Graff Data Breach: Luxury Companies and Crisis Management

Graff, the jewellery company, is the latest victim of a hacking incident that threatens to publish the personal details of many celebrities and VIPs. Donald Trump, David and Victoria Beckham, Tom Hanks and Oprah Winfrey are reported to be among the victims of the Graff attack. We, at Communicate, were particularly interested to read about this incident since we specialise in media training courses for luxury brands, and we carry about crisis communications courses for several organisations in the luxury and premium markets.

According to The Times and various other media outlets, over the last few days, a group of cyber hackers called Conti believed to be based in Russia and is typically associated with attacks on hospitals and government departments, is behind the hack of the Graff databases.

It’s worth noting that recently, Chanel in South Korea has experienced a data breach, and earlier this year, premium menswear brand Boggi Milano was subject to a ransomware attack. Three years ago, Hudson’s Bay Co, the company that owns Saks Fifth Avenue, revealed that millions of US customers had compromised their data and card information due to a security breach.

What Can Be Done?

Quoted in The Times, Graff said: “Regrettably, we, in common with several other businesses, have recently been the target of a sophisticated — though limited — cyberattack. We were alerted to their intrusive activity by our security systems, allowing us to react swiftly and shut down our network. We have informed those individuals whose personal data was affected and have advised them on the appropriate steps to take.”

We advise our crisis communications clients, both those in the luxury and other sectors, to speak quickly after news such as this breaks. It’s a good idea to have a range of template crisis statements relating to the various issues ready to be amended to cover the details of an incident.

Graff has certainly responded quickly, which is something that we would commend them for. Their statement shows that they’re taking action, which, again, we’d approve of. During our crisis communications training workshops for luxury brands, we recommend that companies talk about the action they’re taking to remedy the situation and assist those who might be affected by it. Adding that many other businesses have also been attacked takes Graff’s focus – and therefore the pressure – off.

There are some other valuable messages here. The use of the word “sophisticated” implies that Graff’s IT systems are similarly cutting edge and high-tech. Adding “limited” will help to reassure anyone who might be impacted.

One of the messages that we talk about in our media training crisis comms workshops focuses on reassuring audiences. You don’t want to dismiss concerns or appear complacent, but putting the situation into context is essential, as is carefully countering the media’s temptation to blow things out of proportion.

Fashion United quotes other parts of the statement: “We notified, and have been working with, the relevant law enforcement agencies and the ICO.” This reference to talking to regulators, external experts and independent third-party organisations emphasises the seriousness with which the company has been affected it taking the situation.

What Could Be Improved?

However, one thing the statement – as we see it – misses out on is sympathy for the customers whose details might have been included in the breach.

We always recommend that organisations hit by any crisis begin their communications with an expression of sympathy and concern for those who might be affected. It could be customers, residents, employees, or bystanders. There’s no need to accept liability or blame at this early stage – a general acknowledgement of any upset or distress caused is enough. No doubt Graff has written to those directly concerned with the breach expressing something along these lines, but it’s worth putting the sentiment into a crisis statement as well.

Our Final Thoughts

Overall, we would say that Graff has handled this incident well. They acted quickly and put out a statement covering the points that we would recommend any organisation that suffers a crisis should include its messaging.

The incident shows that luxury houses and premium products companies are increasingly liable to cyberattacks, as with those in other sectors. We recommend that they act now to prepare themselves and to road-test their communications so that they minimise the effect of a crisis on their brand and maintain a favourable profile.