Case Study: Hotel Cybersecurity

What will you do when the hack hits your system?

The hackers are coming.
How will you respond?

Earlier this week the payment system of upscale hotel operator HEI was hacked, compromising credit card information of an “undisclosed number” of people. HEI, whose portfolio consists of Hyatt, Sheraton, Marriott, and Westin, isn’t the first to suffer a data breach. It joins the ranks of UCLA, Target, Home Depot, Ashley Madison, Sony, Neiman Marcus, and many others.

Instead of dwelling on the danger this poses to companies and consumers, let’s focus on how HEI handled the situation.

Similar to how Whole Foods handles recalls, HEI responded quickly by popping up a dedicated area of their website to answer consumers’ questions and reassure them.

The main page is brief and easy to read, with a quick intro and a table of contents telling where to find more information. Let’s break down the intro. Each sentence has a distinct purpose.

“Unfortunately, like many other organizations, we recently became aware that several of our properties may have been the victim of a security incident that could have affected the payment card information of certain individuals who used payment cards at point-of-sale terminals, such as food and beverage outlets, at some of our properties.”

This (really long) sentence accomplishes several things: Shows remorse; puts things in perspective by reminding you that hacking is now a common occurrence; explains what happened using conditional words like “may” and “could” to limit liability and fear.

“We take very seriously our responsibility to keep our customers’ information secure, and have mounted a thorough response to investigate and resolve this incident, bolster our data security, and support our customers.”

This affirms that HEI doesn’t take a threat to consumers’ information lightly and states what they’re doing to fix it.

“We are pleased to report that the incident has now been contained and individuals can safely use payment cards at all of our properties.”

Starting off with “We are pleased” is a great way to signal the problem is over and you’re “safe” to return to normal activity.

“We are sorry for any concern or frustration that this incident may cause.”

Shows that HEI cares. Notice they again say “may” because they don’t want to suggest that all of their customers were affected or frustrated.

“Based on the findings of our investigation, we are providing the following information and resources for our customers:

  • A detailed Notice Letter that explains what happened, describes the actions we’ve taken, and provides information and resources to anyone who may have been affected.
  • A Frequently Asked Questions document, delivering additional information that we anticipate that our customers may want or need.
  • Access to a Toll-Free Call Center, with operators standing by to address customer questions and concerns about this incident. You can reach this call center by dialing 888-849-1113 between 9:00 a.m. and 9:00 p.m. Eastern time, Monday through Friday.”

This bundle of bullet points almost had me clapping. They’ve got all the basic elements of a crisis packet.

The Notice Letter gives you a more detailed statement that spells out what occurred, what HEI’s doing, what you can do, and a number you can call if you’ve still got concerns.

The FAQ hopefully deters people from flooding phone banks with questions over and over.

The List of Affected Properties is probably the most-read document. It answers the immediate question, “Hacked? Does this affect me?!?!” HEI put this list in two places because they wanted to be certain nobody overlooked it (as panicked people tend to do).

Finally, they provide a number for customers to call. This demonstrates they’re there to help.

“We take this matter and the security of personal information very seriously and we will continue to review and enhance our security measures to further secure our systems. Again, please accept our sincere regret for any concern or frustration that this incident may cause.”

In closing, they remind you that they take this seriously and regret possibly causing any “concern or frustration.” These two elements are engineered to be calming and reassuring.

“Because Reputation Is Your Most Valuable Asset”

Gillott Communications is a Strategic PR firm. We’re Fixers. Crisis & Reputation Management. Litigation. Media Relations. Crisis Prep. More than half a century of expertise working with clients to resolve issues both in and outside the media’s glare — in their professional and personal lives.

You can reach Roger Gillott and Eden Gillott Bowe directly at 310-396-8696.

If you don’t already subscribe, please sign up for our blog, Insights on High-Stakes PR.

For a deeper glimpse into our world, see our book on Amazon, “A Lawyer’s Guide to Crisis PR: Protecting Your Clients In & From the Media.”

2 thoughts on “Case Study: Hotel Cybersecurity”

  1. Hi Roger,

    My son is a cyber security attorney in Washington with Alston and Bird. The little bit he tells me is really horrifying.

    Hope you’re well.

