Do you use Canva? I do… I love it. And I love the company more after this weekend.

This weekend, they had to send a difficult email telling users that their system was hacked. Never a fun message to give loyal clients (I know; I’ve done my share of communication for bad PR in my career).

But the company did it right as far as I’m concerned (well, 80% right—there were a few things that could have been better). The email communications actually increased my trust in Canva at a time when I could easily have been furious. For the record, a lot of people are furious—most stories about this bad PR incident are critical of the company. I’m sharing why, as a user, I’m happy with how they handled the situation via their email communications about it.

What they did right: honesty and transparency

Canva sent a message as soon as they knew what was really going on (and after alerting authorities). Many people get angry when there is a lag between the incident and the communication, and often that is justified. It’s not great for users to hear about these things on social media. HOWEVER, you don’t want to tell them something that isn’t accurate. It’s a very hard balance for a company in the middle of a crisis. To me, 24 hours was appropriate amount of time.

canva security breach and bad PR

The first email was clear and concise. They started with some exciting news, then mentioned the data breach and advised users to change their passwords. It was calm and honest. The reason it was calm and kind of “hey, no biggie, but this thing happened…) is because at that moment, they didn’t know how big of a deal it was. They did know they had to tell their users about it and get them to take protective action WITHOUT TOTALLY FREAKING THEM OUT.

In all fairness, I did not open that message (more on that in what they did wrong).

Canva then sent a follow up message the next day. This message was all about the breach They didn’t sugar coat the problem, they didn’t make excuses. They laid out the facts and told users what to do. Honest, transparent, clear, and concise. No drama, no overly long explanations. It did what it needed to do.

I appreciated that and immediately changed my password. I know they’re working with the authorities and I feel reassured. That is why this morning, my trust levels in the company are higher.

The takeaway: be honest with your people, but don’t be alarmist. When something happens, like a data breach, calm transparency goes far in restoring trust. Histrionics, gaslighting, avoiding the truth will hurt you. Yet, I’ve seen so many situations where that is the first instinct.

email communication samples

What they did wrong (or the importance of email subject lines that get opened)

When I popped onto Facebook yesterday morning, the first thing I saw was an angry post about the situation from a friend who learned about the breach on Facebook. There were a few other steaming mad comments about how that was NOT the way to learn about a data breach (they are right, it’s NOT the way to learn about it).

I mentioned the emails, to which my friend said “what emails? I didn’t get anything.”

And that is what Canva did WRONG.

I suspect my friend did get the emails, but didn’t open them because.…

The subject lines were AWFUL.

Listen, if you want people to open your email you need to give them a subject like they will open.

The subject line of the first email was (hold on)… Your Canva Account.

Seriously, I fell asleep writing that. Did they really think anyone would open an email with that subject line?

The subject line of email 2 was a little bit better, and I did open it. It was: Important Information About Your Canva Account.

Still a snoozer, but at least they were trying to get my attention with the word Important (a word that has high conversion rates).

In both, the preheader said “Please update your password.” Good because that’s the important action they wanted us to take. But in email 1 it failed to grab my attention because the subject line was so boring.

In email 2, the combination of the word Important and the preheader CTA to change the password is what got my attention and made me open the email.

I’m not a fan of fear mongering or wild exaggeration in email subject lines… unless it is warranted. And in this case, it was warranted.

Email 1 would have worked better if it was something like: Canva was hacked, protect your account. That would have gotten my attention!

How about for email 2: Important information about the Canva hack.

They did a good job with the body of the emails and then fell short on the subject lines—which means a whole lot of customers never read those emails. I’m curious what their actual open rates on these messages were. I’m willing to wager low based on the Facebook chatter yesterday morning.

Takeaway: Don’t shy away from a direct message. A crises is no time to be coy. Canva NEEDED users to open those emails, but gave us no incentive to do so. Big mistake. (For email subject line inspiration, check out my email subjects lines swipe file.)

Data Geek alert: why this stuff matters

Before this whole data breach happened, I had come across some data from Global Sign (an SSL security company). They found that more than three quarters (77%) of people fear their data is going to be misused. You have to reassure them it isn’t, and if it is, you gotta be honest about it!

Any way, I popped over to Canva to create this pie chart based on the data because, while not directly related to communication, it is important to remember.

People want to know you take their privacy and data seriously. How you communicate plays a huge role in building and maintaining that trust.

Be honest. Be transparent. Be calm. Tell the truth.

I believe it’s not the ability to completely avoid mistakes and disasters that make people feel valued; it’s how you deal with it.

data about trust and website security