Marriott Responds to Breach Crisis With Fairly Good Outreach
Marriott International Inc., the world’s largest hotel company, now has the distinction of bringing us the third-largest data breach. The news, which broke Friday, was shocking — 500 million guests’ accounts accessed from the reservation system of the company’s Starwood unit. But the hotelier did a decent job of communicating the crisis.
The company’s Nov. 30 press release had some good information, though Marriott was tweaked for what some viewed as a delay in going public (cybersecurity experts are also saying it should have been caught earlier). The statement revealed that Marriott first got an alert about the possible breach on Sept. 8.
Of course, breaches present challenges in determining whether they actually happened, what data was actually accessed, and whether any was actually taken. Marriott learned that the unauthorized access began in 2014 and that data had been copied and encrypted. It wasn’t until Nov. 19 that it decrypted the information and knew for sure it was Starwood’s. Marriott provided this information in the release.
The quote in the statement from CEO Arne Sorenson was fairly strong and was picked up in many articles: “We fell short of what our guests deserve and what we expect of ourselves,” Sorenson said in part. “We are doing everything we can to support our guests.”
The release noted that Marriott had set up an informational website (info.starwoodhotels.com) and a call center. It was sending email notifications to customers and offering a service that would notify them if their personal data was found on other sites. Guests’ passport information may have been taken, and the company has since said it will reimburse the cost of replacing passports if that data is used improperly.
One unusual aspect of the Marriott press release: The company noted that it would file a required form with the U.S. Securities and Exchange Commission that would include the press release and “certain other information with respect to the incident.”
That other information, apparently intended to appease shareholders, was that the company carries cyber insurance and that it was too early to tell what the breach’s financial impact would be (its stock dropped more than 5 percent on the announcement).
The extent of the breach (the two bigger ones were both at Yahoo) makes it especially disappointing that Bethesda, Maryland-based Marriott didn’t make its executives available to journalists on Friday, according to The Wall Street Journal. A breach of this size requires the company to be out and open and fully transparent to regain the trust of its customers and stockholders.
While the data intrusion goes back to 2014, Marriott didn’t buy Starwood until 2016. The parent didn’t make much of this in its communications, which was probably smart, as the breach continued once it did take control. (News coverage mentioned problems Marriott is having integrating Starwood’s computer systems into its own — including the loyalty programs.)
The New York Attorney General and European regulators said they were investigating the breach. The New York Times quoted an analyst opining that it could lead to the first large fine under Europe’s new data-protection law.
Also noteworthy: Within hours of the breach announcement, enterprising plaintiffs’ lawyers filed lawsuits seeking class-action status on behalf of Starwood guests, and a securities class action was filed the next day. The new litigation will also require a nimble communications response.
This is an abridged version of an article that appeared today on the CrisisResponsePro paid subscription portal.