The handling of one of the largest data breaches ever reported has been troublesome for Marriott. They first announced the data breach in November. Marriott claimed they were doing everything they could to notify customers in a timely manner, yet they’d already known about the data breach for two months before they went public.
When they did go public, communication was poor. Very poor. It would seem to be crisis management 101 to be contacting affected customers in a timely manner. And yet, a week after the announcement, 95% of people responding to my informal Twitter poll stated they still had not received any form of direct communication from Marriott.
NEW POLL: If you stayed at a Starwood hotel over the past 4 years, has Marriott contacted you yet about the data breach?
— Edward Pizzarello (@pizzainmotion) December 4, 2018
In the weeks that followed, I continued to hear from members who hadn’t heard from Marriott.
Check To See If Your Personal Info Was Stolen
One Mile at a Time reported that you can now check to see if your personal information was stolen as part of the Marriott breach. The process is not without questions and questionable decision-making. I walked through it this morning before writing this post.
I was asked for a handful of personal details, including my SPG number (which one, I‘ve had 3 in the midst of the merger pain?) the last 6 digits of my passport and some address information. Once I submitted all of this information and confirmed my e-mail address, I was told that they’d get back to me soon. Very comforting.
This Isn’t Effective Communication
It’s still unclear how the stolen data was being stored. We’re passport records associated with SPG numbers? How about names? Or, were the passport numbers just in a file? The CEO of Marriott suggests that your passport number is saved in your online record, even though nobody I’ve ever met has had to key in their passport data when making a reservation. Any way I crunch the data here, I’m confused.
If the passport data was associated with our identities, then Marriott should have been able to provide instant notification to customers without needing a website to do so. At a bare minimum, it wouldn’t have been hard to write a script that verifies my passport is connected to the correct personal information I entered and provide me further instructions on what to do next. If the passport data wasn’t connected to our identities, how does providing my address and SPG number help them clarify that I’m the one who should be informed about my personal data breach?
Either Marriott knows the customers whose data was stolen or they don’t. Either way, the process here is either lazy or misinformed on how to properly communicate with affected customers.
I’ll keep folks updated when I hear back from my request.
Did you enjoy this post? Please share it! There’s plenty of ways to do that below.
And, I hope you’ll check out my podcast, Miles To Go. We cover the latest travel news, tips and tricks every week so you can save money while you travel better. From Disney to Dubai, San Francisco to Sydney, American Airlines to WestJet, we’ve got you covered!