Journal of Service Research, Ahead of Print.
Evidence shows that, in the aftermath of cyberattacks, organizations usually accept responsibility for having failed to protect stakeholders’ data more effectively. While this strategy is reasonable in many circumstances, research suggests that it would be unsuitable in situations where the data breach is caused exclusively by criminal actors, what scholars refer to as a “victim crisis.” We argue that, in this type of situations, organizations can apologize while claiming victimhood. We present a model of moderated mediation explaining the persuasiveness of this strategy as a response to cyberattacks. In five experiments, we show that an apology claiming victimhood outperforms an apology accepting or rejecting responsibility. However, claiming victimhood is effective only when evidence of harm is provided and when the organization cannot be construed as being partly responsible for the attack. Furthermore, claiming victimhood is more effective if the focal organization is perceived as virtuous and the cybercriminal as very competent. The study contributes to the literature on service failure and recovery by offering the first account of how claims of victimhood can be deployed effectively. Furthermore, the study raises important managerial implications by proposing a novel communication strategy that can be deployed in the aftermath of cyberattacks.