In case you missed the news last week, LinkedIn’s site was breached and more than six million of its customers’ passwords were stolen.
I read about the news first on Twitter, then confirmed it through a series of articles and blog posts from reputable sites. There was even a healthy discussion about it on the Only Influencers email list including some suggestions from my online security friends about how to check and see if your password was compromised.
The first thing I did was to change my LinkedIn password. By the way, if you haven’t done that yet … now is a good time (Mashable explains how to here).
A few of the tweets I saw and email conversations I had pointed to the LinkedIn blog. Its first blog post acknowledging the possibility of a data breach was very well written (read it here). They told members they were looking into the possible breach and directed folks to follow the process by “following us on Twitter @LinkedIn and @LinkedInNews.” They also took the opportunity to remind members about online security and privacy:
…one of the best ways to protect your privacy and security online is to craft a strong password, to change it frequently (at least once a quarter or every few months) and to not use the same password on multiple sites.
Later that day, LinkedIn confirmed that passwords were stolen. Again, I thought the blog post was well-written. It was direct, to the point, and apologetic. Sure, they could have used a better word than “inconvenience” (“We sincerely apologize for the inconvenience this has caused our members.”), but still pretty good.
Then, I read this Mack Collier blog post, Why Isn’t LinkedIn Proactively Alerting Members to its Security Breach?
I’d encourage you to take a few minutes to read the post. Mack makes some excellent points about how LinkedIn communicated the breach as well as suggestions for how they could have done it better. As an email marketing guy, this statement from Mack jumped out at me:
But if LinkedIn can address the situation on its blog, why can’t it email its members to let them know what’s happening? … Because if you don’t, you are sending a very bad message to your members. You are telling us that you only send us emails when it’s important, like when you want us to upgrade to a premium account, or update our profile, or connect our email address book to our account. But when it comes to our security, well that’s not important enough to warrant a ‘personal’ email.
As it turns out, LinkedIn did email its members; however, only those who were impacted by the data breach. Check out the email below (thanks to Peter Ghali for forwarding me a copy).
What a great email! It explained the situation and clearly outlined the necessary steps to reset the password. Yet again, this was only sent to those members who were affected by the data breach.
Why didn’t LinkedIn send an email to all members alerting them of the data breach? Here is what one commenter (and good friend), Tom Martin, had to say:
For once I have to disagree with you. When LinkedIn published the fact they had emailed affected users, they DID communicate with you by not sending you an email.
As soon as I saw that story and realized I hadn’t received an email — I relaxed and felt good knowing that my password had not been hacked.
Only something like 4% of LI’s base was affected so I can see where they’d not want to make a mountain out of a molehill by shining a big light on a subject that you as a user may or may not have been aware of in the first place.
We digitally connected folks often forget that just because we’re aware, that doesn’t mean the average user is aware — unless the story was in their local paper or on their local news, they very well could have missed it.
Had they blamed a glitch or some other such silly nonsense then I’d agree they might have a problem… but I think if we could jump forward in time about 90 days you’d find that precious few folks will even remember much less care (outside of the echo chamber).
While I agree with Tom that sending an email to the entire LinkedIn membership when only a small fraction were impacted by the security breach would have been making “a mountain out of a molehill,” I still think they could have communicated to all members.
In the email marketing world, this is a topic we discuss often. In many ways it’s similar to how marketers handle an email “oopsie” – one that does not impact all email subscribers. Is it worth sending an apology email to your entire database or only those impacted? The answer is not that black and white. My general stance is why alert/worry everyone if only a handful are impacted by the error (and yes, I realize that this data breach was more egregious than an “oopsie” or error).
However, in this case, the news of LinkedIn’s password hack made mainstream news. Many people were wondering if their account had been compromised. If I were LinkedIn, I would have sent an email to all members, but segmented it as follows:
Those who were impacted (Segment A): Send them a “here’s what happened & here’s what you need to do email” – very similar to what they did. See example above.
Those who were NOT impacted (Segment B): Send them an email saying that “You may have heard the news … we are in the process of looking into it … read more on our blog (link) … in the meantime, to be on the safe side, we recommend changing your password … here is how.” In fact, I would have pretty much copy/pasted this LinkedIn blog post, Updating Your Password on LinkedIn and Other Account Security Best Practices, into the email.
My question is this: Did LinkedIn choose to intentionally NOT send an email to those members who were not impacted by the data breach? When the news broke, did its marketing team discuss the options of how best to communicate it? My bet is that yes, they did have a conversation. I also believe they talked about how to leverage the email list to communicate.
If this were you … if this data breach happened at your company and impacted your membership, how would you have communicated the news? Would you have gone the route of LinkedIn and only emailed those members who were affected or would you have taken a similar approach to the one I suggested and segment your list and communicate to all members?
Do you have a “Crisis 101” email marketing plan in place?
I’d love to hear your thoughts in the comments below.