I stayed at a Marriott hotel near Boston last April, so I was very concerned when I heard about the Starwood breach. As a result, I’ve conducted a bit of research on the subject.
Marriott purchased Starwood Hotels & Resorts, in part, because of Starwood’s popular loyalty program. Unfortunately, Marriott also purchased Starwood’s cyber issues. A vulnerability in Starwood’s hotel reservation system had been allowing unauthorized access to it since 2014, a year before the acquisition between the two corporations was even discussed.
Although original estimates indicated more than 500 million guests were affected, recent estimates by Starwood top out at 383 million, some of which may be duplicates. Phew! That makes me feel SO much better. You too?
Here are the most recent figures released by Starwood (on January 4, 2019):
- 8.6 million encrypted payment card numbers were compromised
- 5.25 million UNencrypted passport numbers were compromised
- 20.3 million encrypted passport numbers were compromised
- 327 million guests had some combination of the following types of information compromised:
  - Mailing address
  - Date of birth
  - Arrival and departure info
  - Reservation date
  - Communication preferences
  - Encrypted payment card numbers
Although you may be breathing easier because stolen credit card info was encrypted, you might want to reconsider. Why? Well, it seems the encryption key might have been stolen right along with the payment card information. The bad guys had access to the system for 4 years. I wonder what other info they stole…
From what I’ve learned, hotels are notoriously vulnerable to security breaches because they often don’t use chip readers and, instead, either enter credit card info manually into their systems or swipe credit cards when guests check in. One cybersecurity expert reported that both the Hyatt and Trump hotel chains were hacked in 2016.
What bothers me is that hotels keep your credit card information after you leave–even when you ask them to destroy it and they swear they will. That happened to me last spring, when I traveled to Kansas City on business. My client paid for my hotel stay and, when I checked in, the hotel required me to present my personal credit card for “incidentals.” I asked the desk clerk how much I would be charged and whether the hotel would keep my payment information afterward. I was told that a $25 “hold” would be placed on my card at check-in and, if I did not charge anything during my stay, the hotel would remove the hold and destroy my card info.
Well, that’s not what happened. Several months later, after a glitch in communication between my client’s booking agent and the hotel, the hotel charged $152.25 to MY credit card rather than the client’s credit card. (The hotel had not destroyed the info on either card.)
This charge was made although I had not paid the hotel anything (the “hold” was removed) and without my authorization. I called my credit card company, reported a fraudulent charge, and had the card cancelled and reissued.
This was the 2nd time in less than a year I used my credit card legitimately and, through illicit means, an unauthorized third party acquired my info and used it for their own benefit. As a result, the Starwood breach–and the scope of it–does not surprise me. I’m just glad I stopped using debit cards years ago.
Feel free to share your own stories. I know you have them…