By Michael S. Rosenwald
Washington Post Staff Writer
Wednesday, December 28, 2005
Marriott International Inc.'s time-share division said yesterday that it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company.
Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, were stolen from the company's Orlando headquarters or whether they were simply lost.
An internal investigation produced no clear answer. The company notified the Secret Service over the past two weeks, and has also told credit card companies and other financial institutions about the loss of the tapes.
The company began sending letters to time-share owners and customers Saturday, and issued a press release about the loss yesterday. Company officials said they delayed making the matter public until they had researched what information was on the tapes and whom it affected, and determined the issue was sensitive enough to warrant a broad disclosure.
"At this point, we are taking all things into consideration," company spokesman Ed Kinney said. "The tapes may have been taken, but they could have been misplaced. We're still investigating the situation."
The Vacation Club has told time-share owners, customers and the division's employees to be on the alert for changes to their credit histories or accounts. So far no one has reported any misuse, Kinney said. Those affected have been offered free credit monitoring services.
"We regret this situation has occurred and realize this may cause concern for our associates and customers," said Stephen P. Weisz, president of Marriott Vacation Club International, a wholly owned subsidiary of the Bethesda hotel chain. More than 280,000 families use its time-shares worldwide.
The loss of Marriott's tapes is the latest in a series of high-profile security lapses involving data that can be used in identity theft schemes. In 2005, there were at least 134 data breaches affecting more than 57 million people, according to the Identity Theft Resource Center, a California nonprofit that helps people hurt by identity theft and lobbies on computer-privacy issues.
Last February, ChoicePoint Inc. disclosed that it had released thousands of reports containing names, addresses, Social Security numbers and financial information to people posing as officials in legitimate insurance, debt-collection and check-cashing businesses. In June, MasterCard International said that Card Systems Solutions, which processes credit card transactions, had been hacked and that forty million people had their credit card information exposed.
Even high-security defense companies have been victimized. In January, thieves stole computers from Science Applications International Corp. of San Diego that contained personal data on thousands of current and past employees, including former military and intelligence officials.
It is not clear how many cases of identity theft have been caused by the data breaches. There are about 10 million cases of identify theft a year, with total losses of $53 billion, said Robert Douglas, a Colorado privacy consultant and chief executive of PrivacyToday.com.
The costly identity theft schemes have caused state and federal lawmakers to fight for tighter protection of personal data and quick disclosures of breaches.
In 2003, California became the first state to pass a rigorous disclosure law requiring that organizations inform individuals if their personal information is compromised. More than 20 states have passed similar laws since then. Congress is considering more than two dozen bills on what companies should be required to do in data breach cases.
"For the longest time, people have said it's the consumers' fault," Douglas said. "They don't shred their bank statements at home, or what have you. But since the California law was passed now we are learning how much of this information has been breached and is floating around out there."
"We try to be proactive in cases like this," Kinney said. "We followed our own process of being open and proactive."
Kinney said the tapes, which require specialized equipment to access, were the responsibility of the company's information resources group. Citing company policy, he declined to say if anyone from the group had been dismissed or disciplined because of the disappearance of the tapes.