How did Evernote handle its hacking crisis?

By Jon Bains

March 8, 2013

Leadership in this digital age comes with plenty of new challenges. Business decisions that in the past would have been easy to predict and manage have become a lot more complex in the ‘always on’ world we now live in.

Hacking victim: Evernote

‘We won't make a drama out of a crisis.’ Well, you might not, but consumers can and will, given half a chance. Social media has not only made it easy for us to engage our customers; it has also made it easy for them to tell us, and everyone else, what they think. Especially when things go wrong.

Over the coming weeks we will try to reverse engineer the reasoning behind some of these crisis management decisions and, with your help, look at whether the approach stands up to scrutiny and what we can learn from it.

So You’ve Been Hacked

What's the story?

Hacking is one of the most misused and ubiquitous terms on the net. There are plenty of reasons why people do it, and not all of them are malicious. However, last weekend one of the more respected online services, Evernote, was 'properly' hacked, and hence is as good a place to start as any. Nobody, barring the hackers themselves, knows the exact scope of the damage, but from reading the company’s response it sounds like a significant amount of data was acquired, which matters all the more since we (as a whole) still tend to use the same passwords for multiple online services.

Before going public, management were faced with some difficult decisions. How do we:

• Be open, but prevent panic

• Lose as few customers as possible

• Prevent long-term damage to brand

What went well?

On March 2 at 6am, Evernote tweeted a link to a post that explained clearly and concisely that they had been hacked and why they were taking precautions, and threw in a bit about best practice when it comes to creating passwords. Within 24 hours they had updated their apps (at least the Apple iOS app) to focus everyone on resetting their password. And they have for the most part been open, upfront and conciliatory.

As you can imagine, there were a fair number of irate folk on their site. A nice chap called Andrew from Evernote carefully explained what was happening and was attentive when responding to users. Meanwhile co-worker Stefanie, who would probably have failed the Turing test, simply repeated the same statement ad nauseam.

About 10 per cent of the posts on the blog were 'stop whining they are doing their best'.

About 30 per cent complained they didn't get the notification email because they no longer had access to the email account they used to sign up with the service! While some folk might have been less diplomatic (including me), many of Evernote’s supporters redirected the hard of thinking to the company’s support page.

The rest were split between helpful suggestions and 'I'll never use you again'.

What could have been handled better?

There was no communication on the Evernote homepage itself (and if there was, the users certainly didn't find it). That's a no-brainer: it costs nothing to do and saves a lot of aggravation from those whose sole purpose in life is to complain. There is currently a reference to the original email, but it talks about ‘resetting your password’ as opposed to ‘we’ve been breached, find out more’.

Initially many users asked about implementing two-factor authentication, which Google uses to provide extra security for its users, although precious few people seem to use it, apparently. There was no immediate response on the blog. It's a fair question, and a simple 'we're looking into it - thanks for the great suggestion!' would have gone a long way. By the end of the first week they had come out in public saying that this was now a top priority.

As of Friday 7 March there has been no blog update or any further emails about the 'event'. I appreciate they are no doubt busy trying to understand what happened. But it would make sense to create a new post to explain what they have subsequently done to improve security, answer some frequently asked questions, and actually defuse any ongoing comments. Having said that, the majority of comments and complaints dried up after two days, which is pretty good going frankly.

Reverse engineered strategy

Be honest, transparent, and really, really fast.


Empower your staff to:

1) Establish and communicate the severity as best you know it – immediately (ideally via Twitter)

2) Reiterate and reassure using language that is as human and as easy to understand as possible

3) Allow people to comment where possible and have somebody standing by to answer questions. Don't rise to unhelpful posts from disruptive folk, commonly known as trolls, and let the community help where it can

4) Talk to the media - nothing is worse than radio silence to set off the blogosphere in an outburst of speculation and negativity

5) Make sure channels internally and with your customers remain open - informing everyone what has happened, and why they should be cautious

6) Provide additional guidance, e.g. restating common-sense password etiquette as it applies to the breach, in a practical and unpatronising way

7) Make sure that you keep everyone up to date. Watch what questions they are asking, and create a crisis FAQ which responds to their actual questions. Not your perception of what they might be

8) Being slightly hacked is like being slightly pregnant: it’s pretty black and white. It happens, deal with it.

9) If you are in management ultimately it's your responsibility to make sure it gets fixed. I’m afraid you can’t blame Robot and Andrew for that.

10) Keep calm and carry on (and fix the hole)

So was Evernote’s response common sense, or a stroke of genius?

How else could they have handled it?

How would your organisation have dealt with this?

Does this count as a win, or a fail?
