When you check in, your privacy may check out

Several days after Traci Fox visited a small independent resort in the Catskill Mountains, she received an unexpected call from a shoe store. Where did she want it to ship the $400 worth of pricey sneakers that she’d ordered?

Just one problem: She hadn’t purchased any footwear. As Fox, a college professor from Philadelphia, rummaged through her pocketbook to find her credit card, the phone rang again.

“It was Coach handbags asking if I wanted the $750 worth of handbags shipped to a different address,” she says. Calls to her credit card revealed another bogus charge for $7,500 at Home Depot.

“Of course, I wasn’t liable for anything,” she says. “But it was still scary and frustrating.”

Fox believes that her hotel may have compromised her credit card information. At least one government agency shares her concerns. Last summer, the Federal Trade Commission sued Wyndham Hotels, alleging that the company had failed to protect its customers’ personal information. As a result, the FTC claims, hundreds of thousands of credit card numbers fell into the wrong hands, leading to millions of dollars in fraud-related losses. Wyndham denies any wrongdoing and is fighting the suit.

“Data security is becoming an issue of significant importance in the hospitality industry,” says Mark Schreiber, an attorney specializing in hospitality law at the Boston firm of Edwards Wildman Palmer. He cites an increase in hacks and malware attacks, which frequently target hotel systems because they’re a rich source of personal information.

Identity theft expert John Sileo says that there’s another reason hotel guests are vulnerable to having their personal information stolen: They’re easily distracted. “We just don’t pay attention to the details when we’re running through airports and staying in unfamiliar places,” he says. “It’s easier to miss something and to be careless.”

Data breaches can happen anywhere within a hotel. Ann Azevedo, an engineer who lives in Hartford, Conn., checked out of a chain hotel in Seattle not long ago. A few days later, someone used her card to buy gas on the other side of the country, she says. The likely source of the breach was an ATM machine at the hotel. “I canceled the credit card,” she says. “And I’ll never use a hotel ATM again.”

In the past, hotels and travelers assumed that rogue hotel or restaurant employees were to blame for the theft of personal information, according to data privacy expert Edward Hasbrouck. But that’s no longer true. Today, hackers aren’t just targeting data on hotel systems but also the information passed along to reservations systems. “Credit card theft is much easier — and more likely — through large-scale hacking,” he says.

In the FTC’s lawsuit, for example, the agency alleges that Wyndham assured customers that it recognized “the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests.” Yet it failed to take security measures such as requiring employees to generate complex user IDs and passwords and to properly install firewalls and network segmentation between the hotels and the corporate network, according to the agency.

Hasbrouck knows about data theft firsthand. Data thieves swiped his partner’s credit card info after a recent hotel stay. Although she tracked the order down to an address, the credit card company let the matter drop after reversing the charge. The incident made Hasbrouck and his partner realize how powerless consumers are when it comes to preventing data theft and that there probably aren’t enough laws to protect travelers from such crimes.

It’s difficult to take preventive steps, say experts. Apart from paying with cash, there’s almost no way to tell whether a hotel will treat your personal information with care or whether it will leave a backdoor or firewall unguarded for hackers to steal your credit card information. Large hotel chains will post their data protection policies online, “but they won’t make much sense to the average consumer,” says Richard Alderman, who directs the Center for Consumer Law at the University of Houston Law Center.

“I think consumers should continue to deal with hotels as they have in the past, knowing that almost all hotels are as concerned with customers’ privacy as are the customers,” he adds.

The FTC case, which is being widely watched in the hotel industry and could set minimum standards for data protection, is unlikely to dramatically change the way most hotels handle your credit card information. Bob Schoshinski, an FTC assistant director for the privacy and identity protection division, says that the government simply wants Wyndham to do what its privacy policy states.

Beyond that, guests need to know what Fox and Azevedo already do: that the information they give up at the check-in counter can potentially be seen by many parties, including criminals. “I wouldn’t say that you should be concerned,” says Schoshinski. “But hotel guests should be aware of what data they’re giving. Read the privacy policy. Know what it says.”

The problem may run deeper than the theft of credit card numbers, however.

The personally identifiable information in your guest profile, such as your home address, your license plate number and your date of birth, which is attached to your reservation, can end up in the hands of a third party that offers little or no warranties about how it will protect your data. “These kinds of areas are more worrisome than some huge Visa bill,” says hotel consultant Marion Roger. “Once your identity has been cloned, you can easily spend years and hundreds of thousands in legal and other fees.”

Apart from having the hotel industry tighten security, the best way to address data theft may be through changes in consumer law. A good starting point might be to tell consumers what information is being collected from them and passed along to third parties, says Hasbrouck.

Such privacy laws exist in Europe and Canada, but American business has resisted them. “Most travelers would be shocked to know how many other companies the hotel may have given [the information] to in the normal course of their business,” Hasbrouck says.

Do hotels do enough to protect your privacy?

View Results

Loading ... Loading ...

Christopher Elliott

Christopher Elliott is an author, journalist and consumer advocate. You can read more about him on his personal website or contact him at chris@elliott.org. Got a question or comment? You can post it on the new forum.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus

  • KaraJones

    This article is very timely. Just last week, I received an email alert that my elderly father’s card had been used to charge something at a few women’s clothing stores. About an hour later, I got another 2 emails that it was used at an expensive department store. I called the credit card company (AMEX) and they were great. They cancelled the card immediately, expedited out a new one, and reversed all of the fraudulent charges. We have no idea how and when the card number was compromised – my Dad still had it in his possession. And these purchases were made in person in stores – not online, so someone had a card made with his number.

    So, what was a huge help was the fact that quite a while ago, I set up the account so that every purchase over the amount of $1.00 would automatically generate an email alert to me. And by doing just that, as soon as the bogus charges went through, I was notified. And that meant that within an hour of the fraudulent charge, I was already on the phone with AMEX putting a stop to the problem.
    This is a feature that everyone should use and all of the credit card companies offer some form of customizable alerts at no cost. In this way, if your card is compromised at a hotel or anywhere else, as soon as it is used, you’ll know – before they have a chance to ring up your entire credit line.

  • http://flyicarusfly.com/ Fly, Icarus, Fly


  • California Dave

    Credit card security has been a high priority issue for the hospitality industry for over 6 years, when Visa mandated that hotels meet minimum security standards or risk fines and/or loss of credit card processing services. The requirements not only involved updated computer software (my field), but also, personnel training and strict policies. The large hotel chains that have their own mandatory proprietary software installed have been certified (at great expense) as being PCI/PA-DSS compliant by third-party companies, and the software listed on Visa’s website as compliant. The real problem is the small mom & pop hotel or independently owned franchisee that cannot afford expensive software upgrades and certification, and does not even understand how to train staff in best-practices to avoid risk. Until the U.S. steps up to “chip and pin” (requiring a user pin # be entered like a debit card) like the rest of the world, we will continue to have problems. Can we say ” Metric System”?

  • Boomer Traveler

    We no longer stay at ABV (Americas Best Value) for security/privacy reasons. The copy of your receipt that they print for themselves has your FULL credit card number on it.
    The corporate office responded to this by saying that it’s up to the franchisee to decide what to print. The franchisee where we had most recently stayed said that they have done this for 25 years and never had any information stolen (said he locks it up in a filing cabinet).
    A few calls to other locations revealed the same practice …

  • sweepergrl

    This happened to me two years ago. I booked a room at a family owned hotel here in Houston. Within a few days I received a call from the card company asking if I had ordered thousands of dollars worth of merchandise online, which I hadn’t. The credit card company was great about immediately reversing the charges and sending out a new card. The only place that card had been used was to make the hotel reservation, so unless thieves held onto the card information for more than a month, it was the hotel transaction that was the culprit.

  • Jessi

    As always, very good information. The thing that got me is the call from Coach with “$750 worth of handbags.” I think you can get a Coach wallet for that price, but not handbagS. :).

  • Tamara Murphy

    Truth: Until the U.S. steps up to “chip and pin” (requiring a user pin # be entered like a debit card) like the rest of the world, we will continue to have problems.

    To use a card you need: the account number (printed on the card), the expiration date (printed on the card), the “secret” validation code (PRINTED ON THE CARD), the account holder’s name (printed on the card) and possibly the billing address. Is it really any wonder these get stolen so often and so easily?

  • davork

    Chip and Pin is only a way of minimizing a card issuer’s losses.

    We’ve already had instances in Europe of where chip and pin systems can fail badly (search for Ross Anderson Chjp Pin or click http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf )

    as for the PCI compliance thing, the amount of FUD from the card processors and POS system providers is unreal. The real solution is that the card numbers are never stored in a merchant’s system and that the auth code is the only thing stored. Any other storage should result in the merchant acquirer pulling services from the merchant – and we both know how likely that is!

  • MarkKelling

    The European Chip & PIN cards would reduce this type of fraud (cloned card used in person) considerably. But US banks don’t want to spend the extra $1 per card to issue them. Why should they when all they have to do to cover their losses is raise the merchant fees they charge. Because if fraud costs go down, the banks won’t be able to justify the fees they charge merchants.

    I will be spending time in Europe this summer and had to really search for a US bank that would issue one of those cards to me. There are very few banks in the US that even seem to know what a chip & PIN card is. I finally found one (with no fees!) that looks like it will work for me.

    Also, never ever use a credit card to get money from an ATM unless you are stuck somewhere and that is your only option left. The cash advance fees are outrageous and interest charges start the second that money comes out of the machine.

  • Miami510

    Tangential to this subject is the common ruse of having a
    new credit card opened in one’s name or changing the address of record with an
    existing credit card by thieves who then try to order merchandise using the new
    or altered card.

    Some years ago I put a block on my account at the three redit card agencies. It proved to be both a help and a discomfort. On a few occasions attempts to open a new account by a thief were thwarted. On some occasions, and attempt by me to open
    a new account at a retail store offering a large discount on the initial purchase if I were to open an account at that store, was prevented. They said information on the account was blocked and refused to open the account.
    When we moved and I wanted to change the billing address, I had a lot of
    red tape to contend with. A thief could not have done it. On another occasion I purchased a new car and wrote a check. The check clearing service that dealer used could not get any credit information from one of the credit agencies. That was solved by my going to a local branch of my bank who certified the check.
    It’s a pain, but I’ve never had the problems some friends have had with ID theft.

  • llandyw

    There is yet another way to protect your credit card information. A lot of the CC companies provide this, but not all do. When I need to purchase something online from a source I’m not sure of, I will get a one-time use number from Citibank. If used in a hotel for example, and someone gets ahold of the number, it won’t do them any good as it is a one shot deal and it will already have been used by the hotel.

  • cjr001

    As we’ve seen time and again the last few years, hotels/hospitality are far from the only industry who’s not doing enough to protect customer privacy. Pretty much EVERY industry out there has been hit in some manner.

    In focusing on potential credit card fraud, there was a span of about 18 months there where I or my wife received some kind of notice regarding a possible breach every other month. A couple of times in recent years my wife has had to have a credit card replaced; I’ve also had one of my credit cards automatically be reissued under a new account number.

    So, what is the customer to do when they’re not the ones making it easy for the thieves and hackers?

    Personally, I think the entire system is failing. Businesses aren’t doing enough, the whole ATM/credit card network has some huge flaws in it, and banks just don’t feel that they have the incentive to push for better security either. All the while, countless consumers suffer.

  • nyctraveler

    Correction: you can buy a coach handbag for as little as $200 – I have

  • cjr001

    Hmm, I wonder if this would fall under the provisions of the Fair and Accurate Credit Transactions Act, and how businesses are supposed to handle credit card receipts.

    If they’re still doing it, I’d find out who you can report ABV to, and see if they can be ‘encouraged’ to change this ridiculous policy.

  • Boomer Traveler

    They are permitted to do whatever they please with their copy. Your copy must have only the last 4 digits.

    A strange policy implemented by our government …

  • bodega3

    Our card number was stolen one Thanksgiving time period and it wasn’t discovered untit it was declined on a Xmas purchase. When we called to the card company we found out that we were over our limit on purchases. The thief had enjoyed several nights at a SF hotel, dinner at some nice restaurants, golf purchases, grocery purchases and while I was on the phone with the card company, it was in the process of being used a Macy’s in SF, but was immediately declined. The card company said the card was not being swiped which should be a red flag to the merchant. After this, during the holiday shopping period, I notied a sign up at our local Macy’s stating that if your card doesn’t swipe, it can’t be used.

  • TonyA_says

    Ebay coach company store has sales at least twice a year.

  • TonyA_says

    It is not just the cost of the plastic cards that matter.
    The POS terminals costs a lot more to change.
    Also chip & pin does not protect card not present transactions.
    But I agree, chip & pin will reduce this type of fraud.
    I suspect the USA will be forced to change soon.

  • MarkKelling

    Have you ever actually used one of these numbers for a hotel? Every hotel I have ever stayed at wants a plastic card when you check in. Providing just a number doesn’t work.

  • MarkKelling

    The card number being entered manually is the number one source of fraud, it just takes an accomplice at the business willing to type in a number without seeing the card. Not too difficult, just offer to throw a few dollars at a clerk and you will eventually find one willing to participate.

    In the past, if I forgot my store card, many would provide me with a temporary paper slip useable as a card. None I shop at will do that anymore. Guess there was too much fraud even though I had to provide proof of ID.

  • MarkKelling

    I agree. There are many better ways to protect credit cards from fraud available and even though none are perfect, the banks don’t want to spend the money and merchants don’t want to buy new card terminals every couple years. But until fraud losses reach a level that can’t be covered by new fees to the merchants, nothing is going to change. The recent changes such as the CVV number added to the back of the cards don’t cost much so those went through. But hackers have developed tools that can guess the correct info more times than not. Most fraud detection systems in place are too restrictive for the average card users. Have you ever had your fuel purchase declined while on vacation in a different state? Many people have simply because they don’t travel regularly. Should you have to tell your credit card company your every move? No, but that is the current solution for most banks. Either that or they approve everything and you get stuck fighting the fraudulent charges.

  • nyctraveler

    Thanks for the eBay tip. And if you sign up for their email newsletters, they’ll send you coupon codes for 25% off your entire purchase. :)

  • TonyA_says

    You’re welcome. My wife thinks I am really cheap because I buy her gifts from the coach company store in ebay :-) The goods come directly from their stores or warehouse. This thing is 100% genuine.

  • http://www.facebook.com/CarverFarrow Carver Clark Farrow

    Some hotels will allow you to use the credit card on file for check-in. I rarely use that feature but it is allowed by some hotels, especially for loyalty program members.

  • http://www.talestoldfromtheroad.com/ Dick Jordan

    About a year ago, one of our credit cards was compromised the day after we arrived for a stay in Las Vegas. The same thing happened within a day after returning from Hawaii (where we didn’t stay in a hotel) seven months earlier.

    In both cases, I think it is likely that our card information was either written down or “skimmed” electronically at a restaurant.

    What’s most distressing to me is that neither the banks nor local law enforcement appear to be doing anything to track down and prosecute the thieves.

    Here’s a tip: If you have monthly bills (e.g., phone, utility, cable TV) that are automatically paid will a credit card, use a card that you don’t use (except in an emergency) when traveling. If one of your other cards is compromised while you are on the road, you won’t have your bill payments rejected, and you won’t have to change the card number on all of your “auto-pay” accounts.

    Another tip: Always carry at least two, but only use one, credit card when you travel. If one credit card number is stolen and that card is deactivitated, you’ll still have on card to use.

  • catwonc

    You should try the the Coach Factory Store sales – I have gotten some great Coach purchases for 65% off.

  • Jessi

    Looks like I’ll be doing some shopping then! Thanks for the tips!

  • flutiefan

    people often ask me to take a credit card number, without the actual card, and usually read out by someone over the phone. hell no!

  • Bill___A

    I notice that Marriott prints my passport number on the folio when I stay in their UK hotels. I did not at any time give them permission to do this. I am not comfortable with it. When the passport expires, they will never see a passport of mine for any reason.

  • Bill___A

    Other countries manage to do it without much fanfare. It seems that more and more transactions in the USA do not even require a signature and countless times, one is required to show ID, such a driver’s license, which compromises security even further. I notice B of A offers chip and pin upon request. There is no reasonable excuse not to do this in the USA.

  • astenv

    Cc company does not care. Hotel does not care. Why? Losses are charged back to the merchant. The most innocent and the most unable to absorb the loss.

  • TiaMa

    A couple years ago, I had an issue with a number of fraudulent transactions. I notified the card company. She said the fraud department would get in touch with me and issue me a new card. I insisted that my current card be cancelled and a new one issued at that moment. Good thing, too, because it turned out she incorrectly coded the transactions as “disputed” versus “fraud.” The fraud department never contacted me and later I saw another fraudulent transaction go through for a $200+ dinner in Miami. I called customer service again, spoke with someone else who handled it correctly.

    When the card company sent me the documentation from the restaurant, it included an illegible photo copy of a man’s driver’s license and a copy of the receipt which showed the number had been keyed in and not swiped. I was credited back for all fraudulent transactions, but if an employee is in cahoots, it should certainly be a red flag for the number to be keyed in (with the exception that the strip on the back is damaged in such a way that the card can’t be read).

    Two years ago I was in England where waitstaff at restaurants would bring a portable card reader to the table and scan the card and issue a receipt right in front of the customer. I wish this was more common in the US.

  • http://upgrd.com/roadmoretraveled MeanMeosh

    The problem with the question is that there are a lot of places besides the hotel where things could have gone off the rails. If she was on vacation, the fraud could have occurred at a gas station, a grocery store, a restaurant, etc., etc., etc. Heck, it could have been stolen while she was using the unsecured wireless internet in her room! It’s probably close to impossible to pinpoint exactly where her credit card number was stolen, which brings me to the broader point that merchants and the card companies in general need to do more to protect consumers’ personal information.

  • Joe Farrell

    Just another clear reason to never, never, ever use a debit card anywhere for any purpose. I do not possess a debit card – only an ATM card – and I will never never ever use any machine other than the machine from my bank.

    If your credit card number is stolen or compromised, to use the vernacular, whose money gets taken? The Bank. And you have laws to protect you if you report it promptly.

    If your debit card is stolen or skimmed, whose money is taken first? Then you need to prove you did not do something. As a recent case here on Elliott.org showed, proving you did not take money is very hard. And since the bank needs to put your money back in your account, they take a while to do it usually. Then there is the issue of how many other transactions get reversed or checks bounce with the associated fees and interested etc etc etc. . . .

    Trust me when I say you never ever want a debit card or to use any ATM other than your bank’s own machines.

  • pauletteb

    American businesses are resisting a change that would protect the consumer. No surprise there!

  • pauletteb

    Debit cards are compromised all the time. A cell phone capable of taking videos can record both your debit card # and your PIN as you punch it in. Since this happened to me a couple years ago, the only place I use my debit card in PIN mode is at my bank’s ATM. All other times I use it as a credit card w/o PIN. Someone can still record the card, but (except for Amex) they won’t have the security code.

  • llandyw

    Actually, I have. A Choice property in Tampa. No problem at all since I kept a copy of it in print.

  • Nikki

    OK – as someone that works on the other side of that front desk, handling credit card numbers regularly, please allow me to offer a bit of commentary…

    – You know those AmEx/MasterCard/Visa-branded gift cards that you can purchase for $3 at your local Walmart or *name your national chain store here*? – I would NEVER, ever make a reservation directly with the property or on the hotel’s website without one. That’s a personal preference, and in my view, a wise one: your information can’t be compromised, and even if it is, the damage is minimal. Just purchase one of those cards, throw a nominal amount (5, 10 bucks) on it, make sure it gets to a one-dollar balance… voila, room hold card with protection.

    Another scenario for you… In the event you do cancel your reservation and forget to get a cancellation number… and somehow the hotel decides to bill you as a no-show… guess what, it’s declined. In that case, the term “squeezing blood from a rock” comes to mind. This would also stop a desk clerk or manager from trying to override a decline message and punch in a random set of numbers manually. I’ve seen this happen with managers wanting to get every last dollar from a guest.

    Please understand that this wouldn’t work in the case of a prepaid reservation, or with resorts.
    But it’s a good tool to have, what with all the unscrupulous nutters out there.

    – A good desk clerk will, on your arrival and check-in at the hotel, will not only ask you for your credit card, they will ask you for your identification, even if you insist that the hotel uses the credit card you reserved your room with. We ask for those things to protect YOU. And in the name of protecting yourself with your credit card/s, do yourself a favor and write in the signature area on your cards – “CHECK ID”. It’s pretty rare that I’m ever asked for my identification when I use my cards, and when a cashier or desk clerk asks to see my ID, I thank them for taking the time to do so. The simple gesture not only makes them smile, it gives them motivation to continue to ask for that.

    – That scenario having been said – – – there are times when you want to use your credit card to pay for someone else’s reservation. Hotels worth their salt will demand that you fax them a copy of your ID and credit card, along with a written authorization stating that the hotel is allowed to charge to the CC in question. If you are NOT asked to do that… some red flags should go up in your head, and you should ask to be transferred to a manager on duty to clarify that policy.

    One of the things I’ve learned through working for hotels AND reading this column regularly – you are your own best advocate. If you take a few steps to protect yourself – that’s invaluable time right there. Very little can go wrong when you do that. :D