5 essential tips for customer care people dealing with technical queries

It happened again. Well actually, it happens all the time but I got inadvertently drawn into it again. I’m referring to this:

@stereosky @scampreturns @troyhunt All data on our system is totally secure. We take these concerns seriously tho & we're already...

Totally secure! Not just “pretty” secure or “really” secure but totally secure! I need to learn how to do that.

Now this was in response to the following tweet:

So @wishgenie hasn't responded to my tweet about sending my password in plain text. Just so you know. It's apparently not that important

This is a familiar banter; a concerned customer raises a valid point about the technical implementation of a system and they’re brushed off by a customer care Oompa Loompa with a totally insufficient or incorrect response and then things escalate from there. It’s exactly what happened when Tesco did this a few months back:

@troyhunt Passwords are stored in a secure way. They’re only copied into plain text when pasted automatically into a password reminder mail.

That now infamous tweet has been retweeted over 2,000 times and the subsequent blog post read about 150,000 times. Bugger for Tesco.

The problem, of course, is that customer service folks, who are usually the coalface for the organisation’s social media presence, are simply not equipped to provide technical responses and nor should they be expected to. But there are a few simple tips they could apply that would save them from spiralling into an unwinnable online embarrassment.

1. Never get drawn into technical debates

Customer care attempting to justify technical positions is nothing more than bringing a knife to a gunfight. I’m generalising here because there are inevitably cases where technical people man the corporate Twitter feed but that doesn’t tend to happen in large organisations. In most cases, there are dedicated support folks who are trained specifically to deal with customers – that’s their expertise.

Take the Tesco example above; this is an entirely nonsensical statement and the reason it has been retweeted a couple of thousand times is because frankly, it makes them look stupid. It’s stupid to the point of being humorous.

But of course there shouldn’t be any expectation for the social media coalface of a large organisation to understand the intricacies of cryptographically secure password storage – that’s not what they’re there for. STEP AWAY FROM THE KEYBOARD! Customer care is highly unlikely to add any value to a discussion like this and can very easily turn a simple discussion between two people into a public embarrassment.

2. Never allow public debate to escalate

The exchange with wishgenie earlier on wasn’t the beginning of things, you have to go back a few days for that:

Wow, @wishgenie. You sent me my password in plain text? Wow. Don't want to know how it's being stored either.

At this point, the customer posted on their public timeline and merely mentioned wishgenie and that was the extent of it. Unfortunately wishgenie was a little slow off the mark in responding which was the catalyst for a follow-up tweet. That in turn garnered support from a follower who also included me in the thread:

@wishgenie @scampreturns @troyhunt Yes please. We would all love to know how you securely store passwords in plain text :)

Unfortunately, because wishgenie wasn’t able to respond before the customer prompted them again, the whole thing escalated. Their earlier response about “all data on our system is totally secure” naturally escalated things even further.

3. Always take potentially volatile discussions off the public timeline

Let me share an exchange I had earlier this week with St. George bank:

Unimpressed that @StGeorgeBank keeps having Indian call centres from unlisted numbers phone me at odd hours and ask for personal

See that? One simple response in less than 140 characters achieved the following:

  1. Showed a genuine concern for the problem I raised
  2. Gave me a means of making direct contact (they followed me to allow DMs)
  3. Didn’t make any public excuses or other assertions
  4. Took the discussion private so there’s no public sharing

That third point is particularly relevant as it’s what went wrong with both wishgenie and Tesco; they’ve both let themselves get drawn into a public debate which was then weighed in on by numerous other parties. Instead of immediately shutting the problem down (at least publicly), they both poured fuel on the fire.

4. Make technical people available (privately)

Customer care folks are not going to be able to adequately address issues of a technical nature such as the ones above. Now mind you, we’re not always talking about security, sometimes it’s about browser compatibility or performance or any other number of topics related to the technology domain.

The only way to properly address these concerns is to involve someone who actually understands them. In the Tesco case, if someone had privately contacted me and said “Look, here’s why things are as they are and here’s what we’re doing about it”, that would have been it. I almost certainly wouldn’t have followed up and picked more holes in their implementation.

5. Never be dismissive

Regardless of the subject matter, if someone raises a genuine concern and they feel like they get the brush off, it’s going to get under their skin. What do I mean by “brush off”? Here’s a good example:

Continued assertion that Tesco security is "robust"

Frankly, this verges on being patronising and at the very best is dismissive. Here’s someone who raises a genuine concern and gets a very generic, broad response in return. It does nothing to address the actual issue the customer raised (or in this case, drew attention to) and at the very least, they could have reverted to point 2 above and asked to be DM’d with any concerns. In all likelihood the customer may not have even followed up, but at least they wouldn’t have been left feeling dismissed.


In their defence, it does appear that wishgenie is no longer emailing passwords and is instead sending a reset. Does that mean they’ve implemented cryptographically secure hashes? You decide:

@stereosky @scampreturns @troyhunt …implementing a change to how we send passwords which we'll get live as soon as poss.


Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals