Crisis Management

Ghosts in the machine and the Marriott hack

Last week brought another large-scale security hack. This time it was the hotelier, Marriott that was the subject of unwanted attention. More precisely, it was their recent acquisition, the Starwood group, which was targeted. The business operates a number of well-known brands, including W Hotels, Sheraton, Westin and Aloft. The size of the operation goes some way to rationalise the scale of the breach, which is reported to have impacted as many as 500 million Starwood customers. To put the numbers into context, that’s second only to the 2013 attack on Yahoo, which affected 3 billion users. A distant second place, I recognise, but even so, these are astronomical numbers.

I don’t bring this up in terms of the crisis response; in fact, the Marriott actions to date have been laudable, including the neat idea of giving those who have been affected, the opportunity to use a web monitoring tool for up to a year to gauge whether there is unauthorised use of their personal details.

No, from a crisis communications perspective, the real interest lies in what was happening ‘upstream’. What I mean is that the Starwood hack is four year old! Its defences were breached in 2014, which is two years prior to the Marriott acquisition. The Marriott systems, apparently, are not affected. My point being – as is invariably the case with crisis communications – is that this is a crisis preparedness issue.

In short, mergers and acquisitions have always had their challenges for the reputation specialist, whether they were cultural differences, the inevitable job losses, or market volatility. The Marriott case, however, is illustrative of the inherent sensitivities of corporate acquirement in the digital age; principally the fragility (or not) of the systems, security and associated employee behaviours that’s characteristic of the newly purchased asset. To be clear, I don’t point the finger at Starwood, but make the point to best demonstrate the changing nature of reputational risk, and more importantly, to highlight a need to involve communicators sooner rather than later if an intrinsic threat – however feint - exists. The process of due diligence is tightly marshalled, typically, due to the sensitivities of the circumstances, but it’s vital that a link is established between those who delve ‘under-the-bonnet’ in the first place, and those of us who are tasked with managing the brand and any innate frailties thereafter.

This piece first appeared on the Mumbrella website:


Can hacking be good for us?

Dropbox – the cloud storage supplier – has been hacked. To be more precise, it’s just been reported that up to 68 million usernames and passwords were stolen back in 2012. Now, that’s a statement which probably bemuses the reader on two points; firstly, the scale of the breach, and secondly, the speed of the news – that’s 4 years ago. In fairness, the company made it known that they had been compromised in 2012, but the size of the incident had apparently been underestimated.

It’s said that Dropbox was completely unaware of the full extent of the attack, which leaves me in a flux – exasperated by their state of oblivion, while being gently encouraged by the fact that nothing has changed. As a Dropbox user (Darn, have I compromised myself?), I read the story with an air of resignation in light of the increasing regularity of such breaches – not just at Dropbox, I hasten to add. However, there lies the nub of the issue – my lethargic response, which is no doubt shared by others, is indicative of the consumer mindset that these attacks are a corporate problem and subsequently need corporate solutions. Not so, as corporate stakeholders we are all part of the problem and the solution. Specifically, the public’s attitude towards passwords is casual at best, with our encryption bordering on an ‘open door’ policy – Pass 1234 anyone?

Hack fatigue would appear to be setting in among the public, leaving them perilously indifferent to the issue. So what to do? In entering the spirit of Sydney’s Festival of Dangerous Ideas, maybe we need the castle defences to be brought down occasionally to best appreciate our enemy's strengths, and give priority to investing in bigger and better walls. Only when we have a full grasp of the impact, will we recognise the threat.

Trolley collectors of the world unite!

It’s a classic case of ‘David versus Goliath’ – in one corner, Coles – one of Australia’s biggest supermarket chains; in the other, the often overlooked men and women who collect their trolleys. You can read more here.

In summary, the giant was slain (okay, I’m going too far with the metaphor); in fact, the supermarket was penalised by the Fair Work Ombudsman (FWO) for the “gross underpayment” of these workers. I chose that last word – ‘workers’ - carefully, as it goes to the heart of the matter. Essentially, the Coles defence rested on the idea that the trolley collectors were contractors and not direct employees. So, they could – in the words of the FWO’s Natalie James – “wipe [their] hands of the problem.” Not so; Ms James was unequivocal in her agency’s appetite to address big business’ exploitation of workers. Her words – “we will look up to the business at the top” – will leave corporate boardrooms with no doubt where the responsibility for such elaborate supply chains lie.

The episode is also a notable case of issue mismanagement; to clarify, issues are those situations which if left unattended have the potential to significantly affect a business – I would suggest that workers underpaid to the tune of six-figure sums is significant. In fairness, it has to be said that Coles has back-paid the workers in question and established a $500,000 fund for others who could also have been affected. 

However, the developments clearly illustrate the seemingly unrelated nature of issues – in that they are not related to us, so we don’t need to worry about them. This is an important point as it should challenge the commonly held mindset among senior teams that reputation management is exclusively about what we as a business do – our people, our products, our prices. Yet, the people who also carry out duties under our name as third parties are rashly overlooked. It’s a point that was writ large following the BP response to the blowout on the Transocean owned Deepwater Horizon and should have been enshrined across the collective executive, but it would appear that memories are short and to that end, reminders will continue to be painful.