“It was Coach handbags asking if I wanted the $750 worth of handbags shipped to a different address,” she says. Calls to her credit card revealed another bogus charge for $7,500 at Home Depot.
“Of course, I wasn’t liable for anything,” she says. “But it was still scary and frustrating.”
Fox believes that her hotel may have compromised her credit card information. At least one government agency shares her concerns. Last summer, the Federal Trade Commission sued Wyndham Hotels, alleging that the company had failed to protect its customers’ personal information. As a result, the FTC claims, hundreds of thousands of credit card numbers fell into the wrong hands, leading to millions of dollars in fraud-related losses. Wyndham denies any wrongdoing and is fighting the suit.
“Data security is becoming an issue of significant importance in the hospitality industry,” says Mark Schreiber, an attorney specializing in hospitality law at the Boston firm of Edwards Wildman Palmer. He cites an increase in hacks and malware attacks, which frequently target hotel systems because they’re a rich source of personal information.
Identity theft expert John Sileo says that there’s another reason hotel guests are vulnerable to having their personal information stolen: They’re easily distracted. “We just don’t pay attention to the details when we’re running through airports and staying in unfamiliar places,” he says. “It’s easier to miss something and to be careless.”
Data breaches can happen anywhere within a hotel. Ann Azevedo, an engineer who lives in Hartford, Conn., checked out of a chain hotel in Seattle not long ago. A few days later, someone used her card to buy gas on the other side of the country, she says. The likely source of the breach was an ATM machine at the hotel. “I canceled the credit card,” she says. “And I’ll never use a hotel ATM again.”
In the past, hotels and travelers assumed that rogue hotel or restaurant employees were to blame for the theft of personal information, according to data privacy expert Edward Hasbrouck. But that’s no longer true. Today, hackers aren’t just targeting data on hotel systems but also the information passed along to reservations systems. “Credit card theft is much easier — and more likely — through large-scale hacking,” he says.
In the FTC’s lawsuit, for example, the agency alleges that Wyndham assured customers that it recognized “the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests.” Yet it failed to take security measures such as requiring employees to generate complex user IDs and passwords and to properly install firewalls and network segmentation between the hotels and the corporate network, according to the agency.