
Customers unable to use contactless payments to buy goods or collect items bought with click and collect services.

This is not just any cyber crisis, it is an M&S Easter cyber crisis.

The leading high street retailer has spent the Bank Holiday managing a “cyber incident”.

While the company has kept stores open and its website and mobile app have worked normally, customers have endured a frustrating time over one of the busiest shopping periods of the year.

The FTSE 100 giant has not disclosed the nature of the incident but says it was “necessary to temporarily make some small changes” to store operations to “protect” customers.

As you would expect for an incident involving such a well-known brand, the crisis has generated plenty of media coverage.

CASH ONLY M&S reveals cyber ‘incident’ which triggered crippling IT outage is STILL ongoing
The Sun
Marks & Spencer apologises after cyber attack left shoppers unable to pay
The Telegraph
Marks & Spencer cyber incident causes contactless payment chaos and online order issues
Mirror
Cyber attack on M&S leads to click and collect delays
BBC News
M&S apologises after ‘cyber incident’ hits contactless payments and online orders
The Guardian
Marks and Spencer says 'cyber incident' has hit stores after admitting major services were still down
Daily Mail

So, how has M&S handled the crisis media management of the incident?

There have been two main parts.

An email sent to customers that has also been shared on some social media channels, and a notice to investors.

The email sent from CEO Stuart Machin.

What do you think?

I like this approach to crisis comms with the message coming from the boss.

As we stress during our crisis communication training, it helps to show visible leadership.

And it creates the impression the incident is being taken seriously.

I also like the simplicity of the “We have been working with the best experts to manage this” and “there is no need for you to take any action at this time” lines.

It is worth noting that in the notice to investors, the ‘experts’ part is worded more formally. It said: “The Company has engaged external cyber security experts to assist with investigating and managing the incident.”

Most customers don’t need lots of technical information or formal language. They want to know the company is doing everything possible to quickly get things back to normal. And they want to feel reassured their information is safe.

So, some strong parts to the response. But there is also room for improvement.

The “sorry if you experienced any inconvenience” grates.

It seems clear customers have been inconvenienced by this incident – there are many posts on social media highlighting the problems it has caused. So, apologise.

An apology must reflect sincerity, honesty and empathy if it is going to resonate. Words like ‘if’ and ‘any’ remove those sentiments and can make apologies feel forced.

During our crisis communication training, we recommend that ‘sorry’ is the first word used in responses where an apology is needed.

To see what that looks like in action, M&S needs to look no further than one of its rivals.

When an ‘overnight software update’ caused contactless payments issues at Sainsbury’s last year, an email from CEO Simon Roberts began with an apology.

He said: “I want to apologise to you and every customer that has been affected by the issue and to thank you for your patience and for bearing with us.

“I really understand how important it is for everyone to be able to shop with us conveniently and easily, whenever and however you want to, and I am sorry if you have not received your usual service from Sainsbury’s this weekend.”

There are also questions about whether M&S should have responded more quickly and widely.

The email to customers was sent on Tuesday.

But social media suggests shoppers experienced problems throughout the weekend.

People have posted about being unable to make contactless payments, abandoning shopping at the tills and making trips to get parcels they could not retrieve.

Those posts have been responded to by the store’s hard-working social media team.

But other than those replies, there appears to have been little public acknowledgement of the issue until the end of the Easter bank holiday.

In some posts, the store said staff were advising customers about issues at shop entrances. But that feels too late. Why not post on social media and try to prevent people from making wasted journeys?

 

The incident is yet another reminder of the growing threat cyber-attacks and IT outages pose to organisations.

Insurer Howden says cyber attack incidents have cost UK businesses £44bn in the last five years.

Barclays has said it will pay up to £7.5 million in compensation to customers after a three-day IT outage earlier this year meant more than half of its payments failed.

The Lloyds Bank and Halifax apps went down at the end of February, impacting payday payments.

And supermarket Morrisons apologised after IT issues impacted online orders and discounts just days before Christmas.

As well as the financial costs, the fragility of IT systems poses massive reputational risks with the potential for widespread headlines and critical social media posts.

So, how would you respond if your IT systems went down? Would you be able to communicate quickly and inform and reassure your customers?

Are cyber attacks and IT failures in your crisis plan? Are you confident the plan works?

And would it work over a bank holiday weekend?

If we have learnt one thing from the M&S Easter incident, it is that cyber criminals don’t take time off.

 

Media First are media and communications training specialists with nearly 40 years of experience.

We have a team of trainers, each with decades of experience working as journalists, presenters, communications coaches and media trainers.
