The Background to the OpenSea Email Leak Situation
OpenSea is the largest NFT (non-fungible token) marketplace in the world. It was launched in 2017 by Devin Finzar (now CEO) and Alex Atallah (still on the board but stepped away from day to day activity). It became a unicorn company (valuation about $1bn) in 2021 and was valued at $13.3bn in 2022. If you are not sure what an NFT is, I can best describe it as a digital-art-marketplace that is based on Crypto technology. In June 2022 OpenSea had an email related crisis communications issue
The OpenSea Crisis Communications Issue
OpenSea announced via a blog post written by Cory Hardman (Head of Security) that its entire customer email address database has been downloaded and shared by a third party provider (Customer.io). In its own piece on the situation, The Guardian puts the number of people affected at 600,000.
In the Cory Hardman blog post, the company warns users to be on the lookout for phishing scams (where the data thief baddies try and trick you into giving your password or other important information).
The situation has reached mainstream media for the obvious reason that the brand operates in a very high profile and in-demand sector right now but there are other factors to consider. On of the wider factors is that the Crypto and NFT industries are proving to be very attractive to children (secondary school level) because of the celebrities and influencers talking about the marketplaces.
In some instances schools are using the draw that these digital marketplaces and crypto currencies have with kids in order to get them more interested in maths. This is not a bad thing in its own right and I think it is actually very forward thinking of the schools to be doing this. As respected journalist Felicity Hannah tweeted in July 2022, there are now even magazines about this industry being targeted at kids.
The result of the NFT and Crypto sectors being brought into parts of the curriculum and in magazines like the above is that kids (rightly) want to get involved and encourage their parents to help them. In most cases parents will research how to do this and, due to the high ratings of OpenSea on review sites, this will be the platform that is chosen.
This is just one of the factors mentioned above that has brought the OpenSea email breach mainstream.
How has the OpenSea Crisis Communication Situation been Handled?
As reported in Engadget, this is not the first time that OpenSea has faced data issues. With this in mind you would have thought that would have had a more robust crisis communications plan in place.
There were two immediate issues that raised red flags for me as a person who has worked on crisis communications campaigns similar to this.
One. Putting the blame onto a third party. I fully understand why the company has done this but throwing a third party supplier under the bus in the first paragraph of company statement really is a no-no from a crisis communications point of view. For me, the company should have outlined the issue and risk in full, given its advice on how its customers could protect themselves and then got into the narrative of how it happened.
Two. The CEO should have been leading from the front and the statement issued in his name. If this was the first data breach that the company had faced then I could, at a push, have been convinced that it was right for the Head of Security to have been tasking the lead on the media front. This is not the first crisis communications issue though and my advice would have been to use the most senior person at the company to front up all communications. They should have been pushing him out pro-actively to the media as soon as the company blog post (that should have been in his name) went live,
The above two points really are the basics of the crisis communications playbook.
The timing of the email announcement (1st July, around 11pm UK time on a Friday evening) to all customers is another tricky issue. The company could address the late timing issue due to global time differences but the fact it was also sent on a Friday is another thing that does not point towards strong communications strategy and looks more along the lines of trying to bury bad news.
The mainstream media wrote about the blog post on the 30th June and the OpenSea security update blog post was made live on the 29th June. The company should have issued that email communication to all customers at the same time as the blog post went live. This would have been in line with common, and best practice for a crisis communications situation.
Can OpenSea recover from this Crisis Communications Situation?
100% yes. Not least because they are in the fortunate position of being the largest operator in its sector and as such they will continue to be the first port of call for new consumers.
The CEO Devin Finzar does need to get out there now and try to get the company ahead of this story. Again though, OpenSea is in a fortunate position in that the NFT and Crypto industry is generally in the eye of the media at the present time and this means new stories will come along that will push this issue down the news agenda, and more importantly, down the search engine ranking positions (SERPS) in Google.
If another data breach was to affect the company within a relatively short period of time, OpenSea could find itself battling to maintain its reputation and customer base and this is where things like rebrands, mergers that could facilitate a rebrand, or an acquisition to pacify its nervous backers, could come in to play.
Crisis Comms Brand Risk Score: 4/10
Crisis Communications Management Score: 2/10
Leave a Reply
You must be logged in to post a comment.