How a Data Security Breach Can Be Used for Good PR

Hershey Corporation sent an email to its customers, notifying them that Hershey’s website experienced a data security breach. This incident was picked up by many online publications after the report surfaced on the Consumerist blog. People were fascinated to learn that the attacker only modified a single baking recipe, leaving the rest of the site untouched. I am interested in this incident because it presents an opportunity to learn from Hershey’s smart PR response to the breach.

Potential Effects on Consumer Data

According to Hershey’s notice, the compromised web server stored “consumer website registration information, including email addresses, birthdates and street addresses as well as passwords used to enter some of our sites.” This is probably the reason why the company notified the public about the breach.

Hershey has “no indication that any of this consumer information was compromised.” It’s very hard for an organization to definitively say that no sensitive data was compromised, which is why this form of describing the scope of the breach is often seen in breach notification reports. The implication is that the company went through reasonable efforts to determine what data may have been affected.

Highlighting the Importance of Recipes

While acknowledging the concerns over the security of consumer information, Hershey’s notice does a great job highlighting the strange circumstances of the breach, where the intruder altered only a single recipe on the compromised website:

"As you know, Hershey’s recipes are built on our legacy of offering the highest-quality products for more than 100 years. Consumers rely on us for this information, and we take the quality of our baking and cooking recipes very seriously. We have corrected the issue and taken steps to enhance the security of this information. We have thoroughly investigated the situation and reviewed the recipes on this site to ensure their quality."

From a marketing and PR perspective, Hershey is focusing the message on the integrity of its recipes. The implication is that if someone were to bother modifying them, then there’s something truly special about their contents—something that Hershey’s customers have been benefiting from for more than a century.

Sample headlines related to the breach read:

I see the contents of Hershey’s breach notification notice as an excellent example of how a company can use a potentially negative event, such as a data security breach, to strengthen its brand. The approach of focusing the messaging on the modified recipe seems to be paying off for Hershey, as the media’s coverage of the incident seems to be emphasizing that strange aspect of the breach.


Lenny Zeltser


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise allow me to create practical solutions that drive business growth.
