Wow, that really stinks. Thankfully AmEx took care of it, but also what a major inconvenience. I agree with your conclusion as to what happened. I had one other thought though ... do you have that credit card "registered" on the HI (or any other) web site for reservation purposes? I only mention that because I had a credit card comprimised in that manner and I would never have thought about it except it was big enough to have made it on MSNBC.com and some friends had it happen to them also. Like I said, I agree with you about that seems to have taken place. I appreciate you telling us because I just doubt the web security some of these companies use. Remember the CO incident of emailing everyone's credit card numbers to them in confirmation emails. I am sure there are many other examples. In this case it seems like some of those people just can't be trusted.