Sleep Inn Denver Identity theft risk-new ID policy scan/store licenses
Sep 24, 2009, 9:16 pm
#1
Original Poster
Join Date: Jul 2005
Location: Atlántida, Canelones, Uruguay (MVD) and rarely GNV
Programs: AV LifeMiles, CM ConnectMiles, BA Exec Club. Former:ex-ASGold, ex-UA1K, ex-COPlat, ex-NWGold.
Posts: 2,673
Sleep Inn Denver Identity theft risk-new ID policy scan/store licenses
I've stayed at this property at least a dozen times. Recently improved decor over the average Sleep Inn, very friendly and helpful staff. Often asked to show an ID at check-in, to which I never object. That's become standard practice at all Starwoods, many Choice, and the occasional Hilton.
Last night I stayed there after a late arrival to DEN, before driving up the mountain today.
To my surprise, the desk clerk required that I hand her my license, because "we have to scan it and store it in the computer".
What an Identity Theft risk! A small business, with a few computers, no in-house CISSP-certified security experts (not that I'd expect that). Much larger businesses with huge Information Security departments and dedicated full-time 24/7 IT support have been hacked and had personally identifiable information/customer sensitive information stolen. TJ Maxx parent company TJX. Heartland Data Systems, one of the largest Credit Card Processors in the country.
It was 1am, I was dead tired from 6 weeks on east coast time so it felt like 3am, and it was already well-past chargeable no-show time. So against my better judgement, I checked in anyway, though let the (very nice but clueless about the issue) clerk know my opinion and asked she notify the manager.
This morning I spoke with the GM. She claims the owner decided this was a good idea. He had spoken with some other (not local Aurora/Denver) Police Department about how they'd had an investigation and a hotel was able to not only verify a guest reservation/check-in, but confirm the photo/DL and send it to the police.
I demanded that they send me within a week the following:
1. Their (the hotel's, not Choice's) Privacy policy.
2. Their Data Retention policy.
3. The Data Security policy and what type of HIPS (Host Intrusion Prevention System) they have. (hint, she didn't know what that was.
4. Their patching policy. To which she answered "we don't patch them, we keep them safe by being off the internet".
I really doubt they have a total gap between a pure-internal system and the internet. They also do have outside IT support so people come in to work on it. What about their data destruction policy if they replace a machine or a drive? I could go on and on.
I hate to do this, but FTers and other travelers should know that this hotel is storing enough information to allow hackers to commit various types of identity theft. Not at all accusing their staff, but botnets, maintenance releases (some commercial software has had viruses or trojans). At some point, even if the management doesn't know or understand the details (and why should they, they're not IT), that machine is exposed to the outside world.
Oh, the manager told me that the policy is if someone objects, they then instead do a "visual verification" of the ID. Except their staff hasn't been trained to know that or even to understand that there are good reasons why someone should object. So the very nice helpful clerk demanded it and gave me no choice if I wanted to stay there.
Fraud warning going on my cards after this experience.
Great low-end airport hotel otherwise. I've recommended it before, and was planning more stays there. Cheapest mid-week park-n-fly in the area.
But it's off-limits as far as I'm concerned while they have this dangerous policy.
Last night I stayed there after a late arrival to DEN, before driving up the mountain today.
To my surprise, the desk clerk required that I hand her my license, because "we have to scan it and store it in the computer".
What an Identity Theft risk! A small business, with a few computers, no in-house CISSP-certified security experts (not that I'd expect that). Much larger businesses with huge Information Security departments and dedicated full-time 24/7 IT support have been hacked and had personally identifiable information/customer sensitive information stolen. TJ Maxx parent company TJX. Heartland Data Systems, one of the largest Credit Card Processors in the country.
It was 1am, I was dead tired from 6 weeks on east coast time so it felt like 3am, and it was already well-past chargeable no-show time. So against my better judgement, I checked in anyway, though let the (very nice but clueless about the issue) clerk know my opinion and asked she notify the manager.
This morning I spoke with the GM. She claims the owner decided this was a good idea. He had spoken with some other (not local Aurora/Denver) Police Department about how they'd had an investigation and a hotel was able to not only verify a guest reservation/check-in, but confirm the photo/DL and send it to the police.
I demanded that they send me within a week the following:
1. Their (the hotel's, not Choice's) Privacy policy.
2. Their Data Retention policy.
3. The Data Security policy and what type of HIPS (Host Intrusion Prevention System) they have. (hint, she didn't know what that was.
4. Their patching policy. To which she answered "we don't patch them, we keep them safe by being off the internet".
I really doubt they have a total gap between a pure-internal system and the internet. They also do have outside IT support so people come in to work on it. What about their data destruction policy if they replace a machine or a drive? I could go on and on.
I hate to do this, but FTers and other travelers should know that this hotel is storing enough information to allow hackers to commit various types of identity theft. Not at all accusing their staff, but botnets, maintenance releases (some commercial software has had viruses or trojans). At some point, even if the management doesn't know or understand the details (and why should they, they're not IT), that machine is exposed to the outside world.
Oh, the manager told me that the policy is if someone objects, they then instead do a "visual verification" of the ID. Except their staff hasn't been trained to know that or even to understand that there are good reasons why someone should object. So the very nice helpful clerk demanded it and gave me no choice if I wanted to stay there.
Fraud warning going on my cards after this experience.
Great low-end airport hotel otherwise. I've recommended it before, and was planning more stays there. Cheapest mid-week park-n-fly in the area.
But it's off-limits as far as I'm concerned while they have this dangerous policy.
Sep 27, 2009, 4:29 pm
#2
Join Date: Jun 2005
Location: Huntsville, AL
Programs: DL DM 1.929MM, Hilton Lifetime Diamond, IHG Platinum, Avis CHM, Marriott Titanium (lifetime gold)
Posts: 7,856
To my surprise, the desk clerk required that I hand her my license, because "we have to scan it and store it in the computer".
What an Identity Theft risk! A small business, with a few computers, no in-house CISSP-certified security experts (not that I'd expect that). Much larger businesses with huge Information Security departments and dedicated full-time 24/7 IT support have been hacked and had personally identifiable information/customer sensitive information stolen. TJ Maxx parent company TJX. Heartland Data Systems, one of the largest Credit Card Processors in the country.
What an Identity Theft risk! A small business, with a few computers, no in-house CISSP-certified security experts (not that I'd expect that). Much larger businesses with huge Information Security departments and dedicated full-time 24/7 IT support have been hacked and had personally identifiable information/customer sensitive information stolen. TJ Maxx parent company TJX. Heartland Data Systems, one of the largest Credit Card Processors in the country.
I think I would have either walked and demanded a cancellation, or would have paid in cash. They have no legal right to scan and store your government issued IDs.
No way am I gonna let some hotel scan in my DL in these days!
David
Sep 29, 2009, 6:24 pm
#4
Join Date: May 2006
Location: BOS and ...
Programs: UA 2MM, AA 600k, DL 500k, Hyatt GP 1M, HH Gold, Rad. Gold, CP Gold, Miracle Fruit-su Club
Posts: 9,950
I've actually had this happen, too. It was at one of the Choice Hotels up on the Olympic Peninsula, and I was dead tired like the OP, but I was flat-footed and my red flag didn't go up. My reaction was, "Meh?" I haven't even thought of it again until now. I can't even remember which hotel it was. Ohhhh, man..... ^
(And now would come the ^ argument from those who had no problem giving all their info to Clear, if many watched this board.)
(On the other hand, I guess, after years of leaving my passport with the front desk people at European hotels, they could have done anything with it. Which doesn't thrill me, either.)
********************
Make that two: QI Port Angeles and QI Sequim.
(And now would come the ^ argument from those who had no problem giving all their info to Clear, if many watched this board.)
(On the other hand, I guess, after years of leaving my passport with the front desk people at European hotels, they could have done anything with it. Which doesn't thrill me, either.)
********************
Make that two: QI Port Angeles and QI Sequim.
Last edited by Firewind; Sep 29, 2009 at 6:30 pm
