What You Don’t Realize About the Marriott Data Hack: Good Marketing and Bad Breaches Go Hand in Hand

Good marketing is something that all of us welcome: useful information that connects us with something we actually need or want, and even better information that comes to us right when we want it, to help us make a decision.

When someone says they don’t like marketing what they mean is they don’t like bad marketing. They don’t like receiving information that isn’t relevant to them, that doesn’t speak to them in their language, that isn’t what they’re interested in.

The world is full of bad marketing. There’s very little good marketing. That’s because for all of the lip service that companies pay to big data, most companies accumulate lots of data but don’t really know what to do with it.

Frequent flyer programs are perhaps some of the world’s richest sources of data, and even most of them are using really rudimentally tools and marketing badly. That’s ironic because programs largely began as a data play that allowed airlines to use targeted permission-based marketing to contact their best customers and measure results.

  • Marketing used to be buying magazine ads. There’s be plenty of time spent perfecting the ad, based on a lot of gut instinct and experience. It had a long lead time (months) and you never really knew how the ad performed.

  • Frequent flyer programs let you communicate directly with your customers. You knew who they were, where they flew, and how often. When you sent out an offer to your database of customers, you knew quickly how that offer performed.

Most personal information isn’t very valuable. At least, personal information alone doesn’t matter. Names, addresses and phone numbers were published in phone books and eventually digitized. Getting a copy of the phone book wasn’t very helpful to businesses.

Add in email addresses and things change a little bit. It’s cheaper to email someone than to call them or send something by mail. But a single email address still doesn’t have very much value. Even one million email addresses aren’t very valuable, because response rates to spam are so low.

Knowing that a person flies for business every week and that their most frequent destinations are New York, Chicago, and Los Angeles is valuable. Knowing which hotel they stay at because of its proximity to another location and that they usually drive when they’re there is valuable. Knowing when they break their pattern is valuable, too.

Mark Ross-Smith, the former head of oneworld frequent flyer program Malaysia Airlines Enrich, makes an important point about this — what’s valuable is your behavioral data and you don’t even own that.

[T]he real cash is in behavioural data. That is – knowing WHY a consumer clicks on a link or transacts with a brand. What was the intent, or the primary driving factor behind the engagement?

Consumers do not own their behavioural insights. These insights are derived from data science teams at the organisations who have invested time creating machine learning models to identify traits, trends and use success metrics to better predict future intent behaviour on similar consumers.

Now armed with the behavioural data, companies can hyper-personalised the content you see, the marketing emails you receive, and the prices displayed. In this sense, companies can provide the right incentive to the right person at the right time.

A company may know some demographics about me. I’m a mid-40s male, so they send me marketing pitches about golf even though I don’t play golf. My age and gender are attributes, not behaviors.

Let’s stay out of the realm of travel for the moment. One of the most valuable political fundraising lists in the history of the Republican Party was a donor list from a failed Senate candidate who never made it past a primary election again.

  • Rick Lazio was the Republican candidate who lost to Hillary Clinton in New York in her first campaign.
  • Donors to that campaign weren’t predominantly people who just give to the New York Republican. They weren’t giving to the important local incumbent for business reasons.
  • Instead they were ideological donors, people from all over the country willing to write checks because they disliked Hillary Clinton.
  • Knowing the names and addresses of those people was valuable. Being on that list told marketeters something about motivations, and knowing that meant it was possible to craft targeted, effective campaigns.

The concern about data leaks isn’t that they might make your social security number available. That can have some value to identity thieves, and is probably available to them already. Ross-Smith suggests that databases containing behavioral insights create a whole different set of challenges. They may know you are motivated by animus to Hillary Clinton, or to Donald Trump. They may know you volunteer for environmental causes. They may know what you drink on a flight, and how you like to be referred to.

Behavioral models take information about you and turn that into predictive tools which are the proprietary technology of a company — and since it’s their intellectual property being stolen, companies aren’t even telling you that it’s been taken.

Ross-Smith argues that the seriousness of travel data breaches is greater than commonly realized (Marriott’s is by far the biggest) and suggests that “to understand the actual extent of the data breaches has on consumers, we need to know the full extent of every piece of data which was compromised.”

Are you someone that will usually extend a business trip through the weekend if the hotel rate drops to $150? What if breakfast is included? Will you buy up to a higher room category – a better view – for an extra $20 but not an extra $50? Is your spouse the real decision-maker?

I don’t think the level of disclosure Ross-Smith is talking about is likely to happen, right Arne?

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »



  1. I missed the point. Why does behavioral insight from “good marketing” make a data breach worse for me? While behavioral insights are valuable to the company that compiles them, I don’t care if some company other than the one I did business with stole the data and knows that I might extend a trip under certain circumstances. In fact, that might work to my benefit if another company (assuming a company not a state stole the data as may have been the case with Marriott) uses the data for its own “good marketing” and offers a product or service I might use.

  2. @john what’s being taken isn’t just your personally identifiable information, but predictive information about your motivations. in other words there’s more data there than you realize when it involves good marketing.

  3. Given that the prime suspect of the Marriott breach is Chinese intelligence, I’m guessing marketing information was not their goal, but rather travel patterns of government officials and important members of industry. I’d guess the goal is not targeted advertising, but rather extremely valuable intelligence that can reveal who is involved in what program and where (from travel history) and then using this intelligence to further target those individuals for future intelligence-collection activities. In particular, it helps them to know whose hotel room, conference room, etc. to bug when they visit China (or perhaps even on foreign soil depending on the value of the target.)

    Of course, this isn’t the first time China has been involved in such a hack (Hi, OPM!) and it won’t be the last.

  4. Incidentally, this also makes me wonder how much Anbang even wanted to buy Starwood or if the whole Anbang bid was actually just part of the Chinese intelligence attack on Starwood. Who knows what valuable information they got access to during the acquisition process. And then, conveniently, once most of that process was complete, the Chinese government blocked the acquisition.

  5. Although I lose points, when targeted bonuses were more competitive, occasionally I used my SPG card at hilton (when they were with Citi) and/or at IHG, hoping it would trigger a direct mail offer since hilton and ihg would have my pymt method and address. At SPG , I would try my Saphire for small purchases. No dice, and now with SPG and marriot combined, little incentive for M to leverage this knowledge with a targeted offer.

  6. Gary, nice analysis about the potential impact of data breaches. I do concur with vbscript2; they don’t just want the biographic data on Marriott’s customers they also want insights into all the various data points. Sadly in the US it seems to have been largely forgotten how ruthlessly cunning, effective, and determined the Chinese government is to worm its way into everything. The Huawei arrest brought it to the forefront for a few days, and then due to the unnecessary gummint shutdown it largely became forgotten.

Leave a Reply

Your email address will not be published. Required fields are marked *