For Uber, sorry seems to be the hardest word
My parents brought me up to believe that if you’ve made a mistake that affects other people, the first thing you should do is apologise to them.
It’s more than just ‘good manners’ – it shows that you understand you did something wrong, that you acknowledge you’ve caused a problem, and signals that you’re willing to fix it. It’s also an important step towards regaining the trust of those affected by your mistake.
So why is it that many businesses find it hard to say ‘sorry’ after an incident that affects employees or customers? This morning, I woke up to the news that the ride-sharing firm Uber had been hacked in late 2016, and had the personal information of 57 million of its customers and drivers stolen. And in response, the firm paid the hackers $100,000 to keep quiet about the breach, and failed to notify the individuals affected, and the data regulators in the countries in which it operates.
I’m not going to go into detail about the company’s security practices that enabled the breach to happen in the first place, nor into the whys and wherefores of the company not reporting the incident: you can read about these elsewhere.
However, I was amazed when I read the blog post attributed to Uber CEO, Dara Khosrowshahi, which revealed the incident and described the company’s response to it. As crisis management and response is a core part of what we do for our clients, the blog text either overlooks, or completely ignores, some absolutely critical points which should be considered essential when trying to rebuild customer confidence after an incident.
Here are the points which any company should take care to avoid when preparing or issuing a public crisis management response.
The blog starts off well, acknowledging that “we have to be honest and transparent as we work to repair our past mistakes.” But it then goes off the rails.
“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.”
Uber’s 57 million customers and drivers whose data was breached don’t care about the company’s corporate systems or infrastructure; they want to know who’s got their data. The lesson here is don’t talk about yourself: talk about what matters to your stakeholders that are affected by the incident.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.”
As an Uber customer myself, I feel truly reassured that the company paid $100,000 to a couple of hackers with the request that they keep quiet about the hack, and delete all the data they stole. After all, if you can’t trust a criminal, who can you trust? The point is that it’s a matter of public record that Uber tried not to disclose the incident, so don’t try and dress it up with a veneer of responsibility. At least be honest about the mistakes.
The blog then gets somewhat back on track by describing the remedial actions that are being taken. It then concludes with: “None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
That’s good – but there’s just one small, but vitally important detail missing: ‘sorry’. Not once in the entire text is there any hint of an apology: not for the massive hack of data, and not for the subsequent year-long silence about it.
Of course, this all happened before Khosrowshahi joined the company. And his blog is right: he can’t erase the past – a past in which the company has repeatedly been accused of being ‘arrogant’. But because the blog doesn’t contain an apology for the whole incident, it does nothing at all to address those accusations.
If the company truly is “ … changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers”, then a simple, clear and unambiguous apology for previous mistakes is an excellent place to start. Is sorry really so hard to say?