When your credit card gets compromised at a hotel

Photo of author

By Christopher Elliott

A day after Sheilah Reardon checked into the Bellagio Las Vegas, she received an e-mail alert from American Express warning that her credit card had been compromised. Among the fraudulent charges: a $67 bill from an online memorabilia store.

A day later, her friend Jennifer Henderson got a call from a MasterCard representative. Her card number had also been stolen. The thieves had made a $67 charge at the same online store moments after they hit Reardon’s account.

“We had checked into the Bellagio at the same time, side by side,” says Reardon. She and Henderson believe that their credit cards were targeted while they were at the resort, most likely while they were checking in. It was the only time when their cards were used together. Reardon says that she hadn’t used her card, a “travel-only” Amex, since a trip to Florida last summer.

Millions affected by identity fraud

This kind of identity fraud cost American businesses and consumers $21 billion in 2012, according to Javelin Strategy & Research. It found 12.6 million victims of identity fraud in the United States that year, the highest level since 2009. Javelin’s figures also include data breaches and other types of fraudulent purchases.

Identity fraud is a perennial concern for travelers, and particularly for hotel guests whose cards are frequently used on the road. But the problem seems to be getting worse, and there’s no quick or easy fix.

Bellagio claims that it takes “strict precautions” to maintain the security of its guests’ digital information. After Reardon complained of the breach, it contacted her multiple times in an effort to take a full report. She declined to give one, according to the hotel.

“We regret we were unable to utilize our full resources to bring this matter to a more satisfactory conclusion. We do, however, maintain that our security measures are effective,” says Mary Hynes, a spokeswoman for the resort.

The hotel could have pretended to care

Reardon, a school administrator from Raynham, Mass., insists that she filed a complaint but didn’t have time for the lengthier debriefing, since she was on vacation. Besides, she says, she was left with the impression that the hotel was indifferent to her and her friend’s problems while they were staying there. “At least they could have pretended to care,” she says.

MedjetAssist is the premier global air-medical transport, travel security and crisis response membership program for travelers. With a MedjetAssist membership, if you become hospitalized more than 150 miles from home, we will get you from that unfamiliar hospital all the way home to the hospital you trust. All you ever pay is your membership fee. MedjetHorizon members add 24/7 personal security and crisis response benefits. Elliott.org readers enjoy discounted rates. Travel safer with MedjetAssist.

But Bellagio’s initial response as described by Reardon may be typical of the hotel industry. It is often careless about customer data and dismissive of fraud complaints, say experts and guests.

Hotels are a massive source of credit card fraud

“Hotels are a massive source of credit card fraud,” says John Sileo. John is digital privacy expert who runs the Web site Sileo.com. “In fact, the travel industry in general is ripe for the picking because of a variety of factors, including the distraction of travelers, high usage of credit and debit cards, high turnover of employees, and failure to perform employee background checks.”

Credit card fraud, identity theft and petty theft are just a few concerns for travelers at most hotels.

Sileo believes that Henderson’s and Reardon’s breaches probably occurred at their hotel. Unfortunately, he can’t be sure who was behind the theft. Their cards may have been compromised while they checked in, with an employee swiping their cards and then feeding the information to someone else. Or someone else standing near the check-in area and using a smartphone could have recorded their card numbers and verbal data, leading to the compromise. “The chances of it not being internal to the hotel — either an employee or a thief standing nearby — is minuscule,” he says.

Customers’ security compromised

I checked in with a reader who works in the security department of a major chain hotel in New Orleans about the precautions hotels do and don’t take when it comes to their customers’ security. He said that guests might be shocked if they took a look at the computers being used to check them in. He recently inspected front-desk terminals at his hotels, even though information technology isn’t part of his job.

“They hadn’t been updated in years, with thousands of updates needed,” he says. “I discovered that one computer was filled with adware. The other had a full virus network, with keyloggers as well as worms. It had its own database and a way to send guests’ personal information off-site to its own servers.”

For the non-techies out there, keyloggers record passwords and other secure information and send it to a third party; a worm is a form of computer malware that replicates itself to spread to other computers.

How can hotel guests protect themselves?

“They can’t,” says Robert Siciliano, a security expert who publishes the site BestIDTheftCompanys.com. “Credit cards can’t be protected.” (Related: American Express freaks out about unpaid $32 bill.)

The only way to minimize the damage is to monitor your credit card statement and report any suspicious activity. A longer-term solution, which is to upgrade credit cards to more expensive and secure chip-and-PIN technology, is on the horizon, but probably not in time for your next hotel visit.

Both Henderson and Reardon quickly verified the fraudulent activity on their cards. Their financial institutions removed the bogus charges, canceled their cards and promptly issued new ones. (Related: A stolen West Point class ring, and all I get from my hotel is an excuse.)

The Bellagio, for its part, wasn’t entirely unsympathetic. Even though the guests didn’t complete a formal report, the hotel zeroed out their mandatory $25 a day “resort fee. This includes in-room high-speed and wireless Internet, in-room local and toll-free calls, fitness center access and airline boarding pass printing.

Over six days, that shaved $150 off each of their bills, which is almost better than an apology.

Do hotels do enough to protect your credit card?

View Results

Loading ... Loading ...
Photo of author

Christopher Elliott

Christopher Elliott is the founder of Elliott Advocacy, a 501(c)(3) nonprofit organization that empowers consumers to solve their problems and helps those who can't. He's the author of numerous books on consumer advocacy and writes three nationally syndicated columns. He also publishes the Elliott Report, a news site for consumers, and Elliott Confidential, a critically acclaimed newsletter about customer service. If you have a consumer problem you can't solve, contact him directly through his advocacy website. You can also follow him on X, Facebook, and LinkedIn, or sign up for his daily newsletter. He is based in Panamá City.

Related Posts