Great question. It does make you wonder though. Every single time I have ever checked into a hotel (which is hundreds and hundreds of times over the years), I have been asked to present ID at check-in. The episode I described above probably happened in 2010 or thereabouts, so I'm not sure if mobile check-in even existed yet. So, yes, it's possible that it was an inside job. SPG was pretty tight lipped about the details of what happened, other than insisting that I get a new membership number since my old one was compromised. And if memory serves, they let me keep the credit for the fraudulent stay for the inconvenience.