Originally Posted by kyanar

That they haven't even sent out an impersonal notification of the potential for our information to have leaked when they've had more than enough time to spin up a reputation management firm and get a press release in the hands of the New York Times, and get FlyerTalk to publish a complete load of tripe on the front page while they're at it, is the problem.

Legally, they must notify customers of the breach. They've acknowledged that they know what info the breach contains but they may not necessarily know if yours is in it. That's fine, simple answer is an email: "We have been able to establish that the data removed contains Full Name, Address, Phone Number, Email, Stay Details, Loyalty Program details including SPG Number and level in the program, and in cases where the hotel has a requirement to store Passport details these may have been included. At this stage, we are unable to say whether your details have been included. We recommend you keep an eye out for any signs our information has been removed and misused, and contact us using the details on the dedicated page setup at blahblahblah. Rest assured we are continuing to investigate as the highest priority, and we will notify you immediately if we can determine that your information was included in the breach with next steps".

Seriously, not hard. Tell people what happened, invite them to contact the dedicated team with any concerns, and advise that you'll be informed ASAP if they determine your details are definitely hacked.