Should LinkedIn Have Emailed Members About Its Security Breach?

In case you missed the news last week, LinkedIn’s site was breached and more than six million of its customers’ passwords were stolen.

I read about the news first on Twitter, then confirmed it through a series of articles and blog posts from reputable sites. There was even a healthy discussion about it on the Only Influencers email list, including some suggestions from my online security friends about how to check and see if your password was compromised.

The first thing I did was to change my LinkedIn password. By the way, if you haven’t done that yet … now is a good time (Mashable explains how to here).

A few of the tweets I saw and email conversations I had pointed to the LinkedIn blog. Its first blog post acknowledging the possibility of a data breach was very well written (read it here). They told members they were looking into the possible breach and directed folks to follow the process by “following us on Twitter @LinkedIn and @LinkedInNews.” They also took the opportunity to remind members about online security and privacy:

…one of the best ways to protect your privacy and security online is to craft a strong password, to change it frequently (at least once a quarter or every few months) and to not use the same password on multiple sites.

Later that day, LinkedIn confirmed that passwords were stolen. Again, I thought the blog post was well-written. It was direct, to the point, and apologetic. Sure, they could have used a better word than “inconvenience” (“We sincerely apologize for the inconvenience this has caused our members.”), but still pretty good.

Then, I read this Mack Collier blog post, Why Isn’t LinkedIn Proactively Alerting Members to its Security Breach?

I’d encourage you to take a few minutes to read the post. Mack makes some excellent points about how LinkedIn communicated the breach as well as suggestions for how they could have done it better. As an email marketing guy, this statement from Mack jumped out at me:

But if LinkedIn can address the situation on its blog, why can’t it email its members to let them know what’s happening? … Because if you don’t, you are sending a very bad message to your members. You are telling us that you only send us emails when it’s important, like when you want us to upgrade to a premium account, or update our profile, or connect our email address book to our account.  But when it comes to our security, well that’s not important enough to warrant a ‘personal’ email.

Spot on.

As it turns out, LinkedIn did email its members; however, only those who were impacted by the data breach. Check out the email below (thanks to Peter Ghali for forwarding me a copy).

What a great email! It explained the situation and clearly outlined the necessary steps to reset the password. Yet again, this was only sent to those members who were affected by the data breach.

Why didn’t LinkedIn send an email to all members alerting them of the data breach? Here is what one commenter (and good friend), Tom Martin, had to say:

For once I have to disagree with you. When LinkedIn published the fact they had emailed affected users, they DID communicate with you by not sending you an email.

As soon as I saw that story and realized I hadn’t received an email — I relaxed and felt good knowing that my password had not been hacked.

Only something like 4% of LI’s base was affected so I can see where they’d not want to make a mountain out of a molehill by shining a big light on a subject that you as a user may or may not have been aware of in the first place.

We digitally connected folks often forget that just because we’re aware, that doesn’t mean the average user is aware — unless the story was in their local paper or on their local news, they very well could have missed it.

Had they blamed a glitch or some other such silly nonsense then I’d agree they might have a problem… but I think if we could jump forward in time about 90 days you’d find that precious few folks will even remember much less care (outside of the echo chamber).

While I agree with Tom that sending an email to the entire LinkedIn membership when only a small fraction were impacted by the security breach would have been making “a mountain out of a molehill,” I still think they could have communicated to all members.

In the email marketing world, this is a topic we discuss often. In many ways it’s similar to how marketers handle an email “oopsie” – one that does not impact all email subscribers. Is it worth sending an apology email to your entire database or only to those impacted? The answer is not that black and white. My general stance is: why alert/worry everyone if only a handful are impacted by the error? (And yes, I realize that this data breach was more egregious than an “oopsie” or error.)

However, in this case, the news of LinkedIn’s password hack made mainstream news. Many people were wondering if their account had been compromised. If I were LinkedIn, I would have sent an email to all members, but segmented it as follows:

Those who were impacted (Segment A): Send them a “here’s what happened & here’s what you need to do email” – very similar to what they did. See example above.

Those who were NOT impacted (Segment B). Send them an email saying that “You may have heard the news … we are in the process of looking into it … read more on our blog (link) … in the meantime, to be on the safe side, we recommend changing your password … here is how.” In fact, I would have pretty much copy/pasted this LinkedIn blog post, Updating Your Password on LinkedIn and Other Account Security Best Practices, into the email.

My question is this: Did LinkedIn choose to intentionally NOT send an email to those members who were not impacted by the data breach? When the news broke, did its marketing team discuss the options of how best to communicate it? My bet is that yes, they did have a conversation. I also believe they talked about how to leverage the email list to communicate.

If this were you … if this data breach happened at your company and impacted your membership, how would you have communicated the news? Would you have gone the route of LinkedIn and only emailed those members who were affected or would you have taken a similar approach to the one I suggested and segment your list and communicate to all members?

Do you have a “Crisis 101” email marketing plan in place?

I’d love to hear your thoughts in the comments below.

Cheers.
DJ Waldow

——

Did you know? Jason Falls and I just wrote a new book about breaking the rules of email marketing! In the book, we talk about ways to grow your email list AND break some rules along the way. We also dedicate a section to “the power of pairs” – using email marketing and social media together. In The Rebel’s Guide to Email Marketing: Grow Your List, Break the Rules, and Win, we share with you all sorts of email marketing “best practices” individuals and companies are breaking each and every day … and still finding success.

PRE-ORDER YOUR COPY NOW!

12 comments
martinlieberman

I agree that you never want to make a mountain out of a molehill, especially when customer data is concerned. But given how widespread this news was reported, I think an email would have helped the situation, even if was just to assure people that their info was not affected -- but that it would be a good idea to change their password anyway. 


The news cycle moved quickly, as it always does, and sure, the people who didn't know about the breach may not care about their presence on LinkedIn anyway, but back to Mack's point in his email and his comment below ... It speaks more to the LinkedIn brand and what it values. I'd like to know that LinkedIn has my back when it comes to my data -- and my career prospects. That shouldn't be too much to ask.


Basically, what it comes down to is that I agree with you here, DJ.

djwaldow moderator

 @martinlieberman Thanks for the comment. FWIW, I agree with you. Then again, since you agree with me, my agreeing with you is pretty much pointless and redundant.

djwaldow

@martinlieberman @LinkedIn I think so too. Curious why you do. Comment?

TomMartin

DJ


First -- agree, everyone should read the @mackcollier post, which is great and the comments (some of which you've brought over here) just make it even better. As I noted in my follow up comment over there -- you and Mack both have a great point re: emailing the membership. I guess my comment was more to the devil's advocate position and to remind folks in the echo chamber that just because you "can" doesn't mean you "should" do anything.


Far too often I think you see knee jerk reactions to these types of incidents... but the truth is that as a publicly traded company LI has to think through the REAL situation, not just the one the blogs present. To see what I mean, go to Google and search "+linkedin hacked" and limit your search to news in the last 24 hours. You won't find much. The news cycle is closed, so the non-connected consumer (the vast majority) have probably already forgotten about the story (if they ever knew in the first place). So if I was counseling LinkedIn I could very easily make an argument for AND against sending non-affected members emails about the situation. It's also important to note that when you log in to LI -- affected or not -- you get a message about the situation and a link to change your password. So even for those of us that didn't get an email, LI is communicating to us... just in a more passive (if that's the right word) manner.


As you note - I'm sure those conversations took place and there were very good reasons for the response LI deployed.


AdamBritten

 @TomMartin  @mackcollier  Agreed - when you logged-in, you were communicated to. And if you didn't log in, that means you probably didn't hear about the story, so you probably didn't need to be messaged to. I personally think they did enough, especially because even if they sent an email, most people wouldn't have read it anyway.

djwaldow moderator

 @AdamBritten  @TomMartin  @mackcollier Yeah. I didn't realize they had that messaging when a member logged in. Still, I think it was a great opportunity to send an email to all members, if only to remind them about security / password stuff.


Why do you say " even if they sent an email, most people wouldn't have read it anyway." ???

djwaldow moderator

 @AdamBritten  @TomMartin  @mackcollier Got it. A few questions: If you delete all email from LinkedIn, why don't you just unsubscribe? Also, we don't really know what LinkedIn's typical open rates are. We'd both really just be speculating. Right? 


Bottom line - to me - is that it's *usually* better to over-communicate (to cover all bases) than to under-communicate. What if you didn't read the blog post, see the tweet, watch the news? Sure, I get that they put a notice once you logged into LI, but what if you didn't login for a week or so?

AdamBritten

 @djwaldow  @TomMartin  @mackcollier I know plenty of people who ignore emails unless they are from work or a close friend (and even then still ignore them.) I can't even say for sure that I would have opened an email from LinkedIn myself, since I usually delete any coming from them. Just saying they would have had a low open rate, and then people would still be asking "did they do enough."

djwaldow moderator

"the truth is that as a publicly traded company LI has to think through the REAL situation, not just the one the blogs present." <--- Excellent point, @TomMartin . Also, good point about what happens when you login to your LinkedIn account. I was not aware that messaging was there.


I would have loved to be in the room when the discussion about WHO to email came up...


Thanks, as always, for your comments!

MackCollier

 @TomMartin  And now I'll play devil's advocate to your devil's advocate ;)  If people do move on quickly to the next hot story, would that have meant that people would have moved on even IF a lot more LinkedIn users (especially those not directly affected) were suddenly made aware of this situation?


I look at this as a benefit/risk comparison.  Is the risk of making this story bigger worth the benefit that LI's users would appreciate knowing about the situation?  Or to ask it another way, how did LI's users feel about the service BEFORE this episode?  I have heard many friends tell me something along the lines of 'I think LinkedIn has potential value, but I can't seem to find time to spend there'.  


I just wonder if an episode like this is handled incorrectly, does a user that was already on the fence about using the site to begin with, does this push them off the fence about being there at all?


I do know this, I feel less confident today that LinkedIn takes the security of my account seriously, than I did a week ago.  

djwaldow moderator

 @MackCollier  Interesting. To me, this line of thinking is analogous to a company proactively contacting a client who is not really using its service, asking them how they can help. The client, in turn, may all of a sudden realize they are paying for something they are not using.  This can either lead them to cancel (oops) or re-engage them.


Tough call!


Thanks again for your original blog post. I love when one blog post inspires another!