Marriott: A crisis response gone wrong

Marriott rocked customers and investors last week after disclosing one of the biggest data breaches of all time with up to 500 million customers impacted. The data at risk includes things like email addresses, mailing addresses, phone numbers, and passport numbers. Encrypted customer credit card information was also compromised, but it's too soon to tell whether the keys necessary to access that information were also lost.

There’s no question that management is taking this seriously.  Just look at some of the actions they have taken since the announcement was made:

  • A new dedicated phone line and website for those affected by the data breach
  • Creation of a micro-site where Starwood customers can find more information about the breach and the actions they can take
  • Covering the full cost for a year of web monitoring services for those affected 

But actions alone just aren’t enough. They missed the mark on message. Marriott made the same mistake many companies in crisis make: they treated this like a crisis of facts, rather than a crisis of feelings. They list in clinical detail what they know, what they don't know, who is responsible (read: it’s not Marriott, it’s Starwood) and what they're doing. What they aren’t really addressing is what they did wrong. They aren’t addressing consumers’ emotions. And emotions are running high. There’s fear. There’s broken trust. There’s skepticism. And until Marriott deals with that, they won’t win back customer and investor trust.

Here’s a look at what they could have done to begin to rebuild trust.

Marriott’s actual response vs. what they should have done instead

Marriott’s actual response: They distanced themselves from the issue by using the third person and focusing on Starwood: “Marriott has taken measures to investigate and address a data security incident involving the Starwood guest reservation database.” “The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.”
Instead they should have: They should validate our concerns and acknowledge their shortfall: “When you use our website, your data should be secure. But on November 19, we discovered Starwood guest reservation database had been breached by attacks going back to 2014. You trusted us with your information, and we let you down.”

Marriott’s actual response: They buried the details that mattered: “The information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).” “Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.”
Instead they should have: They should cite shared goals: “We know your first priority is to know how this attack may have affected you. [XYZ] data was taken—including encrypted credit card statements. We don’t yet know how the attack happened and whether the encryption keys were taken, as well. We’ve launched a full investigation to find out, but in the meantime we’re doing everything we can to make this right...”

Marriott’s actual response: They did describe steps they took but stopped short of reassuring us: “We have established a dedicated website and call center to answer questions you may have about this incident.” “Marriott is providing guests the opportunity to enroll in WebWatcher free of charge for one year.” (Describes additional actions)
Instead they should have: They should use the actions they took to reassure us: “We’ve established a dedicated website and call center so you can get answers to any and all questions you have about the incident.” “We’re paying for any member who wants to enroll in the cyber security service WebWatcher to help keep their information safe.” “And we’re going to be completely transparent about the results of our investigation so you know everything we do about what happened and how we’re going to keep it from happening again.”

Marriott’s actual response: They restated their goal: “Today, Marriott is reaffirming our commitment to our guests around the world.”
Instead they should have: They should let us know they get the severity and tell us what’s next: “The fact that this happened is unacceptable. And we’re ready to do whatever we can to make sure it doesn’t happen again. We’ll continue to keep you informed about what happened and what it means for you as we learn more.”

The messages that a company in crisis conveys in the hours following the initial reveal are critical to how we perceive the company. When they get it right, we feel like the company has it under control. That the impact to share price will be short-lived. And we will forget about it with the next news cycle. When they get it wrong, we dig deeper and get more skeptical. We lose trust. And the impact on the stock price can be long-lived.

Lee Carter is president of maslansky + partners and oversees a diverse range of communication and language strategy work for Fortune 100 and 500 companies, trade associations, and non-profits in the U.S. and globally. A communication research veteran, Lee has conducted and analyzed more than one thousand instant response dial sessions, traditional focus groups and client strategy sessions. Lee has also written and overseen hundreds of language surveys and polls in more than 15 countries. She has used maslansky’s Dynamic Response tool, which uses 20 years of crisis response data and behavioral science, to evaluate Marriott’s message.