copied, so the criminals did have access to it, like they do when they hack other organisations.”
Asked if she was saying sorry to customers over the data breach, she said: “I am incredibly sorry… It’s awful.
“I’m devastated that that information was taken. I’m also devastated by the impact that it took on our colleagues as they tried to contain all of this.
“Early on I met with our IT staff and they were in the midst of it. I will never forget the looks on their faces, trying to fight off these criminals and protect our members’ data and our organisation as well… that will never leave me.
“It’s not about me, it was colleagues,” she added. “It’s personal to me because it hurt them, it hurt my members… and it hurt our customers.”
In a further sign of a more positive and less reactive approach, Khoury-Haq also revealed that Co-op was partnering with The Hacking Games, a UK-based social impact business that aims to prevent cybercrime by identifying young cyber talent and channelling their skills into legal career paths.
“She was amazing,” says Kate Hartley, co-founder of Polpeo and author of Communicate in a Crisis.
“She takes it very personally but she doesn’t put herself at the centre. She was very clear that it’s ‘awful’ – she uses that word. She doesn’t downplay it. She showed enormous empathy. She was sitting on a sofa and seemed relatable, trustworthy.”
Hartley contrasts this tone with the evolving messaging at M&S.
“I think Stuart Machin has been a little bit in danger of making it about himself more recently,” she says.
She points to an interview Machin gave the Mail on Sunday on 25 May. “There was a photo of him having a meal with Joan Collins and Christopher Biggins, which I don’t think did him any favours. Apparently [Joan] was shopping for snacks in M&S.”
Machin tells the newspaper: “I wouldn’t call it a crisis – that is too dramatic. [It is] an incident, a setback, a bump in the road, a disruption.”
Hartley says: “I worry he’s diminishing the impact it’s had on customers by minimising it.”
Minimising may appeal to shareholders, but it is not looking through the same lens as customers whose data has been stolen, Hartley says.
Not terribly helpful
Another thing that is “not terribly helpful for M&S” is the revelation in its annual report in May that Machin’s pay package rose by nearly 40% to £7.1m in the year to 30 March, just before the crisis began. His deferred performance share plan awards – which make up 64% of his total pay and are tied to both performance and future share price – rose from £2.6m to £4.6m.
“Of course, he’s presided over a huge period of growth at M&S and the cyberattack has nothing to do with it, but there is going to be a lot of analysis in the weeks to come about his salary and bonuses,” says Hartley.
Such analysis may bring attention to a fundamental difference in the ownership structure of the two retailers, one which was noted by Co-op general secretary Dominic Kendal-Ward when he addressed a Business & Trade Select sub-committee in July.
“We are a member-owned organisation,” he said. “Whilst we have… some market obligations, we don’t have listed shares so we don’t have quite the same considerations around communications to investors.
“Our owners are the same people who are shopping with us and who are impacted.”
So what’s the verdict? The various PR experts The Grocer approached were split over who has made the best of the crises.
Truth PR’s French says: “M&S started on a better foot, but Co-op improved its communications as the events unfolded. For that reason, I don’t think either will see a significant decline in customer confidence.
“I think it just needs to be reflected on as a learning experience. Crisis comms situations should be stress-tested alongside security tests, and I’m sure other retailers will consider that going forward.”
No comments yet