I was on Twitter earlier and saw a few tweets from CK, asking some very common sense questions. Basically, she wanted to know why LinkedIn wasn’t making its users more aware of what happened with the recent security breach that resulted in millions of passwords from LinkedIn members being stolen, and also what LinkedIn was doing to correct the problem.
She’s exactly right. This morning, LinkedIn finally verified the security breach via a post on its blog. But if you go to LinkedIn’s site, there’s no mention of the issue (that I can see). So far there’s been no communication from LinkedIn to its members (LinkedIn has said it’s emailed the affected users to let them know to change their passwords).
But if LinkedIn can address the situation on its blog, why can’t it email its members to let them know what’s happening? This is Crisis Management 101: When there’s an issue like this, you communicate as soon as possible to those affected (hint: It’s ALL your members, not only those with stolen passwords), and let them know what has happened, and what steps are being taken to address and correct the situation.
Because if you don’t, you are sending a very bad message to your members. You are telling us that you only send us emails when it’s important, like when you want us to upgrade to a premium account, or update our profile, or connect our email address book to our account. But when it comes to our security, well, that’s not important enough to warrant a ‘personal’ email. As a result, we are finding out about this mess via the press, instead of via LinkedIn. See? In a crisis situation, we WILL find out the rest of the story; you can either tell us yourself in a proactive manner, or we’ll find out from other sources.
Trust is very hard to win, and incredibly easy to lose. Because of how LinkedIn has handled this situation, they are communicating to me that the site places its own self-interests above mine (all companies do, but don’t make it so obvious!). And to be fair, I totally get needing to do an internal investigation and understand exactly what the situation is before you comment publicly. My point is LinkedIn has ALREADY commented, on its blog. Guess what… not all of its members read its blog. If the company can email us with self-promotions, why can’t it email us to alert us to a situation that could affect our membership, and our online security?
There’s no reason why they can’t. And the fact that they are not speaks volumes.
Gigi Peterkin says
Mack –
I saw CK’s tweets as well – you were thoughtful enough about it to blog! I’m curious, did you tweet a link to this to LinkedIn or contact them at all? Have they responded? As a platform and service that’s trying to grow and become an indispensable social media tool, they need to take better care of all their members – it takes such little time to craft an email, and so much more to rebuild reputation.
Gigi
Mack Collier says
Gigi I didn’t contact @LinkedIn or tweet them about this. But they’ll see it, assuming they have someone monitoring for brand mentions 😉 It’s tough because I am constantly hearing from friends and peers that they can see value in LinkedIn, and are looking for ways to spend more time there. Episodes like this won’t help sell fence-sitters on the quality of the service.
CK says
Great post–thanks so much. I’m just baffled that I get weekly updates from LinkedIn (that I opt into) and emails on their new services/upgrades/apps.
But when my security is potentially breached?
I have to read about it in the NYTimes… not get comms from the company itself. It’s not enough to blog or tweet with a crisis, that’s not fair to valued members–you need to email them, tweet, blog, FB, YT and, yes, place a big URGENT MESSAGE with “read here” on the front page of your site letting users know (1) the situation, (2) what steps users need to take to protect their info, (3) what you’re doing to solve the issue and (4) where to go to get status updates. I swear this isn’t rocket science, it’s just good communications to valued members.
Thanks again for the good post 🙂
Mack Collier says
It’s a disconnect, isn’t it? And honestly, I don’t think LinkedIn realizes the message they are sending, but I think you were right, being proactive about alerting members about the breach also communicates that you care about them. Oh well, a chance to learn and improve for next time!
Monica Hall says
Your statement, “If the company can email us with self-promotions, why can’t it email us to alert us to a situation that could affect our membership, and our online security.” is the pivotal one.
LinkedIn has sadly committed the very error we all teach our social media clients NOT to make – namely, don’t just post to sell, build a relationship.
Knowing that LI can generate notices to everyone soliciting upgrades, as you said, but not something as grievous as security breaches, is disheartening to say the least.
Thank you for bringing this issue front and center, where it belongs!
Michele Price (@prosperitygal) says
Mack I agree it is not a good message, how is this different than all the hacking that happens via facebook?
Mack Collier says
Michele do you mean like the apps that spam our timelines, etc? I agree, Facebook should be more proactive in alerting us to how to block such apps, because we all pass around that information once we find it anyway.
But then again, they make money off those apps, don’t they? Again, is it better to put the users’ interests above or below that of the company?
Michele Price (@prosperitygal) says
SO again the people have the power but are afraid to wield it and LEAVE 😉
Mack Collier says
Ironically, CK left Facebook about 5 years ago because of how they were using advertising even back then. The rest of us just talk a good game 😉
Steve Revill says
Mack, thanks for a great post.
Sadly, many of the communications issues you pick up on are lessons that haven’t been learned from last year’s breaches (Sony, McKinsey, play.com) and I wrote about these back then (see http://steverevill.net/category/data-security/).
You’re spot on that Trust is so easy to lose. Like CK, I love LinkedIn but any business that fails to communicate clearly, promptly and comprehensively when something as sensitive as this arises shouldn’t be surprised when that trust begins to evaporate.
Thanks again for sharing!
Janice says
I agree Mack…. yesterday when I saw the news break on Twitter, I logged in to LinkedIn and changed my password. Of course, I am online far more than many of the folks who use LinkedIn so for two days now I’ve been receiving connection requests and thinking it’s likely some scummy hacker instead of people who I respect from a business standpoint. That bad taste has been in my mouth two full days and several times over as every time I saw something with LI, I have got to question it. It would be better to act sooner than later…. seems to me LI and all the others should have crisis plans on dealing with personal data being compromised and getting out quickly to say “the problem has been identified and we will be contacting those affected directly as soon as possible, with a message coming back to all the members once we have fully contained the situation” would be smart.
Kate says
Couldn’t agree more Mack – LinkedIn are more than happy to send us spammy emails the rest of the time (or even allow others to pay for the privilege) so there’s no excuse for not emailing about the security breach. I’ve spoken to a number of clients about it and not one of them were aware that they needed to change their password.
That said, as of this morning I am seeing an alert notice which comes up when you log in to LI, and sits near the top of the screen otherwise, which has a link to their blog with the info. So I guess they got there, but slowly – and that still doesn’t address the issue of infrequent users whose accounts have been compromised, as they won’t see the alert.
Mack Collier says
Kate you’re right, I see it as well now on the site. Popped up the last time I logged in.
DJ Waldow says
Email marketing is not dead! Great observation here Mack. I’m going to use this as an example in an upcoming presentation! Will give you full credit, of course.
DJ Waldow says
One more thing … any chance you have a copy of the email LI sent to those members who were impacted by the hack?
Mack Collier says
I do not, DJ. Thanks for the mention, good example of how email and social media can work together. Say, someone should write a book about that 😉
DJ Waldow says
Ha. Too bad the manuscript is done or else I would have added it!
tom martin says
Mack,
For once I have to disagree with you. When LinkedIn published the fact they had emailed affected users, they DID communicate with you by not sending you an email.
As soon as I saw that story and realized I hadn’t received an email — I relaxed and felt good knowing that my password had not been hacked.
Only something like 4% of LI’s base was affected so I can see where they’d not want to make a mountain out of a molehill by shining a big light on a subject that you as a user may or may not have been aware of in the first place.
We digitally connected folks often forget that just because we’re aware, that doesn’t mean the average user is aware — unless the story was in their local paper or on their local news, they very well could have missed it.
Had they blamed a glitch or some other such silly nonsense then I’d agree they might have a problem… but I think if we could jump forward in time about 90 days you’d find that precious few folks will even remember much less care (outside of the echo chamber).
@TomMartin
DJ Waldow says
Interesting point, Tom. This is one that’s talked about a ton within the email marketing industry, as it relates to “oopsie” emails.
In general, I agree with you. Why alert/worry EVERYONE if only a handful were impacted.
However, in this case, the news of LinkedIn’s password hack made mainstream news. Many people were wondering if their account had been compromised. If I were LinkedIn, I may have segmented the list:
A: Those who were impacted. Send them a ‘here’s what happened & here’s what you need to do’ email … as it sounds like they did.
B: Those who were NOT impacted. Send them an email saying that “You may have heard the news … we are in the process of looking into it … read more on our blog (link) … in the meantime, to be on the safe side, we recommend changing your password … here is how.”
My 4 pennies.
Mack Collier says
Tom I agree with you, this likely won’t be much of an issue for anyone other than the few power LI users. My point was that they could have leveraged this as a way to communicate to ALL their users about how to make their LinkedIn account more secure, plus educate us ALL on online safety.
They could have sent the affected users an email saying something like: “As you might be aware, a small percentage of LinkedIn’s user accounts were recently compromised due to attacks from hackers (word this part differently if necessary). Thankfully, your account is in the vast majority of LinkedIn accounts that’s unaffected. Still, since the safety of your LinkedIn account is of utmost importance to us, we thought this would be a great time to review the things that you can do to make your LinkedIn account more secure, as well as all your online accounts!”
Something like that lets us know what’s happening, puts our mind at ease, and then also creates value for us by teaching us how to be more secure online. Let’s be honest, no matter HOW big this story got, most of us would have all moved on in a few days. Even if every LinkedIn user’s password had been stolen, we’d probably be ready to move on after a few days.
I think when there’s a crisis situation and those affected (or potentially affected) are getting their information from everyone other than the company or organization at the center, then that’s bad. Why let everyone else tell your story for you, especially in a crisis situation?
DJ Waldow says
Ha. I think you and I were typing our replies at the same time, Mack. Similar answers!
Take THAT Tom. Just kidding. You really do bring up a great point.
Mack Collier says
I got lucky, I’m just glad our comments were only a minute away so it doesn’t look like I copied you 😉
tom martin says
DJ and Mack,
A great point that you both make — segmented emails to entire base with proper instructions certainly could have positive short and long-term marketing implications. For the non-affected user, could be a good place to ensure the RIGHT info made its way to them vs allowing the media, bloggers, etc to carry that message — which allows for distortion.
Guess the bigger question is how many of non-heavy LI users actually saw those news stories. After all — just because a paper or TV show reports something, doesn’t actually mean the readers/viewers see it.
Something to ponder over coffee this am.
Tom
DJ Waldow says
As it turns out, not only am I pondering this over coffee right now … as I type this … I’m actually blogging about it. Will let you guys know when she’s live. Great conversation.
Mack Collier says
Ok I have a question: Would our opinions toward LinkedIn in this situation change if they had several members of their social media team constantly connecting with customers, say like Dell does? IOW, if LinkedIn had been more progressive in the past in using social media to reach to its users, would we have given them a pass?
I ask because I caught myself a few times commenting on this issue and adding ‘but I still think Mario Sundar is awesome!’ If we had all personally connected on a regular basis with say 4 other members of LinkedIn’s social media team besides Mario, would we be more willing to give LinkedIn a bit of a pass on episodes like this?
Devil’s advocate, but I think we would, even if we didn’t realize it. What do you think?
DJ Waldow says
Short answer: No. Remember how many people actually spend time on Twitter and Facebook (especially with brands). The numbers PALE in comparison to email. The chances are MUCH higher that the “average” LinkedIn member is going to see an email vs. a FB post or tweet.
DJ Waldow says
As promised …
http://waldowsocial.com/linkedin-emailed-members-security-breach/
Thanks for inspiring this post, Mack and Tom.
Tarun Gehani says
I also found it strange that they didn’t send out an email to members notifying us of the security breach and how to make our accounts more secure. I mean, most of it is common sense to a lot of readers here, but even if you weren’t directly affected in terms of your account being compromised, I think LI owes it to us to inform us of the situation. I read about it online somewhere and then saw a news story about it on the nightly news. Definitely when it goes on television do I expect LI to issue some sort of statement (and not just on their blog). Anyways, just my opinion. Plus the fact that they sent me an email giving a free month of Linkedin premium (but no alert to the hacked passwords).