data breach - other guest's invoice
#1
Moderator, Turkish Airlines Miles&Smiles & Accor ALL
Original Poster
Join Date: Apr 2009
Location: BRU
Programs: TK*G, Accor ALL Platinum
Posts: 7,592
In a move that does not inspire any confidence in Accor's ability to deal with private and sensitive data, I today received, out of the blue, a hotel invoice for a guest totally unknown to me, for a stay that ended today:
The email included the full invoice, including the masked CC details. I do have a booking for this hotel, but for a future date, and I am certainly not Mme XXXX. I initially freaked out thinking it was my details and CC that were hacked, but the numbers do not match. It beggars belief that they would be so careless with handling guests' data.
Dear Mme XXXXX,
We are pleased to confirm that you are registered for « FAST CHECK-OUT ».
This service invites you to simply drop off your key upon departure and your credit card will be debited based on your final invoice (except already prepaid invoices).
Please find herewith your expenditure statement (*)
We hope to have brought you full satisfaction during your stay in our hotel and remain at your entire disposal.
Book on all.accor.com and live your passions to the fullest with ALL – Accor Live Limitless.
Yours sincerely,
The Novotel Luxembourg Kirchberg team
#2
Join Date: Mar 2005
Programs: IHG Diamond Ambassador, Accor Plat, M&M FTL, BA Blue, QR Gold
Posts: 3,740
In a move that does not inspire any confidence in Accor's ability to deal with private and sensitive data, I today received, out of the blue, a hotel invoice for a guest totally unknown to me, for a stay that ended today:
The email included the full invoice, including the masked CC details. I do have a booking for this hotel, but for a future date, and I am certainly not Mme XXXX. I initially freaked out thinking it was my details and CC that were hacked, but the numbers do not match. It beggars belief that they would be so careless with handling guests' data.
#3
#4
Join Date: Mar 2005
Programs: IHG Diamond Ambassador, Accor Plat, M&M FTL, BA Blue, QR Gold
Posts: 3,740
#5
#6
#7
Moderator, Turkish Airlines Miles&Smiles & Accor ALL
Original Poster
Join Date: Apr 2009
Location: BRU
Programs: TK*G, Accor ALL Platinum
Posts: 7,592
By way of update, the hotel in question and the Accor Data Controller have acknowledged the data breach. The hotel acknowledged its mistake and profoundly apologised. It also provided an extensive explanation of how this mistake occurred (human error; processes not followed when front- and back-office tasks were performed by the same person, in contravention of its procedures).
#8
Join Date: May 2015
Location: RBA / TBS
Programs: AF Gold / Accor Gold / Hilton Diamond / TP Silver / A3 Gold
Posts: 2,763
OK, it seems we have different definitions. A data breach for me is when an unauthorised 3rd party gains access to systems (or to physical data, in the case of non-digital) intentionally.
I think this case is rather an error or misconfiguration, either caused by a bug or a human mistake, but yeah, you took the right step to reach both entities and signal this issue.
However, if this is due to a real data breach (someone got into the hotel IT systems or Accor IT), then both would be in trouble, and based on current EU + LU laws (GDPR, for instance) this would be another story.
Last edited by fifty_two; Mar 11, 2024 at 4:31 am
#9
Moderator, Turkish Airlines Miles&Smiles & Accor ALL
Original Poster
Join Date: Apr 2009
Location: BRU
Programs: TK*G, Accor ALL Platinum
Posts: 7,592
OK, it seems we have different definitions. A data breach for me is when an unauthorised 3rd party gains access to systems (or to physical data, in the case of non-digital) intentionally.
I think this case is rather an error or misconfiguration, either caused by a bug or a human mistake, but yeah, you took the right step to reach both entities and signal this issue.
However, if this is due to a real data breach (someone got into the hotel IT systems or Accor IT), then both would be in trouble, and based on current EU + LU laws (GDPR, for instance) this would be another story.
The GDPR guidelines are pretty clear:
The GDPR defines a "personal data breach" in Article 4(12) as: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." ... Finally, unauthorised or unlawful processing may include disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data, or any other form of processing which violates the GDPR.