When hackers strike – and they will – PR is just as important as IT

Switch on the local news any evening of the week and you could be excused for thinking that we live in an increasingly lawless country.  

 

According to the Office of National Statistics, shoplifting on UK high streets has hit an all-time high. The ONS reports that in 2024 there was a 20% increase in the number of shoplifting incidents reported in 2023, reaching a figure that was double the reported number for 2021. 

 

The number of crimes against retailers last year was logged at 516,971 for England and Wales. 

 

For the travel industry, this may not seem of particular concern. It’s a bit like a war in a far-off land: not comfortable to see, but it doesn’t really affect us. What we sell is not what attracts the average shoplifter. 

 

But the shoplifting epidemic is just the tip of the criminal iceberg. And like all icebergs, the real danger to us and our business lies beneath the water, largely out of sight.  

 

I was recently in the company of several cybercrime specialists as part of a national thinktank on cyberattacks and their impacts on business. As one expert said: “Cybersecurity is much more than a matter of IT.” 

 

Cyberattacks on brands and businesses of all sizes are increasing at an alarming rate. Just recently, we have seen M&S, the Co-op and Harrods fall foul. 

Reputational damage

Each of those businesses saw wide-ranging damage to their operations and even their reputation among customers. M&S, it is estimated by experts, experienced significant operational disruption that contributed to its shares dropping by about £675 million at one point.  

 

Even our own sector has been shown to be vulnerable. British Airways suffered one of the largest data breaches in 2018, which impacted some 400,000 customers. Hackers gained unauthorised access to personal and payment card information, including login, payment card and travel booking details, as well as names and addresses, for a large number of customers. 

 

BA received a fine of £20 million from the UK’s Information Commissioner’s Office – something of a lucky break given that initially it was being prosecuted for £183.9 million.

 

But these attacks are more than just about IT systems and procedures in your company. How your brand responds to a cyberattack or a data leak matters at every level of your business. And with customers feeling vulnerable to the perceived increase in crime in all aspects of their lives, that means your frontline staff and marketing messages become vital in the reassurance operation required after such an incident.
 

Communication lesson

How M&S dealt with their recent cyberattack shows how things should be done, and every travel company and brand, big or small, should take heed.  

 

On a PR and customer communication front, M&S were prepared. They knew, as every brand should, that it was a question of time before they came under attack. They had therefore built a strong relationship with key stakeholders in advance of this sort of situation, building trust in their board, personnel and procedures to deal with such an event. 

 

The tone of voice in their communications was considered and led from the top of the company. They moved at speed and coordinated their messages to reassure employees, customers and investors that they were taking action and had the matter in hand.  

 

Most successfully of all, they shaped the narrative, referring to the event as an incident not an attack, which was picked up by the media, somehow removing the sting for customers. 

 

It’s crucial for travel companies to remember that a cyberattack is more than just an IT issue – it impacts a brand’s reputation. The way M&S handled their incident is an example to all travel brands – every part of your business needs to be ready for the inevitable online assault.