Communicating in a crisis: Lessons from the supermarket cyber attacks
In the last few months we’ve seen some of the biggest and most beloved British brands - including M&S, Harrods and Co-op - hitting headlines as they’ve fallen victim to cyber attacks, resulting in months of disruption, hundreds of millions of pounds of damage, and significant reputational consequences.
This is not uncommon. Data published by the UK government revealed that just under half (43%) of UK businesses experienced a cyber security attack or breach within the last year. So, it’s no surprise that there’s a growing fear among business leaders, with almost three quarters (73%) concerned that a cyber security incident may disrupt their business in the next 12 to 24 months.
These stories are dominating the media landscape. Just this week, the BBC released a Panorama programme focusing on Fighting Cyber Criminals and revealed that a weak password from an employee was all it took for ransomware hackers to gain access to transport company KNP’s computer systems, a move which ultimately destroyed the company.
What’s more, the CEO of the National Cyber Security Centre appeared on Radio 4’s Today Programme stressing the critical importance of organisations having a plan in place to deal with and recover from an attack. His message was clear: this needs to be a priority.
The reputational impact of these attacks cannot be overstated: breaches often expose millions of customers' personal data, which threatens hard-won trust. But it’s not just the incident itself that shapes public perception - it’s how a company handles it.
Here are our lessons learnt from the recent hacking scandals:
Prepare, Prepare, Prepare
Don’t wait until a breach hits - by failing to prepare, you are preparing to fail. Don’t take an ‘it will never happen to me’ approach - organisations should have:
A crisis comms playbook, complete with escalation paths, response templates and ownership roles
A mapped list of stakeholders, spokespeople, channels, and holding lines
Regular simulation drills to rehearse the response process
Planning ahead saves vital time in the moment. It keeps calm heads and allows for faster responses, clearer messaging, and fewer mistakes when it matters most.
Communicate Strategically
M&S was widely praised for its handling of the incident: instead of waiting to respond to media or social media speculation, the company communicated directly and proactively with customers.
A statement from CEO Stuart Machin was posted on social channels, publicly acknowledging the attack, issuing a personal apology, and committing to keeping customers updated.
Their swift, transparent approach set the tone for how to handle a cyber crisis with clarity and accountability. In fact, M&S’ response actually helped position them as a leader in navigating cyber attacks, with the chairman going on to publicly call for mandatory reporting of cyber attacks, citing the need for greater transparency and awareness in the face of escalating threats. Without a robust communications framework in place in advance, businesses will enter this crisis space on the back foot.
When the pressure is on, here’s what to keep in mind:
Respond quickly to acknowledge the incident and stay ahead of the narrative
Be conscious of oversharing too early - unnecessary exposure could lead to inaccuracies later down the line
Provide clear, concise updates as the facts emerge
Communicate across channels - social, email, website, even store signage - to reach different audiences
Crises can take months to resolve, so establishing a cadence of communications is key. Avoid the temptation to overcommunicate: regular, meaningful updates are more effective than frequent noise.
Getting the Tone Right
Cyber attacks are technical, complex and often scary: in times like these, what people need most is to hear from other people. A human voice builds connection and credibility when uncertainty is high.
Public trust demands honesty. If customer data has been compromised, say so clearly, and own the consequences. If mistakes were made, acknowledge them, even if the forensics are ongoing.
Customers are looking for:
Clear, jargon-free explanations
Reassurance that someone is in control
Honesty about risks and what you’re doing to fix them
Concrete help: a helpline, FAQs, even compensation where appropriate
M&S got this right. Their communications led with empathy, focusing on customer impact and using plain language instead of corporate jargon, offering reassurance at critical times.
Paving a Way Forward
People want to know what you’re doing to prevent this from happening again. Rebuilding confidence means demonstrating you’ve learned and evolved.
On the same day that Co-op CEO Shirine Khoury-Haq was on the BBC Breakfast sofa apologising for the leaking of 6.5 million customers' data, the company announced a partnership with The Hacking Games - a social impact business that tackles cybercrime by training up the next generation of ethical hackers.
Despite some viewers saying that the interview lacked sincerity and empathy, the partnership was widely praised in the media. The announcement of the partnership also helped to reframe the narrative by showing clear action and commitment to protecting customers moving forward.
M&S recently surprised customers and colleagues by offering a series of thank-you gestures, ranging from extra rewards for M&S Sparks members, to increasing staff discounts from 20% to 30%, and introducing a 10% discount for contractors over the weekend. This move, an acknowledgement of their loyalty and support, was yet another example of the British retailer living its values.
Lead with Integrity
Handled well, a cyber incident can become a moment of leadership. Brands that act early and communicate clearly - with empathy, transparency, and people-first messaging - are far better positioned to weather reputational fallout and rebuild trust.