Thursday, 23 October 2003

Personal data stored on hotel card-key mag stripes

As tracked down (in spite of the initial skepticism of your truly about his initial less detailed reports) and posted by Jay Melnick of TravelBank Systems on his own Web site and in the Travel Guide Writers' Email List, here's more on the storage of personal information from reservation records (including names, addresses, and credit card numbers) on the mag stripes of hotel card keys:

In a message dated 10/22/2003 5:16:13 PM Mountain Standard Time, rnanning@cityofpasadena.net writes:

The following information is in response to numerous inquiries about an e-mail that was distributed regarding hotel card keys and personal information. Please take note and feel free to share with any constituents who may also have concerns.

On October 6, 2003, Detective Sergeant Kathryn Jorge of the Pasadena Police Department received information from a group of Southern California fraud detectives who had formed a fraud investigations network through a local internet carrier. One of the members of this group from another San Gabriel Valley agency reported that in an investigation that he was personally involved in, he came across a plastic hotel card key from a major hotel that had personal information that could potentially lead to identify theft and fraud. This information included names, addresses, length of stay, and credit card numbers. This detective took the precautionary measure of notifying the detectives in the network prior to seeing if this practice was standard in the industry.

As the investigation into this potential fraud risk continued, this information was shared with other members of the Pasadena Police Department and personnel chose to share this information with others before we could correctly evaluate the risk. This has caused a chain reaction of probably thousands of people being given this information before the risk was evaluated thoroughly.

As of today, detectives have contacted several large hotels and computer companies using plastic card key technology and they assure us that personal information, especially credit card information, is not included on their key cards. The one incident referred to appears to be several years old, and with today's newer technology, it would appear that no hotels engage in the practice of storing personal information on key cards. Please share this information with anyone who has a concern over the initial information send out to others as a precautionary measure.

There was never the intent of the Pasadena Police Department to forward this information to others before the risk was evaluated. The information was forwarded by individuals as a possible precautionary note of interest only.

Janet A. Pope

Adjutant to the Chief of Police/Public Information Official

Pasadena Police Department

626.744.4537

Thanks again to Jay Melnick for getting to the root of this story.

Christoper Elliott, who also has a travel blog, says that "It's an urban legend." But I wouldn't take the "assurances" that this isn't still happening (at the specific hotels contacted by one local police department) as conclusive, or as indicative of industry norms. What this really goes to show is that there is still no culture of privacy consciousness in the travel industry -- and that people from places with real privacy laws are right to demand the same in the USA before they do business with travel companies in the USA.

Link | Posted by Edward on Thursday, 23 October 2003, 09:24 ( 9:24 AM) | TrackBack (0)
Comments

More at:

http://www.snopes.com/crime/warnings/hotelkey.asp

Posted by: Richard Finegold, 27 October 2003, 10:50 (10:50 AM)

I definitely think it's an urban legend. There's some more information about hotel door cards and identity theft here - http://www.creditbloggers.com/2005/11/hotel_card_urba.html

Posted by: , 11 November 2005, 16:22 ( 4:22 PM)

Good Information....There's some more information about hotel door cards and identity theft here...

Posted by: Stanislav, 1 February 2007, 06:12 ( 6:12 AM)

Stolen "mag stripe" data is the holy grail for card thieves

Posted by: Travel Guide, 30 March 2007, 10:10 (10:10 AM)

I worked in a hotel for years and can guarantee you that hotels do NOT incode your credit card information into the keys. Why would they? If a hotel clerk wants to steal your credit card information all they need to do is look in the computer and write the numbers down. Just as a waitress can when you hand her your card and she walks away to get approval.

They cardkey is incoded with your room number, the number of days the key is good for, and a random security code, that is it. SOME systems may include your name, but its unlikely as the more information the key holds the more expensive it is to encode them. Since not everybody returns their key it would not be worth the investment.

Posted by: Diana, 22 January 2010, 05:42 ( 5:42 AM)
Post a comment









Save personal info as cookie?