When I heard about the latest data loss in a well-known hotel chain, I was not enthused. It was more than 10 years ago that I joined the hotel’s guest program and I have stayed in many different places within their chain mostly on business travel though.
Let me share my experience. I learned about the hack from the public press around end of November 2018. The article included a link to a website from the hotel chain specifically informing about the data breach. At this point it was a quite open information that their systems had been breached and identity data stolen. Customers should accept communication via email soon and/or check this website often.
On December 11, I received a first and long email detailing information on what had happened, phone numbers for more information and upcoming options for enrollment in a free of charge identity watch service. I received another email on December 15, with instructions on how to enroll.
On December 17, I called the hotline and was told that it was too early to let customers know exactly which data had been stolen for their respective identity, but I was informed that as soon as the hotel had this information it would be shared with me. In the meantime, I could find out which identity information the hotel chain has on file about me and I was again informed about the free of charge identity watch service and how to enroll.
I went to the website and requested to receive the personal data that the hotel has about me. The website gave the information that someone would get back to me within a couple of days.
Secondly, I signed up for the identity watch service, that immediately alerted me that presumably someone used my email to enter a social website, so I immediately changed that password.
On January 7th I received an email asking me for more information so that the hotel chain could verify my information and give me the details on what personal information was stolen. This email also stated that this might take up to three months to get back to me with details, once I provided the needed information, which I did on January 22nd.
On February 14, I finally got all information that was deemed stolen in the data hack. Luckily no credit card data was involved, but address, email and telephone data, although I believe this will be my company address.
In retrospect, it took the hotel chain a good six weeks (over Christmas) to get back with the information. I really appreciated the open, transparent and comprehensive information given.
If you are a company that must store personal data, you really need to secure this data. Unfortunately, you must prepare for when an incident is going to happen. In this day and age, you cannot assume that you will not get hacked. Rather you must figure out how to deal with it.