When your credit card gets compromised at a hotel

David Eviston/Shutterstock
A day after Sheilah Reardon checked into the Bellagio Las Vegas, she received an e-mail alert from American Express warning that her credit card had been compromised. Among the fraudulent charges: a $67 bill from an online memorabilia store.

A day later, her friend Jennifer Henderson got a call from a MasterCard representative. Her card number had also been stolen. The thieves had made a $67 charge at the same online store moments after they hit Reardon’s account.

“We had checked into the Bellagio at the same time, side by side,” says Reardon. She and Henderson believe that their credit cards were targeted while they were at the resort — most likely while they were checking in — because it was the only time when their cards were used together. Reardon says that she hadn’t used her card, a “travel-only” Amex, since a trip to Florida last summer.

This kind of identity fraud cost American businesses and consumers $21 billion in 2012, the most recent year for which numbers are available, according to Javelin Strategy & Research. It found 12.6 million victims of identity fraud in the United States that year, the highest level since 2009. Javelin’s figures also include data breaches and other types of fraudulent purchases.

Identity fraud is a perennial concern for travelers, and particularly for hotel guests whose cards are frequently used on the road. But the problem seems to be getting worse, and there’s no quick or easy fix.

Bellagio claims that it takes “strict precautions” to maintain the security of its guests’ digital information. After Reardon complained of the breach, it contacted her multiple times in an effort to take a full report, but she declined to give one, according to the hotel.

“We regret we were unable to utilize our full resources to bring this matter to a more satisfactory conclusion, but maintain that our security measures are effective,” says Mary Hynes, a spokeswoman for the resort.

Reardon, a school administrator from Raynham, Mass., insists that she filed a complaint but didn’t have time for the lengthier debriefing, since she was on vacation. Besides, she says, she was left with the impression that the hotel was indifferent to her and her friend’s problems while they were staying there. “At least they could have pretended to care,” she says.

But Bellagio’s initial response as described by Reardon may be typical of the hotel industry, which is often careless about customer data and dismissive of fraud complaints, say experts and guests.

“Hotels are a massive source of credit card fraud,” says John Sileo, a digital privacy expert who runs the Web site Sileo.com. “In fact, the travel industry in general is ripe for the picking because of a variety of factors, including the distraction of travelers, high usage of credit and debit cards, high turnover of employees, and failure to perform employee background checks.”

Sileo believes that Henderson’s and Reardon’s breaches probably occurred at their hotel, but he can’t be sure who was behind the theft. Their cards may have been compromised while they checked in, with an employee swiping their cards and then feeding the information to someone else. Or someone else standing near the check-in area and using a smartphone could have recorded their card numbers and verbal data, leading to the compromise. “The chances of it not being internal to the hotel — either an employee or a thief standing nearby — is minuscule,” he says.

I checked in with a reader who works in the security department of a major chain hotel in New Orleans about the precautions hotels do and don’t take when it comes to their customers’ security. He said that guests might be shocked if they took a look at the computers being used to check them in. He recently inspected front-desk terminals at his hotels, even though information technology isn’t part of his job.

“They hadn’t been updated in years, with thousands of updates needed,” he says. “I discovered that one computer was filled with adware, which is bad enough, but the other had a full virus network, with keyloggers as well as worms. It had its own database and a way to send guests’ personal information off-site to its own servers.”

For the non-techies out there, keyloggers record keystrokes, capturing passwords and other sensitive information, and send them to a third party; a worm is a form of computer malware that replicates itself to spread to other computers.

How can hotel guests protect themselves?

“They can’t,” says Robert Siciliano, a security expert who publishes the site BestIDTheftCompanys.com. “Credit cards can’t be protected.”

The only way to minimize the damage is to monitor your credit card statement and report any suspicious activity. A longer-term solution, which is to upgrade credit cards to more expensive and secure chip-and-PIN technology, is on the horizon, but probably not in time for your next hotel visit.

Both Henderson and Reardon quickly verified the fraudulent activity on their cards. Their financial institutions removed the bogus charges, canceled their cards and promptly issued new ones.

The Bellagio, for its part, wasn’t entirely unsympathetic. Even though the guests didn’t complete a formal report, the hotel zeroed out their mandatory $25 a day “resort fee,” which includes in-room high-speed and wireless Internet, in-room local and toll-free calls, fitness center access and airline boarding pass printing.

Over six days, that shaved $150 off each of their bills, which is almost better than an apology.


Christopher Elliott

Christopher Elliott is an author, journalist and consumer advocate. You can read more about him on his personal website or contact him at . Got a question or comment? You can post it on the new forum.


  • EdB

    [i]Target has not officially announced what caused the breach. Anything stated here about the cause is speculation.[/i]

    Then why were you stating “The Target issue was key logger software that got installed in the terminals at the cash registers.” as a fact when you knew that was not true according to your second statement that there was no official announcement as to the cause? Target has announced that the criminals forced their way onto their system.

    https://corporate.target.com/about/shopping-experience/payment-card-issue-FAQ#q5888

    [i]However, it is a fact that Target follows every requirement the major credit card companies have in place to protect cardholders (i.e. not retaining PIN numbers[/i]

    If they were following every requirement (i.e. not retaining PIN numbers) then why…

    “Target confirmed Friday that debit card PIN data was stolen in its recent massive breach, reversing its earlier stance that the codes were not part of the hack.”

    http://money.cnn.com/2013/12/27/technology/target-pin/

    https://corporate.target.com/about/shopping-experience/payment-card-issue-FAQ#q5921

    [i]We know they follow the rules because they have passed every inspection the credit card companies have made.[/i]

    And where did you see that they had even been inspected or even inspected recently? And can you provide any reference that merchants are routinely audited for security compliance? Seems that only happens after a breach is detected. And how good could the inspection have been if they missed the fact Target was retaining PIN information, which you claim to be a violation of the rules?

    And as far as being compliant with those rules…

    “The fact is you can be PCI-compliant and still be insecure. Look at online application vulnerabilities. They’re arguably the fastest growing area of security, and for good reason — exposures in customer-facing applications pose a real danger of a security breach.”

    Greg Reber, http://searchsoftwarequality.techtarget.com/news/1335662/PCI-compliance-falls-short-of-assuring-website-security

  • MarkKelling

    PIN info was stolen during the time it was entered on their systems and forwarded on to the card issuing bank for approval of the transaction. That is why I shared my opinion that it was a key logger virus that was used. There is nothing that would indicate the PIN data was left anywhere on the Target systems in some file that was simply copied off. I should have noted in my original post that it was only an opinion I was giving. I will try and remember to do so more clearly in any future posts here.

    Target stated that the “criminals forced their way onto the system” which sounds better than “we left an open port attached to the internet allowing anyone who knew what they were doing to get into our systems.” The exact process used by the criminals still has not been publicly stated.

    Every large merchant is audited/inspected at least every two years by Visa and MasterCard (probably by other card issuers too). If a merchant fails that audit, it is made public information. I agree that the current PCI rules may be lax in many aspects and being compliant does not ensure that something like the Target breach could not happen.

  • EdB

    Okay. For the sake of argument, let’s accept your premise that 1) the merchant was audited within the last 2 years. 2) They passed the audit. And 3) an open port was used to obtain the information.

    This only supports the claim that merchants don’t do enough to protect customer data. Anyone working IT knows an open port is a security risk. So regardless if the audit allows for open ports, or missed the port being left open, the fact that the merchant’s IT left it open shows a lack of caring. Either by not hiring competent people or they are doing just enough to pass an audit procedure that doesn’t really protect the data, or a combination of both.

    But regardless what was the underlying exploit used in this breach, we know that merchants like Target do keep CC info longer than what is needed to process the transaction. Don’t believe it? Go make a purchase with a CC at Target and then take it back for a return. Do they ask you for your CC to process the refund? No. They have it on file where they can bring it up and post the credit to your account. Target is not the only merchant that does this. And until merchants are prohibited from doing this, we are going to continue seeing these massive data thefts from merchants.

  • Benjamin Barnett

    I have seen the booking.com fax have my whole number on it. I noticed it in Spain, but imagine their process is the same everywhere.

  • Brad Grimm

    Days Inn just photocopied my credit card at check-in. I questioned the employee. He said it is shredded in one year. That makes no sense. Why is a photocopy sitting in their file cabinet? I could just snatch and grab that in 3 seconds right?

  • LadySiren

    Yup, it was probably a small charge to see if the account was active. My credit union called me to alert me to fraudulent activity on my account. Even though I check my accounts religiously, I would’ve never caught this one – the scammers sent through a charge to my debit card for $14 from a bogus hotel in China.

    When the charge went through, they immediately reversed the charge so that it never showed up in the online banking system. Luckily, our credit union is awesome and caught the activity right away. They were actually in the process of alerting me and taking care of getting me a new card, etc. when the second charge for multiple thousands of dollars came in (which of course, it denied). If my credit union hadn’t smelled something funny about that $14 charge, we’d have been dealing with a much larger headache.

  • LeeAnneClark

    I suppose it’s possible that a martian happened to be flying his space ship over the Bellagio at the exact moment she and her friend both used their cards at the same hotel, including a card that hadn’t been used for months and one owned by a totally unrelated person, and the martian used it for the exact same purchase amount at the exact same online store minutes after that one moment in time in which both those cards were used at the same hotel check-in desk.

    I suppose that’s one possible alternate explanation.

  • MarkKelling

    I have no argument with any of your points. I agree that many merchants are lazy when it comes to securing credit card info and probably most other info they keep about their customers. But they need a push to do more and maybe some event like this will finally convince them they need to do more.

    And on the return, the merchant must keep enough info on file to build the return request transaction to send back through the credit card network so that the credit can be posted to your account. This can be tokenized information like transaction sequence numbers and other unique pieces of data that do not even include the actual card number (and returns do not require a PIN for debit cards). Whether or not Target uses that process, I don’t know. But the return process is driven by the requirement most merchants have that a refund must go to the original form of payment. If they could refund any old way, then you would be required to present a credit card at the time of refund if you wanted the refund that way.

    (And no I don’t work for Target or any other merchant that suffered a loss, so my comments are not meant to defend any of their processes for any merchants.)

  • LeeAnneClark

    Best comment in the thread!

  • Daddydo

    Reardon did not have the time to file a proper report because she was on vacation? This in itself explains how credit card fraud is expanding. AX is a great company, as they listen to fraud complaints and respond immediately. They have assisted me twice over the years. But the hotel was trying to figure out where the breach was, and Reardon wouldn’t give them the time of day. So sad.

  • cahdot

    I hope the credit card company was able to stop the memorabilia order and get the address where it was to be sent???

  • Michael

    Well, the simple solution there is for hotels to learn they DON’T need my card number until I check in. Frankly I’m getting a little tired of the lodging industry thinking they are the airline industry. Hotels should NEVER be pre-paid or nonrefundable. The hotel is the end game and my getting there to use their service is dependent upon the rest of the providers, the flight could cancel or divert, weather, natural disaster, or even political instability may force a last minute change to another location, etc.

  • Lindabator

    And when you fail to show, the one night charge gets to them how? This would only drive up costs even more as people make bookings and never bother to cancel since THEY have nothing to lose.

  • bringbackrocky

    Isn’t it wonderful that the hotel “zeroed out their mandatory $25 a day resort fee”? So they eliminated a fee that’s completely bogus in the first place because they could build it in to their rates (which they won’t do, because then their rates won’t look artificially low) but choose not to do it. Does it really cost the hotel $25 a day to provide wi-fi or let a guest print a boarding pass? Not in a million years.

  • TMMao

    Reputable hotels will waive the cancellation fee for a good reason. Reputable guests should pay the cancellation fee unless they have a good reason not to.

  • Michael

    I don’t know. I guess the answer would be how did hotels manage until about 5 to 10 years ago?

  • Carver Clark Farrow

    I suppose the ease of booking a room on the internet makes people more cavalier about bookings. That’s just a guess on my part. I remember prior to internet reservations, booking a hotel room was a serious affair. We only booked it after we were sure that we needed it. I think it is the lack of human contact which makes it easier to book and cancel, book and cancel.

    As far as prepaid goes, that’s a real choice. Unlike airlines, there are usually many hotels to choose from and more importantly unlike airlines, getting a fully flexible rate rarely costs substantially more. I generally avoid prepaid rates unless the chances of me cancelling are remote. I’ve usually booked prepaid rates from the lobby of the hotel.

    While it is true that a flight could cancel or divert, weather, natural disaster, etc, may cause you to have to cancel your hotel stay, those are the exceptions, not the rule. The vast majority of your hotel reservations will not be cancelled because of such occurrences.

    Just my $0.02

  • Michael

    Mostly I agree with you. Just as you have noticed, so far it’s still fairly easy to find a fully flexible rate. My concern is that just as airlines started out with the deeply discounted 21 day out bookings being nonrefundable and today all but the most expensive are nonrefundable, and in at least Jet Blue’s case there is no such thing as a fully flexible booking, I fear some day the hotels will go the same way. In fact I am already seeing signs of this. Just last month in London for a single night midweek booking I was unable to find a fully flexible booking 2 days before my trip unless I wanted to use a chain hotel in the completely wrong part of London. Last year I learned the hard way when I had to arrange a last minute business trip to Honolulu that apparently Valentines week is huge in Hawaii. Hey, what did I know, I haven’t been to Hawaii in over a decade for either business or pleasure and I’m single so Valentines day to me is just another day on the calendar. That week every property wanted fully prepaid no changes, joy. It was a close call as I was leaving NYC the Monday after the 33 inch blizzard. I was lucky my flights all operated and I found a car service willing to come out to the burbs on still unplowed roads. I suppose I could see the point of prepay nonrefundable if I was booking a room months, or even weeks, out, but not when I am booking 1 to 3 days before the trip. Like most travelers I don’t travel on months notice, my trips are either business (get there now and fix this) or I finally have the down time to get away for a few days. Frankly I don’t know anyone who can say now at the end of January commit to a set plan and dates 3 weeks or more out and know nothing will change at all. So as a result I don’t even understand how airlines market those 21 day advance purchase nonrefundable tickets.

  • Carver Clark Farrow

    You make some good points, paragraphs please though

    ;p

    I’m not particularly worried about hotels. Hotels have infinitely more competition than airlines. There are only three legacy airlines in the US. There are innumerable chains and independents.

    I would expect that the circumstances that you describe are not normative, but occurred because of extremely high occupancies, which causes hotels to behave more like airlines.

    The 21 day advance purchase makes sense for vacationers. My friends are teachers. Summer vacation is pretty much set in stone. The chance of something bad happening is remote enough that the risk is reasonable.

  • EdB

    Just a FYI. Depending on the way someone responds, Disqus may remove the paragraph breaks.

    It does it to me all the time when using mobile devices.

  • Carver Clark Farrow

    You’re 110% correct. If I use IE, I have to save the post then edit the paragraph breaks back in. Just one of the many reasons I ditched IE