How did Evernote handle the hacking crisis?

This is the second piece for the Drum and the first in a series. Posted last week here: . The next one should be live on the Drum later today.

Leadership in this digital age comes with plenty of new challenges. Business decisions that in the past would have been easy to predict and manage have become a lot more complex in the ‘always on’ world we now live in.

‘We won’t make a drama out of a crisis.’ Well you might not, but consumers can and will given half a chance. Social media makes it not only easy for us to engage our customers, but it’s also made it easy for them to tell you, and everyone else, what they think. Especially when things go wrong.

Over the coming weeks we will try to reverse engineer the reasoning behind some of these decisions and, with your help, look at whether the approach stands up to scrutiny and what we can learn from it.

What’s the story?

Hacking is one of the most misused and ubiquitous terms on the net. There are plenty of reasons why people do it, and not all of them are malicious. However, this weekend one of the more respected online services, Evernote, was ‘properly’ hacked, and hence is as good a place to start as any. Nobody barring the hackers themselves knows the exact scope of the damage, but from reading the company’s response it sounds like significant amounts of data were acquired, especially since we (as a whole) still tend to use the same passwords for multiple online services.

However, before going public, management were faced with some difficult decisions. How do we:

  • Be open, but prevent panic
  • Lose as few customers as possible
  • Prevent long-term damage to brand

What went well?

On March 2nd at 6 a.m. Evernote tweeted and provided a link which explained clearly and concisely that they had been hacked, why they were taking precautions, and threw in a bit about best practice when it comes to creating passwords. Within twenty-four hours they had updated (at least) their Apple iOS app to focus everyone on resetting their password. And they have for the most part been open, upfront and conciliatory.

As you can imagine, there were a fair number of irate folk on their site. A nice chap called Andrew from Evernote carefully explained what was happening and was attentive when responding to users. Meanwhile co-worker Stefanie, who would probably have failed the Turing test, simply repeated the same statement ad nauseam.

About 10% of the posts on the blog were ‘stop whining they are doing their best’.

About 30% complained they didn’t get the notification email because they no longer had access to the email account they used to sign up with the service! While some folk might have been less diplomatic (including me), many of Evernote’s supporters redirected the hard of thinking to the company’s support page.

The rest were split between helpful suggestions and ‘I’ll never use you again’.

What could have been handled better?

There was no communication on the Evernote homepage itself (and if there was, the users certainly didn’t find it). That’s a no-brainer – it costs nothing to do and saves a lot of aggravation from those whose sole purpose in life is to complain. There is currently a reference to the original email; however, it talks about ‘resetting your password’ as opposed to ‘we’ve been breached, find out more’.

Initially many users asked about implementing two-factor authentication, which Google uses to provide extra security for its users, although precious few people seem to use it apparently. There was no immediate response on the blog. It’s a fair question, and a simple ‘we’re looking into it – thanks for the great suggestion!’ would have gone a long way to help. By the end of the first week they had come out in public saying that this was now a top priority.

As of Friday 7th of March there has been no blog update or any further emails about the ‘event’. I appreciate they are no doubt busy trying to understand what happened. But it would make sense to create a new post explaining what they have subsequently done to improve security, answering some frequently asked questions, and defusing any ongoing comments. Having said that, the majority of comments and complaints dried up after two days, which is pretty good going frankly.

Reverse engineered strategy

Be honest, transparent, and really, really fast.


Empower your staff to:

  1. Establish and communicate the severity as best you know it – immediately (ideally via Twitter)
  2. Reiterate and reassure using language that is as human and as easy to understand as possible
  3. Allow people to comment where possible and have somebody standing by to answer questions. Don’t rise to unhelpful posts from disruptive folk, commonly known as trolls, and let the community help where it can
  4. Talk to the media – nothing is worse than radio silence to set off the blogosphere in an outburst of speculation and negativity
  5. Make sure channels internally and with your customers remain open – informing everyone what has happened, and why they should be cautious
  6. Provide additional guidance, e.g. restating common-sense password etiquette as it relates to the breach, in a practical and un-patronising way
  7. Make sure that you keep everyone up to date. Watch what questions they are asking, and create a crisis FAQ which responds to their actual questions, not your perception of what they might be
  8. In terms of perception, being slightly hacked is like being slightly pregnant: it’s pretty black and white. It happens, deal with it.
  9. If you are in management, ultimately it’s your responsibility to make sure it gets fixed. I’m afraid you can’t blame Robot and Andrew for that.
  10. Keep calm and carry on (and fix the hole)

So was Evernote’s response common sense, or a stroke of genius?

How else could they have handled it?

How would your organisation have dealt with this?

Does this count as a win, or a fail?

    • Tom
    • March 15th, 2013

    If you work for a large organization, I’d suggest making sure in advance that whoever responds to online complaints and questions has “clearance” to do so quickly – without having to get a lot of management approvals.

    • Absolutely (and you would know!). Twitter doesn’t wait for Monday morning staff meetings does it 😉
