
The Hilton Hotels credit card scandal: how to handle a data breach 

Data breaches are a serious issue that many organizations have had to address. Most manage to prevent them; some end up in both legal and reputational ‘hot water’.

Like it or not, consumers have come to expect 100% protection of their privacy regardless of whether you have promised it. The reality of our modern world is that as the benefits of technology increase, so do the drawbacks. 

During two separate instances, the reputation of Hilton Hotels was put in severe danger due to a breach in security. Back in 2014 and 2015, their computer system was hacked and 363 000 customer credit card accounts were compromised (BBC, 2017). 

The company didn’t address the situation in a timely manner, which left customers in the dark about their banking security. From a communications standpoint, silence sends a message of confusion which breaks the trust of customers and stakeholders.

One of the top rules of crisis management is “speak first and speak often.” When organizations have crisis plans in place to speak ASAP, rumours are stopped, nerves are calmed, and credibility is maintained.

So, what should you do when you’re exposed, and your customer data/privacy has been breached?

  1. What’s your current relationship (pre-breach) and perceived reputation? You want to make sure you’re meeting perceptions and expectations – if you already have low trust, you’re going to have to develop messaging that acknowledges it. “We’ve been working hard to improve our systems, and we know that it hasn’t been done fast enough.”

  2. Map your audiences – Determine who has been directly affected by the breach (hint: they’re your primary). Who do you need to be in touch with and how soon? (hint: ASAP!)

  3. Map your messages (don’t lie about anything!) – for every audience, you will create a message map including timings (this is where you include what your apology looks and sounds like). Frequent messaging should be delivered in order to provide consistent updates on the situation. These updates should also be personalized: use the individual’s name and refer to the specifics of their problem.

  4. Include legal. Make sure you’re within the confines of the law with what you plan to say.

  5. Develop products for messages; test your messaging.
  • What platform works best to reach your audience?
  • For example, Facebook can be used to reach older audiences while Instagram and Twitter are used primarily by younger demographics.

  6. Track and evaluate messaging, adjust course if required.


Keep in mind that when speaking with customers, you have to make sure that a calm, understanding tone is used. This can be done by reassuring them that the situation is under control and they will be compensated for damages (if not, prepare to be berated by the media). Also, avoid condescending language that attempts to take the blame off of your organization such as, “This is not our fault” or “We are not responsible for your privacy.”

We can’t stress enough how important language and messaging are in crisis communications. Your statements and other messages should always be reviewed by various members of the team in order to pinpoint any errors in judgement and information. 

Finding the root of the problem and communicating promptly will increase your organization’s chances of recovering from a scandal such as a data breach.


Written by Katie Robertson & Jessie Cheveldayoff

Katie Robertson is a Crisis Communications Expert and the Founder/CEO of Grapevine Communications.

Jessie Cheveldayoff is currently a Bachelor of Communications Student at MacEwan University with a major in Professional Communications.


Hilton Hotels fined for credit card data breaches. (2017, November 14). Retrieved from
