“When you check in, your private information may be checked out”
I was quoted in Christopher Elliott's "Navigator" column in the Washington Post travel section last Sunday, talking about how personal information we provide to hotels -- including, but not limited to, credit card numbers -- is or isn't protected:
... In the past, hotels and travelers assumed that rogue hotel or restaurant employees were to blame for the theft of personal information, according to data privacy expert Edward Hasbrouck. But that’s no longer true. Today, hackers aren’t just targeting data on hotel systems but also the information passed along to reservations systems. “Credit card theft is much easier -- and more likely -- through large-scale hacking,” he says....
Hasbrouck knows about data theft firsthand. Data thieves swiped his partner’s credit card info after a recent hotel stay. Although she tracked the order down to an address, the credit card company let the matter drop after reversing the charge. The incident made Hasbrouck and his partner realize how powerless consumers are when it comes to preventing data theft and that there probably aren’t enough laws to protect travelers from such crimes....
What are the lessons I've learned from experiences like this, and from my research and experience with computerized reservation systems?
- Consumers and travel businesses need to adjust their "threat model" to include attacks on reservation systems, and not just risks from individual front-line employees of travel companies.
- Because most hotels outsource storage of customer and reservation data to third parties, it's those third parties (CRSs/GDSs and providers of hotel property management systems) that are the key players. There needs to be much more focus on CRS/GDS practices and vulnerability. This raises complicated questions of which parts of the operations of the CRSs/GDSs are under the jurisdiction of the Department of Transportation, the Federal Trade Commission, and/or the FCC. I've been working with the Consumer Travel Alliance to try to get these agencies to coordinate their regulation and oversight of CRS/GDS practices in handling personal information about travellers, and to close the current jurisdictional and enforcement gaps.
- Because data protection is largely out of the control of consumers, travel businesses have to take responsibility for this, and absorb the losses. It would be unfair to hold consumers liable for how businesses do or don't secure our data. The most important thing is to preserve consumers' credit card "chargeback" rights, which are what give businesses a financial incentive to protect our data.
- In the meantime, the most important thing you can do to protect yourself is always to check your credit card statements promptly and carefully, and dispute any unknown charges promptly and in writing. Use certified mail, return receipt requested. Phone calls and e-mail do not protect your rights. You can almost always get fraudulent charges reversed, but only if you are diligent about checking for them and asserting your chargeback rights.