When you check in, your privacy may check out

Photo of author

By Christopher Elliott

Several days after Traci Fox visited a small independent resort in the Catskill Mountains, she received an unexpected call from a shoe store. Where did she want it to ship the $400 worth of pricey sneakers that she’d ordered?

Just one problem: She hadn’t purchased any footwear. As Fox, a college professor from Philadelphia, rummaged through her pocketbook to find her credit card, the phone rang again.

“It was Coach handbags asking if I wanted the $750 worth of handbags shipped to a different address,” she says. Calls to her credit card revealed another bogus charge for $7,500 at Home Depot.

“Of course, I wasn’t liable for anything,” she says. “But it was still scary and frustrating.”

Rising concerns over privacy data in the hospitality industry

Fox believes her hotel may have compromised her credit card information, and her concerns are shared by at least one government agency. Last summer, the Federal Trade Commission (FTC) sued Wyndham Hotels, alleging that the company had failed to protect its customers’ personal information. As a result, the FTC claims that hundreds of thousands of credit card numbers ended up in the wrong hands. This lead to millions of dollars in fraud-related losses. Wyndham denies any wrongdoing and is currently fighting the suit.

“Data security is becoming an issue of significant importance in the hospitality industry,” says Mark Schreiber. Mark is an attorney specializing in hospitality law at the Boston firm of Edwards Wildman Palmer. He cites an increase in hacks and malware attacks, which frequently target hotel systems because they’re a rich source of personal information.

Identity theft expert John Sileo says that there’s another reason hotel guests are vulnerable to having their personal information stolen. They’re easily distracted. “We just don’t pay attention to the details when we’re running through airports and staying in unfamiliar places,” he says. “It’s easier to miss something and to be careless.”

New threat vectors in hotel data breaches

Data breaches can happen anywhere within a hotel. Ann Azevedo, an engineer who lives in Hartford, Conn., checked out of a chain hotel in Seattle not long ago. A few days later, someone used her card to buy gas on the other side of the country, she says. The likely source of the breach was an ATM machine at the hotel. “I canceled the credit card,” she says. “And I’ll never use a hotel ATM again.”

In the past, hotels and travelers assumed that rogue hotel or restaurant employees were to blame for the theft of personal information. This is according to data privacy expert Edward Hasbrouck. But that’s no longer true. Today, hackers aren’t just targeting data on hotel systems but also the information passed along to reservations systems. “Credit card theft is much easier — and more likely — through large-scale hacking,” he says.

Sodexo North America is part of a global, Fortune 500 company with a presence in 80 countries. Sodexo is a leading provider of integrated food, facilities management and other services that enhance organizational performance, contribute to local communities and improve quality of life for millions of customers in corporate, education, healthcare, senior living, sports and leisure, government and other environments daily. Learn more at Sodexoinsights.com.

In the FTC’s lawsuit, for example, the agency alleges that Wyndham assured customers that it recognized “the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests.” Yet it failed to take security measures such as requiring employees to generate complex user IDs and passwords and to properly install firewalls and network segmentation between the hotels and the corporate network, according to the agency.

The dilemma of consumer helplessness

Hasbrouck knows about data theft firsthand. Data thieves swiped his partner’s credit card info after a recent hotel stay. She tracked the order down to an address. The credit card company let the matter drop after reversing the charge. The incident made Hasbrouck and his partner realize how powerless consumers are when it comes to preventing data theft and that there probably aren’t enough laws to protect travelers from such crimes.

It’s difficult to take preventive steps, say experts. Apart from paying with cash, there’s almost no way to tell whether a hotel will treat your personal information with care or whether it will leave a backdoor or firewall unguarded for hackers to steal your credit card information. Large hotel chains will post their data protection policies online, “but they won’t make much sense to the average consumer,” says Richard Alderman, who directs the Center for Consumer Law at the University of Houston Law Center.

“I think consumers should continue to deal with hotels as they have in the past, knowing that almost all hotels are as concerned with customers’ privacy as are the customers,” he adds.

The hidden risks of personal information exposure

The FTC case, which is being widely watched in the hotel industry and could set minimum standards for data protection, is unlikely to dramatically change the way most hotels handle your credit card information. Bob Schoshinski, an FTC assistant director for the privacy and identity protection division, says that the government simply wants Wyndham to do what its privacy policy states.

Beyond that, guests need to know what Fox and Azevedo already do: that the information they give up at the check-in counter can potentially be seen by many parties, including criminals. “I wouldn’t say that you should be concerned,” says Schoshinski. “But hotel guests should be aware of what data they’re giving. Read the privacy policy. Know what it says.”

The problem may run deeper than the theft of credit card numbers, however.

The personally identifiable information in your guest profile, such as your home address, your license plate number and your date of birth, which is attached to your reservation, can end up in the hands of a third party that offers little or no warranties about how it will protect your data. “These kinds of areas are more worrisome than some huge Visa bill,” says hotel consultant Marion Roger. “Once your identity has been cloned, you can easily spend years and hundreds of thousands in legal and other fees.” (Here’s how to fix your own consumer problem)

The need for privacy laws

Apart from having the hotel industry tighten security, the best way to address data theft may be through changes in consumer law. A good starting point might be to tell consumers what information is being collected from them and passed along to third parties, says Hasbrouck. (Related: Your customer data isn’t safe, but here’s how to protect it.)

Such privacy laws exist in Europe and Canada, but American business has resisted them. “Most travelers would be shocked to know how many other companies the hotel may have given [the information] to in the normal course of their business,” Hasbrouck says.

Do hotels do enough to protect your privacy?

View Results

Loading ... Loading ...
Photo of author

Christopher Elliott

Christopher Elliott is the founder of Elliott Advocacy, a 501(c)(3) nonprofit organization that empowers consumers to solve their problems and helps those who can't. He's the author of numerous books on consumer advocacy and writes three nationally syndicated columns. He also publishes the Elliott Report, a news site for consumers, and Elliott Confidential, a critically acclaimed newsletter about customer service. If you have a consumer problem you can't solve, contact him directly through his advocacy website. You can also follow him on X, Facebook, and LinkedIn, or sign up for his daily newsletter.

Related Posts