Why Sobeys has stayed silent on its 'IT systems issue'


As Sobeys continues to resolve an "IT systems issue" that is being investigated by at least two provincial privacy commissioners, experts say the company's lack of communications may be necessary but could hurt the brand's reputation.

Sobeys parent company Empire (EMP-A.TO) first issued a brief statement last Monday, notifying investors and the public that its stores had been impacted by an "IT systems issue" that had created technical difficulties with some in-store functions, including the fulfilment of prescriptions. The company has not issued any further releases about the episode, but said in a statement provided to Yahoo Finance Canada on Tuesday that pharmacy locations are now fully operational, and that while the grocery retailer is still dealing with challenges, "our network is flowing well."

"Our company is working tirelessly to resolve the issues we are experiencing with our technology systems," Sobeys external communications specialist Tshani Jaja said in a statement.

"We are receiving products, delivering them to our stores to replenish shelves, and serving our customers. Throughout our national store network, customers are once again able to activate and redeem gift cards, as well as to earn and redeem loyalty points."

Sobeys did not respond to questions about whether the ongoing issue is linked to a cybersecurity incident, when it first started or whether any customer data was put at risk.

However, two privacy watchdogs say they have received data breach reports from Sobeys. Quebec's access to information commission and Alberta's privacy commission have both been notified of a "confidentiality incident." CBC News, citing employees, also reported this week that a ransomware attack is to blame for the incident.

With limited information released by Empire to customers and investors about the issue, speculation about the cause of the systems issue has run rampant online, something Kaiser & Partners president Janine Allen says could have been prevented had the company communicated about the issue more clearly.

"In the absence of information directly from a company, rumours and speculation run rampant. Others will step in and fill the void of communication. And when that happens, you've lost control of the issue," Allen said.

"That's what Sobeys is letting happen by not responding to inquiries and failing to communicate or update its customers, partners or other stakeholders... Hoping everyone will forget, or waiting for the next news cycle is not a reputation management strategy."

Crisis communications lessons

But some say there is a key reason behind the silence from Sobeys. Greg Vanier, the national lead of communication firm Edelman's Data Security and Privacy Group, says in an interview that companies which deal with cybersecurity incidents often opt to limit the information that is disclosed.

Vanier says the fact that cyber attack incidents can take time to resolve can make it difficult for companies to respond in real time. A quick response could also potentially trigger further actions from the threat actor, he says.

"Security incidents take a long time to understand. It can take a while to figure out what the impacts and consequences are," Vanier said, adding that often, third-party experts are brought in to do comprehensive reviews to confirm what happened with certainty, which could take weeks to months.

"I think that Sobeys is picking the path that they have to... From a reputation perspective, there is no advantage, but from an investigation response and legal perspective, they (may) need to keep calm right now."

Still, Allen says that while companies may have been limited in terms of what can be disclosed in the initial days of dealing with a cybersecurity incident, it's important to be as transparent as possible.

"From a crisis communications perspective, I don't believe there's any advantage to staying silent, even when you don't have full information," Allen said.

"People will be more likely to believe you're trustworthy and come back to you even if you are communicating that you don't have all the answers yet but are showing a bit of empathy to the concerns of stakeholders."

Mark Sangster, chief of strategy with cybersecurity firm Adlumin, who has worked with companies that have dealt with cybersecurity issues, says messaging is critical in the event that companies have fallen victim to online attacks.

"Details are important. When I advise companies, I stress being adaptable and providing accurate information rather than being ambiguous," Sangster said.

"You don't have to have all the answers. But what you do want to show is that you're empathetic and that you're being as meticulous and forthright as you can."

Alicja Siekierska is a senior reporter at Yahoo Finance Canada. Follow her on Twitter @alicjawithaj.
