Ghosts in the machine and the Marriott hack

Last week brought another large-scale security hack. This time it was the hotelier Marriott that was the subject of unwanted attention. More precisely, it was their recent acquisition, the Starwood group, which was targeted. The business operates a number of well-known brands, including W Hotels, Sheraton, Westin and Aloft. The size of the operation goes some way to rationalise the scale of the breach, which is reported to have impacted as many as 500 million Starwood customers. To put the numbers into context, that’s second only to the 2013 attack on Yahoo, which affected 3 billion users. A distant second place, I recognise, but even so, these are astronomical numbers.

I don’t bring this up in terms of the crisis response; in fact, the Marriott actions to date have been laudable, including the neat idea of giving those who have been affected the opportunity to use a web monitoring tool for up to a year to gauge whether there is unauthorised use of their personal details.

No, from a crisis communications perspective, the real interest lies in what was happening ‘upstream’. What I mean is that the Starwood hack is four years old! Its defences were breached in 2014, which is two years prior to the Marriott acquisition. The Marriott systems, apparently, are not affected. My point – as is invariably the case with crisis communications – is that this is a crisis preparedness issue.

In short, mergers and acquisitions have always had their challenges for the reputation specialist, whether they were cultural differences, the inevitable job losses, or market volatility. The Marriott case, however, is illustrative of the inherent sensitivities of corporate acquirement in the digital age; principally the fragility (or not) of the systems, security and associated employee behaviours that are characteristic of the newly purchased asset. To be clear, I don’t point the finger at Starwood, but make the point to best demonstrate the changing nature of reputational risk, and more importantly, to highlight a need to involve communicators sooner rather than later if an intrinsic threat – however faint – exists. The process of due diligence is tightly marshalled, typically, due to the sensitivities of the circumstances, but it’s vital that a link is established between those who delve ‘under-the-bonnet’ in the first place, and those of us who are tasked with managing the brand and any innate frailties thereafter.

This piece first appeared on the Mumbrella website: https://mumbrella.com.au/dear-brands-i-think-we-need-to-talk-about-data-557759