How Marriott is blowing the data breach debacle
Updated: Dec 13, 2018
Burying your head in the sand is never the answer.
It's been almost a week since the news broke that hackers may have stolen data from upwards of 500 million guests of the Marriott-Starwood hotel chain. As the hours and days have progressed, how Marriott has communicated - or rather, not communicated - to its customers and to the general public is a case study in how not to handle a crisis such as this.
The immediate and primary goal of crisis communications is to quickly and accurately message that 1) the company is acutely aware of the problem; 2) is serious about the extent of the incident; and 3) is taking aggressive action to repair the current hacking attempt and prevent future attempts. Unfortunately for Marriott, it's failing on all of these key messages.
Let's look at what they are doing wrong.
Email Marketing - within hours of the news, every customer should have received an email alert. In full transparency, I am an elite status member of Starwood and expected to receive an email immediately. Nothing. News reports have stated that they are proceeding to email their customers, but this is taking far too long. And, it should not - as with any good communications strategy - result in just a single email. No, Marriott should have delivered an email immediately alerting their customer base around the three key messages above, and even if they do not have all of the details, promise to follow up. Then, over the course of the next several days, subsequent emails would provide additional details, FAQs, and action steps.
Website Communications - While both Marriott.com and Starwood.com have an alert bar, it's only present at the top of the page. Scroll down, and it's gone. I'd argue that a persistent tile or lightbox should have been used, requiring the user to click to collapse it.
Further, the link provided goes to a third-party site, with so much legalese that it makes some credit card terms and conditions look easy to read. Obviously this was dictated by the legal team, likely to limit liability, but it truly is an awful way to message around the incident. The branding (or lack thereof), the style and the overall UX scream 'we don't care' to any viewer.
Worse, the key remedy of providing free web monitoring via WebWatcher, is buried on the page. This would have been a key message to elevate onto the home page, into email and spread across other digital channels. I suppose the takeaway is that Marriott was forced to provide this service but doesn't really want to talk about it, as it will just cost them more money.
Mobile Apps - the SPG mobile app also has buried the link and isolated it at the bottom of one of the screens. Again, it would behoove the brand to communicate more clearly and aggressively. Minimizing the link just sends the message that the breach just wasn't that big of a deal.
Social Media - This is probably the most egregious misfire. You would think that the brand would use these news distribution platforms to reach and reassure customers. Nope. No tweets, no Facebook posts. Nothing. What's always humorous is the response by Facebook users when a brand is actively hiding. Just check out any of the comments underneath the regular "feel good" posts on the Marriott Facebook page and you'll see what I mean. It's a clear sign that Corporate Affairs/PR took over. I'm sure if they had a choice they would have wanted to shut down all social media interactions altogether. I mean, why even engage with real people around real concerns?
Ok, so why should a brand embrace the issue, communicate aggressively and call attention to its warts? I mean, why walk straight into the fire of your own making if it just means you are going to get burned?
For just one critically important reason: Trust. What is a brand if it is not an emotional connection with a customer that is built on trust? And what is more to be trusted than one's own private data? That's why a data breach is just such a crisis of brand trust. Literally it's a breach, not of data, but of trust.
A 2016 study found that 66% of U.S. adults would stop doing business with a company that suffered a cyberattack. Extrapolating worldwide from Marriott's 2017 revenues of $23 billion, that's a potential loss of $15 billion. Gee, you'd think this would dwarf the legal liabilities, the cost of a web monitoring service or the short-term loss of business in calling attention to the problem. But maybe that's the problem - a short-term corporate solution to make the C-suite feel good - rather than nurturing trust over the long term.
What do you think?
Update: I finally did get an email from Starwood on December 9, over a week since the breach was first announced. As mentioned above, this email communication was way, way too late. While the adage, 'Better late than never' usually applies, in this case, it leaves a lot of loyal customers in the dark for too long.