
How Marriott Missed the Mark Communicating to Guests About Its Data Breach


Last December, Marriott made waves by announcing that up to 500 million customers had lost their data in what would be one of the largest cyber-security breaches in history. Recently, they gave an update that aimed to clarify what had happened. While both statements were heavy on facts and details, they do little to address their customers’ feelings.

Marriott’s initial response to the breach reflected a mistake that many companies in crisis make. Marriott’s management listed in clinical detail all that they knew and didn’t know, and announced a dedicated phone line and website for those affected by the breach, a micro-site where Starwood customers can find information about the incident, and a year’s worth of web-monitoring services.

In other words, they treated the breach like a crisis of facts, rather than a crisis of feelings. What they didn’t address was what they did wrong. They didn’t take into account their consumers’ emotions. In a crisis like this, there’s fear, broken trust and skepticism.

In Marriott’s latest response, they provided an update on the number of accounts affected and the specific types of data that were lost. While this information is useful, it’s not enough. What could have been a second chance to speak directly to customers’ concerns ended up as more of the same.

Until Marriott properly deals with those emotions, it won’t win back customer and investor trust. 

Better Responses

Here’s a look at what Marriott’s management did, as well as what could have been done:

Marriott’s first response:

Instead they should have:

They distanced themselves from the issue by using the third person and focusing on Starwood: “Marriott has taken measures to investigate and address a data security incident involving the Starwood guest reservation database.” “The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.”

They should validate our concerns and acknowledge their shortfall: “When you use our website, your data should be secure. But on November 19, we discovered that the Starwood guest reservation database had been breached by attacks going back to 2014. You trusted us with your information, and we let you down.”

They buried the details that mattered: “The information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).” “Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.”

They should cite shared goals: “We know your first priority is to know how this attack may have affected you. [XYZ] data was taken—including encrypted credit card statements. We don’t yet know how the attack happened and whether the encryption keys were taken, as well. We’ve launched a full investigation to find out, but in the meantime we’re doing everything we can to make this right...”

They did describe steps they took but stopped short of reassuring us: “We have established a dedicated website and call center to answer questions you may have about this incident.” “Marriott is providing guests the opportunity to enroll in WebWatcher free of charge for one year.” (Describes additional actions)

They should use the actions they took to reassure us: “We’ve established a dedicated website and call center so you can get answers to any and all questions you have about the incident.”

“We’re paying for any member who wants to enroll in the cyber security service WebWatcher to help keep their information safe.”

“And we’re going to be completely transparent about the results of our investigation so you know everything we do about what happened and how we’re going to keep it from happening again.”

They restated their goal: “Today, Marriott is reaffirming our commitment to our guests around the world.”


They should let us know they get the severity and tell us what’s next: “The fact that this happened is unacceptable. And we’re ready to do whatever we can to make sure it doesn’t happen again. We’ll continue to keep you informed about what happened and what it means for you as we learn more.”

Marriott’s second response:

Instead they should have:

They showed that they are working on it: “We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened.”


They should have shown that they know what their customers care about: “We know that in a situation like this, you have a right to know whether your data has been affected. We’ll continue to provide our customers and partners with updates based on our ongoing work, to make sure you get all of the information you need as soon as possible.”

They tried to make us feel better with facts: “Marriott now believes that the number of potentially involved guests is lower than the 500 million the company had originally estimated. Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident.”

They should not celebrate a reduction in what is still a real problem: going from 500 million records lost to 383 million records lost doesn’t feel different enough to calm any concerns—and it still makes this one of the largest data breaches in history.


In a crisis, the message that a company conveys in the hours following the initial reveal is critical to how consumers perceive the company and the situation. Follow-up statements offer the chance to either change course or reinforce the perceptions that have already taken hold. When a company gets it right, the consumer feels like the company has the situation under control. The impact on share price will then be short-lived and the crisis will be forgotten in the next news cycle. When a company continues to get the message wrong, the customer only grows more skeptical. Trust slips further away. And the impact on the stock price can be long-lived.


  • About the author

    Michael Maslansky is CEO of maslansky + partners. He advises Fortune 500 corporations, industry associations, major litigation practices and non-profit organizations on language strategy and messaging issues. Clients that have sought Michael’s counsel include FedEx, Morgan Stanley, Procter & Gamble, UBS and The Walt Disney Company.
