Last week, on March 2nd 2013, popular cloud-based filing cabinet service Evernote announced a system hack and required all of its users to reset their passwords. I’m an Evernote user and I’m happy with how Evernote dealt with their system being compromised. I want to highlight four non-technical things that they did in response to this incident that should be kept in the back of your mind just in case you ever have to handle a response to a hack like Evernote did. In a nutshell, they:
- Erred on the side of security
- Weren’t shy and announced the hack quickly
- Sent a brief and informative email that didn’t fall into SPAM like behavior
- Limited confusion by placing a notice about the hack front and center on their website
That is it! I’m setting the bar low here, but most companies fail in their responses to hacks like this. They misinform, delay, and hide. I commend Evernote for doing better than the rest.
Err On The Side Of Security
The Evernote hack allowed attackers to get encrypted passwords, account names, and email addresses, but not user data. So, even though the passwords were encrypted, Evernote required users to reset their passwords. This may have been annoying to Evernote users, but it rightfully errs on the side of security.
This was very inconvenient for me! I use Evernote with some of my other cloud services, on smartphones, tablets, and multiple computers. I have to fix the password in all of those locations to get the applications working again, but it is worth it to know that my data is secure. I would want them to do it again if they had to.
Their Quick Announcement
When they noticed the system compromise they went into action, dealt with the issue, and made a public announcement quickly. This gives them credibility and gives me confidence that they will let me know in the future if something were to happen again.
Informative But Not Spammy
I got two emails related to this event. One announcing the need to reset the password to my account and one letting me know that the password had been reset once I reset it.
The email announcing the need to reset my password is partially displayed in the image at the beginning of the article. You can see that they explain the situation clearly and avoid the tech speak as much as possible. They also don’t fall into the trap of “Click here to reset your password”. They knew that if they did that they would be training their users to trust emails that ask you to do that, which next time may not be from you but may actually be spam. Can you get mad at your employees or clients if they click on the spam link? If you send messages out with “change password” links in them you are teaching them that it is okay to clickity, click-click-click…
The second email came after I reset my password. It announced the fact that the password had been changed and gave me an opportunity to un-change it if I wasn’t the one to change it in the first place. Just in case the hacker got there first. Again, this instills confidence in me when it comes to their brand and the safety of my data.
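The two decisions described above (forcing a reset on every account even though only hashed passwords leaked, and following a password change with a notice that lets the real owner undo it) map onto a small amount of account-service logic. The model below is an added example and is not Evernote’s code; the account store, the `must_reset` flag, the one-day revert window and the notice wording are all assumptions made here to illustrate the flow: a forced reset revokes existing sessions and blocks login until a new password is set, the notice contains no link to click, and a change hands back a time-limited, single-use revert token that restores the previous credential and forces a fresh reset.

```python
"""Breach-response password reset flow (constructed example, not Evernote's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

REVERT_WINDOW_SECONDS = 24 * 3600  # assumption: the "undo this change" token lives one day


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash; the leaked "encrypted passwords" in the post are assumed to look like this.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    email: str
    pw_hash: bytes
    salt: bytes
    must_reset: bool = False                 # set for every account after the breach
    sessions: Set[str] = field(default_factory=set)
    previous: Optional[Tuple[bytes, bytes]] = None  # (hash, salt) kept so a change can be undone
    revert_token: Optional[str] = None
    revert_expires: float = 0.0


class AccountStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(email, hash_password(password, salt), salt)

    def _check(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))

    def login(self, email: str, password: str) -> Tuple[str, Optional[str]]:
        """Returns (status, session_token). A correct password is not enough while a reset is pending."""
        acct = self.accounts[email]
        if not self._check(acct, password):
            return ("bad_credentials", None)
        if acct.must_reset:
            return ("reset_required", None)
        token = secrets.token_urlsafe(16)
        acct.sessions.add(token)
        return ("ok", token)

    def session_valid(self, email: str, token: str) -> bool:
        return token in self.accounts[email].sessions

    def force_reset_all(self) -> None:
        """Breach response: every account must pick a new password; live sessions are revoked."""
        for acct in self.accounts.values():
            acct.must_reset = True
            acct.sessions.clear()

    def reset_notice(self, email: str) -> str:
        """Notification text with no link, so users are not trained to click 'reset' links in mail."""
        text = (
            f"To {email}: as a precaution after a security incident we have reset your password. "
            "Open the application or type our address into your browser yourself and sign in "
            "with your old password to choose a new one. We will never send you a link for this."
        )
        assert "http" not in text.lower()  # guard against someone adding a link later
        return text

    def change_password(self, email: str, old: str, new: str, now: float) -> Optional[str]:
        """Sets a new password, revokes sessions and returns the revert token for the follow-up mail."""
        acct = self.accounts[email]
        if not self._check(acct, old):
            return None
        acct.previous = (acct.pw_hash, acct.salt)
        salt = secrets.token_bytes(16)
        acct.pw_hash, acct.salt = hash_password(new, salt), salt
        acct.must_reset = False
        acct.sessions.clear()
        acct.revert_token = secrets.token_urlsafe(16)
        acct.revert_expires = now + REVERT_WINDOW_SECONDS
        return acct.revert_token

    def revert_change(self, email: str, token: str, now: float) -> bool:
        """Undo a change the owner did not make: restore the old hash, but force a fresh reset
        because whoever changed it knew the old password too."""
        acct = self.accounts[email]
        if acct.revert_token is None or acct.previous is None or now > acct.revert_expires:
            return False
        if not hmac.compare_digest(acct.revert_token, token):
            return False
        acct.pw_hash, acct.salt = acct.previous
        acct.previous, acct.revert_token = None, None
        acct.sessions.clear()
        acct.must_reset = True
        return True
```

The revert path deliberately does not simply put the account back the way it was: after an unauthorised change the old password must be treated as known to the attacker, so the owner is dropped back into the same forced-reset state the breach itself created.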
Limited Confusion By Putting Proof on Their Page
On top of the email notification to their users about their decision to do a password reset on all accounts, Evernote also put the notice front and center on their main webpage. This is really part of not being ashamed and hiding. In the past, I’ve seen companies bury this information in a blog post, or in very small text under the login page. Here, Evernote shows they are more concerned about getting this right, securing your account, and informing you of the incident than they are about potentially scaring off new clients.
I know I come off all rosy toward Evernote in this article. My intent isn’t to bat my eyelashes at Evernote but rather to give them a pat on the back for the way they dealt with this crisis and to remind myself that I can learn from their behavior.
If you are ever in this unfortunate position, do the right thing and don’t worry about PR. Keep your current clients safe and you will be better off long term. Security breaches happen; show people you can handle them without fear by quickly responding to the incident, announcing it clearly, and eliminating confusion with a banner on your site, and you will be rewarded for it.
What do you think? Did Evernote do the right thing? Was their response measured correctly or did they overstep?