It’s been a wild week for Aussie unicorn Canva, with the bumper news of two acquisitions and a huge $3.6 billion valuation being dampened somewhat by a breach that’s seen the data of 139 million users stolen.
Canva has said it detected the data breach on Friday, May 24, and users were informed the next day. However, it’s not the breach itself that has got affected users riled up; it’s mostly the manner of communication.
The initial email telling customers about the breach has been criticised for leading with positive news, as well as new t-shirt printing capabilities in the US.
It’s not until the second paragraph the email reveals “we have today become aware of a security incident”.
Hey @lizmckenzie and the @canva team this is not how you start an email telling your customers you’ve been breached. #infosec #fail pic.twitter.com/XJdB3xcWEl
— Dave Hall (@skwashd) May 25, 2019
Well now you can make a t-shirt with some stock photos that reads, “My Canva Got Hacked & All I Got Was This Stupid T-Shirt”
— Dooner (@TimothyDooner) May 25, 2019
PSA: @canva has had a #databreach. Their email is marketing fluff, but it’s “change your Canva password” data. Seriously, we need a mandated template for this stuff.
— Kathy Reid: Tinker, `tail`er, Solder, Spry (@KathyReid) May 26, 2019
The wording of the email has been criticised by Twitter users as “marketing fluff” distracting recipients from important security information.
In a later email, the messaging was changed to lead with the details of the breach.
It appears some users received the first version of the memo, while others received the updated version. Still others have reported not receiving an email notification at all.
In a statement shared with StartupSmart, Canva said the second version of the email was sent in response to some of the feedback.
“We listen to our customers’ feedback very carefully. We had some early feedback, and iterated on the email immediately,” the statement said.
“We have also been communicating to users within the platform, on social media, and via our customer support channels.”
The statement confirmed passwords were obtained in their encrypted form, meaning they’re currently unusable to external parties.
News of the breach first broke when the hacker themselves tipped off tech news site ZDNet, saying they had taken the data of about 139 million Canva users.
The hacker breached Canva’s systems and downloaded “everything up to May 17”, before Canva detected the breach and shut down the server, they reportedly told ZDNet.
Stolen data includes customer names and usernames, as well as email addresses and city and country information.
ZDNet verified the claims, it said, by requesting a sample of the data. The publication received data for more than 17,000 accounts, including account details for Canva staff and admins.
Canva then verified the validity of this data, the ZDNet story said.
The breach comes just days after two huge Canva announcements. Last week, the Aussie unicorn announced it is acquiring stock photography websites Pexels and Pixabay.
A few days later, Canva announced it had closed a $101 million funding round valuing the company at $3.6 billion.
At the time, co-founder Melanie Perkins told StartupSmart the new funding will be used to grow awareness of Canva on a global level, with schools and Fortune 500 companies being potential growth areas.
“We’re raising this round to get into every workplace across the globe,” Perkins said.
Fluffing around the problem
Speaking to StartupSmart today, Felicia Coco, co-founder and director of startup-focused PR firm LaunchLink, said something that can often happen with startups is “they’re not prepared for these things to come up”.
When you’re working with people’s personal information, there are always certain risks you have to consider, she says.
“As you grow as a startup and you gain more awareness and you are on the radar of more people, the chances of something like this happening do grow.”
Startups should always have “a plan of attack in case something like this does happen”, she adds.
At its core, this is a trust issue, Coco says. While the data has been compromised, users want to know exactly what is going on, and they want the company involved to be straight with them.
“Because you’re talking to such a wide audience, there is a temptation to minimise it or soften the blow,” she explains.
But, having worked with companies managing data breaches herself, Coco says that when those responses haven’t gone well, it’s been “because we fluffed around the problem”.
“You have to get straight to the core of the issue, let people know what’s happening in as much detail as you can, and then you want to follow up and keep them updated,” she says.
“Give a really clear breakdown of what the situation is,” she advises, even if you don’t know the full details yourself.
“It’s really good to issue a heads up to the key stakeholders,” she adds.
And that includes anyone with a vested interest in the business, including users, the media and the wider public.
Finally, Coco suggests announcements about data breaches, or other significant bad news, “really need to come from the top”.
Startups should address the situation in a formal way, and give an official and clear statement.
“And it needs to come from the CEO,” she says.
Users want a rundown of what has happened, and how they’re going to move forward, and that’s how they can start working towards rebuilding that trust.
“They need to have clear steps about how they’re going to address the specific situation and how they’re going to work towards ensuring that this doesn’t happen again,” Coco says.
For Canva, specifically, no account has actually been breached yet, Coco points out.
“They’re a fantastic company,” she says.
“They will absolutely bounce back from this.”
However, their response to the weekend’s data breach potentially stands as a warning sign to other companies that may not have the same traction or as high a profile, and may not have the ability to bounce back.
“We have to really get tight with these strategies,” Coco says.
Right Click Capital partner Benjamin Chong also stresses the importance of being open and upfront with users in the case of any crisis.
Mistakes happen, he says, and “most users will respond well to companies who are forward about it”.
This is largely about giving those users the ability to act on the information as soon as possible, by changing their passwords on the affected site and anywhere else they may use the same one.
“You want to give your users as much opportunity to do what they need to do to protect themselves,” Chong says.
Do this well, and “you can use this as an opportunity”, he adds.
For Chong, the Canva breach serves as “a reminder for everyone” to ensure they employ good cyber security practices.
Also, startups should learn the value of having a plan.
“Have a disaster-recovery plan and a comms plan, so that it’s ready to go if you need to share things,” he advises.
Even if there’s only a very small chance of something happening, if you have pre-planned responses using best-practices from experts, “then if you do get caught, you’re able to respond quickly and clearly”.
For any startup, the more you grow, the more your chances of being breached grow too.
“You’re likely to have more users, and therefore, if an attacker is able to breach your system, they’re able to get more access to more user data,” Chong says.
“I would suggest all startups wanting to grow put in place the necessary safeguards.”