Hackers are very motivated set of people. Whether they’re criminals or security researchers, they love nothing more than finding flaws in your online service and letting the world know about it, especially if you don’t respond in what they consider to be a timely fashion to any disclosure they make.
In a recent and well publicized breach of security, 4.6 million SnapChat user’s phone numbers and usernames were published on the web. SnapChat is a photo sharing service with a spin, allowing the shared images to viewed for a limited amount of time before they are deleted. SnapChat has seen astonishing growth over the last year, and the company’s confidence is high — they turned down a $3 billion purchase offer from Facebook a few weeks ago.
Unfortunately, they didn’t handle the security breach well from a public relations perspective. Firstly, they were warned in advance of the vulnerability in their API, and while they acknowledged the possibility of an exploit, they didn’t do much to fix it. When the vulnerability was duly exploited, they once again released a statement acknowledging it and attempted to reassure users that they were working on fixing the problem.
The problem is that to an ordinary user, the statement isn’t very reassuring at all, especially for non-technical users who have no clue what rate-limiting an API might mean for them.
From the perspective of the founders and their technical staff, the release probably seemed more than adequate. It contained enough information for a technically adept user to determine what happened and what the company was doing to mitigate the risk, but what it didn’t contain was an apology for losing the data in the first place. It also appeared to blame the leak on the research team that identified the issue and published details of the SnapChat API.
There are two major PR faux pas here. The first is the avoidance of an apology. Now, to the less touchy-feely and more technically inclined individual, an apology might seem superfluous once acknowledgment of the problem and a commitment to fix it has been made. But a different approach is required when dealing non-technical users. They expect a mea culpa and an apology.
The second mistake is to blame the hackers. Hackers are a fact of life. Blaming hackers is like blaming the sky for raining instead of acknowledging that you should have brought an umbrella.
A statement that is perfectly acceptable if you’re Linus Torvalds acknowledging a problem on the Linux mailing lists or if you’re a lawyer trying to limit liability isn’t going to get the job done when the aim is to reassure users. They don’t want to see a company offering detailed technical explanations, and they certainly don’t want to see them trying to pin the responsibility elsewhere. They entrusted their data to a service, and if that data leaks they hold the service responsible.
The tech media knows this, which is why there has been a long news cycle of articles commenting on the failure of SnapChat to apologize. If they had apologized, the story would be “Whoops, silly SnapChat screwed up, but they’re putting it right.” Without an apology, the media response is “Arrogant SnapChat screwed up, failed to accept responsibility, and didn’t say sorry.”
For anyone who runs a web service, the lesson here is that if you lose your user’s data, an apology will go a lot further towards reassuring them than a terse technical response.