Upon reading The Register and CNET accounts of a laptop stolen from an Ernst & Young employee’s car, I was not pleased to learn that I could be a victim, as the one time I used Hotels.com was in March of 2003. “Thankfully” since I’m already an identity theft victim, I have taken action to monitor my identity and hopefully prevent future fraud.
If the CNET report is accurate, it makes a case for why it’s really up to you to actively manage your private information. They say there was a several-month lag between the time the laptop was stolen and the time customers were notified.
They also say that “the information on the laptop may have included your name, address and some credit or debit card information you provided.” (Don’t they know for sure?)
Interestingly, the Hotels.com FAQ says: “We never divulge any information in our fully encrypted database account to anyone without your consent.”
- So does this mean my credit card was encrypted or not?
- Anyway, why does someone auditing a company need to see my credit card number?
In my opinion, sending letters is not an acceptable, timely mechanism. 2003 was a long time ago. I doubt I’m the only person who has moved a couple of times and is unlikely to receive the letter. The call center has said they are only sending letters and there is no other way for me to find out if I was affected.
Companies whose customer data has been compromised should not only send letters but:
- Email affected customers (I know I didn’t check off “email me when my personal information is stolen” in preferences. But most consumers would likely allow this exception.)
- Email customers who were not affected, to prevent worry.
- Tell users if our passwords were unencrypted so we can know if we should change them on the affected site as well as others.
June 4 Update – Credit monitoring for affected Hotels.com customers:
According to an AP story: "Ernst & Young invites those affected by the incident to enroll in a free credit monitoring service arranged by the auditor."