How recycling tech giant TOMRA showcased communications while battling a cyber attack

The company stuck to key information, consistency, and transparency.

Norwegian multinational, TOMRA, specialises in state-of-the-art sorting and grading technologies for recycling, mining and food. It’s perhaps best known for its reverse vending machines. In the early hours of July 16, the company discovered a cyberattack had affected some of its IT infrastructure. It immediately disconnected several of its systems to contain the breach.

Most of its digital services are designed to run offline for a limited time – and it added further temporary measures to keep operations up and running. TOMRA’s cybersecurity team began migrating services to the cloud and restoring others. It hired a global cyber response team from Deloitte to assist with the ongoing investigation and response.


Rather than posting every piece of information, at the early stages of crisis comms it’s best to pare it back. It’s a difficult time, you may not have a complete picture of the situation and you don’t want to over-commit or share more than is necessary. Consider the critical needs you’re addressing – and share the minimum effective message.

TOMRA was transparent and concise from the get-go.

The most important thing at this point is to acknowledge the issue and provide some detail on what was done to address it, and what the next steps will be. It stated that it had not been contacted by the attacker or asked to pay a ransom.

TOMRA posted its last update on 25 September. Its investigation found that the attack was in its reconnaissance stage on 10 July, and the target was the company’s internal systems and domain, rather than its customers.

Getting it right from the offset

TOMRA’s first post about the attack on its website stated that it had been targeted by an ‘extensive cyberattack’, that relevant authorities had been notified and that systems had been disconnected immediately to contain the breach. The company also shared a contact email for any questions.

Getting ahead of the news, laying out the response and inviting questions like this creates reassurance for the customer that you’re in control of the situation – and that you have a plan. It buys you time.

The update that followed was a recap of the situation so far, adding that ‘no new hostile activities have been detected.’

It gave a status update on each of its external services, and whether or not they were operating as usual. This is the critical information their customers are looking for, written plainly.

In TOMRA’s fourth update, new sections were added – ‘What we know about the attack’ and ‘How we work’ – along with developments on the previous day.

When it was able to, TOMRA shared some key findings from its investigation so far. It established a clear timeline, starting with the detection of the threat and the steps taken to isolate it.

It ‘found no trace of evidence that TOMRA clients, customers, partners or their systems are at risk from the attack’. It added that it would ‘bring back services one by one as they are confirmed to be safe and secure.’

Leadership in a crisis means honesty and transparency

In an open letter – “The Value of Team Spirit in Challenging Times” – TOMRA President and CEO, Tove Andersen, addressed the attack and the question of whether they had been sufficiently prepared, writing honestly about the effect it had on the company.

The impact of vulnerability in a crisis from the leader of a company this size shouldn’t be underestimated. This letter puts TOMRA’s people at the centre of its incident response, forming the impression of a team in sync.

Keeping customers updated

TOMRA’s sixth update breaks down the target, timeframe, development, investigation and technical details of the attack. This update showcases the progress the investigation has made and the resources dedicated to it. It gives a fuller picture of the incident and reiterates the topline for customers – that their data is safe.

Through August, the company continues with status updates on external systems and recovery progress. They don’t add much new information, but they demonstrate a desire to keep customers and industry in the loop.

By September, TOMRA’s update is focused more on recovery. It lays out its plans for building resilience, including MFA, migrating to Zero Trust Architecture and centralising its vetting process for IT hardware.

Its final update has it all. It starts with a recap, runs through recovery, key findings from the forensics report, comments from Andersen, strategies for rebuilding with greater resilience the lessons learned and changes made. It signs off as the final dedicated update on the attack and shares a communications email address.

Social media

Though sparse on social, TOMRA used its two LinkedIn posts well. One shared the CEO’s statement, the other acknowledged that the company had been quiet on social media since the attack and explained that employees were working overtime to help customers get back to normal. It added: “We are glad we can start sharing again our usual insights and information about what we care about most: enabling a world without waste.”

This approach leveraged the crisis to re-establish the company’s mission statement. It informed readers that there had been an issue, that the company was dealing with it and that the priority was still its core business values.

This was probably one of TOMRA’s strongest responses throughout the incident. It’s informative enough to be a good placeholder post and reaffirmed control of the situation.


TOMRA’s response to this cyberattack looks pre-planned to a tee. The regular output of communications, a growing amount of information and concise recaps of the situation thus far wouldn’t have been possible without a highly prepped and practised team effort.

When disaster strikes, how well you know the drill can make a massive difference in your reputation management, which is vital to your Business Continuity planning. Overall, we believe TOMRA’s communications during the attack are a great example of how to do it right.

Visit us:


Databarracks Ltd
1 Bridges Court
SW11 3BB

Get in touch:

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.