The company stuck to key information, consistency, and transparency
By James Watts, Managing Director at Databarracks
Norwegian multinational TOMRA specialises in state-of-the-art sorting and grading technologies for recycling, mining, and food. It’s perhaps best known for its reverse vending machines.
In the early hours of Sunday, 16th July, the company discovered a cyber attack had affected some of its IT infrastructure. It immediately disconnected several of its systems to contain the breach.
Most of its digital services are designed to run offline for a limited time – and it added further temporary measures to keep operations up and running. TOMRA’s cyber security team began migrating services to the cloud and restoring others. It hired a global cyber response team from Deloitte to assist with the ongoing investigation and response.
Rather than posting every piece of information, at the early stages of crisis comms it’s best to pare it back. It’s a difficult time, you may not have a complete picture of the situation and you don’t want to over-commit or share more than is necessary. Consider the critical needs you’re addressing – and share the minimum effective message.
TOMRA was transparent and concise from the get-go.
The most important thing at this point is to acknowledge the issue, provide some detail on what was done to address it, and set out what the next steps will be.
Since detecting the breach on 16th July, the company published eight updates about it on its website, and one open letter from its CEO and President, Tove Andersen. It stated that it has not been contacted by the attacker or asked to pay a ransom.
TOMRA is still dealing with the incident a month later. In its investigation, it found that the attack was in its reconnaissance stage on 10th July. The target was the company’s own internal systems and domain, rather than its customers.
Getting it right from the outset
TOMRA’s first post about the attack on its website stated that it had been targeted by an “extensive cyber attack”, that relevant authorities had been notified, and that systems had been disconnected immediately to contain the breach. The company also shared a contact email for any questions.
Getting ahead of the news, laying out the response, and inviting questions like this creates reassurance for the customer that you’re in control of the situation – and that you have a plan.
It also buys you time to focus on recovery without diverting resources to answering every email, phone call, and DM you get about the outage.
The update that followed was a recap of the situation so far, adding that “no new hostile activities have been detected,” and that most of its services are designed to run offline for a period.
The company gave a status update on each of its external services, stating whether each was operating as usual or with limited functionality. This is the critical information its customers are looking for, written plainly.
The company’s third update was the same as the previous day’s, adding that no new threats had been detected. Though it wasn’t adding much new information, creating a regular schedule of updates in the early days of a crisis shows that you’re on top of the situation.
In its fourth update, it added new sections – ‘What we know about the attack’ and ‘How we work’ – along with developments on the previous day.
The company had successfully begun establishing digital services for its Reverse Vending Machines on a cloud platform. It also noted that the forensics team was making headway in establishing the “cause and nature” of the attack.
Here, TOMRA shared some key findings from its investigation so far. It established a clear timeline, starting with when and where the threat was detected, the discovery of some of the methods used in the breach, and the steps taken to isolate it.
It “found no trace of evidence that TOMRA clients, customers, partners or their systems are at risk from the attack.”
It added that it would “bring back services one by one as they are confirmed to be safe and secure.”
Leadership in a crisis means honesty and transparency
In an open letter – “The Value of Team Spirit in Challenging Times” – TOMRA President and CEO Tove Andersen addressed the attack, and wrote honestly about the impact it had on the company.
She mentioned how some questioned whether the company had been sufficiently prepared for an attack like this, and underlined its commitment to transparency.
“I have made this very clear: If we find out that information has been compromised, we will be open with those affected. I hope we won’t have to make that call to anyone.”
She ends the letter by thanking customers and employees and committing to coming out of the incident “an even stronger company”.
The impact of honesty and vulnerability in a crisis from the leader of a company this size shouldn’t be underestimated. This letter puts TOMRA’s people at the centre of its incident response. Combined with the steady stream of detailed information, it gives the impression of a team that’s giving its all to a single effort.
Keeping customers updated
TOMRA’s sixth update breaks down the target, timeframe, development, investigation, and technical details of the attack. TOMRA’s own systems and domain were the target of the attack, with no evidence that customers were targeted.
Apart from reiterating the topline for customers – that their data is safe – this update showcases the progress the investigation has made – and the resources dedicated to it. It gives a fuller picture of the incident and response.
TOMRA’s last update is short and sweet. It’s coming to the end of the investigation, and the company has “a good overview of what happened.” It gave a status update on its external services – showing progress in the recovery – linked back to previous updates for continuity, and thanked customers and employees for their support.
In contrast to its site updates, TOMRA’s social media was pretty quiet on news of the attack. Apart from a couple of dispersed posts on LinkedIn – and none on Twitter (or “X” if you prefer) – crisis communications lived mainly on the website.
But it used its two LinkedIn posts well. One was a post on the CEO’s statement. The other acknowledged that the company had been quiet on social media in the two weeks since the attack, and explained that employees had been working “around the clock” to help customers get back to normal. It added:
“We are glad we can start sharing again our usual insights and information about what we care about most: enabling a world without waste.”
This kind of approach takes a crisis situation, like a cyber attack, and leverages it to reestablish the company’s mission statement. It informs clients and the public that there was an issue, that the company is dealing with it, and that the most important thing is still its core business values.
This is probably one of the company’s strongest responses throughout the incident. It’s informative enough to be a good placeholder post and gives the strong impression of being in control of the situation. For further information, it signposts and links its website’s updates.
TOMRA’s response to this cyber attack gives the overall impression of being pre-planned to a tee. The regular output of communications, consistency in tone, a growing amount of information, and concise recaps of the situation thus far wouldn’t have been possible without a highly prepped and practiced team effort.
When a disaster like this strikes, how well you know the drill can make a massive difference in your reputation management, which is vital to your Business Continuity Planning. Overall, we believe TOMRA’s communications during the attack are a great example of how to do it right.