Honors account information security data breach
#16
Join Date: Jul 2003
Location: Salish Sea
Programs: DL,AC,HH,PC
Posts: 8,974
I hope Epsilon doesn't even have the capability of storing more data even if its clients are dumb enough to send it.
Incidentally, ever notice the HHonors log-in page is not SSL?
#19
In Memoriam
Join Date: Feb 2000
Location: Easton, CT, USA
Programs: ua prem exec, Former hilton diamond
Posts: 31,801
The compromised data shouldn't include CC information. Epsilon is a mass-mailer service, they'll have email addresses and probably names (first only ?) so the worst that's likely to happen is you get a phishing or infected e-mail.
I hope Epsilon doesn't even have the capability of storing more data even if its clients are dumb enough to send it.
Epsilon has access to way more than the email and first name. Way more.
#21
Join Date: Jun 1999
Location: Somewhere
Posts: 1,230
A few years ago they used to run most of the HHonors site, not sure if that's still the case but if so they do have access to more than just email. I do think the letter was a weak apology and probably the result of a legal review.
#24
FlyerTalk Evangelist
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,855
I hope Epsilon doesn't even have the capability of storing more data even if its clients are dumb enough to send it.
Incidentally, ever notice the HHonors log-in page is not SSL?
https://secure.hilton.com/en/hhonors/login/login.jhtml
Same here. US Bank was the first email on Friday. Since then I have received emails from Citi and Chase. No Hilton (yet).
#27
Join Date: Oct 2003
Location: YYZ
Posts: 1,629
This is a clear breach of their privacy policy, in particular:
Protecting Personal Information
Hilton will take appropriate measures to: (i) protect personal information collected against unauthorized access, disclosure, alteration or destruction,
Obviously appropriate measures were not taken or there never would have been the breach!
#28
Moderator: CommunityBuzz!, OMNI, OMNI/PR, and OMNI/Games & FlyerTalk Evangelist
Join Date: Nov 2000
Location: ORD (MDW stinks)
Programs: UAMM, AAMM & ExPlat, Marriott lifetime Plat, IHG Plat, Hilton Diamond
Posts: 23,507
I used to offer 'breach insurance' to my clients when I was with a previous employer. While a number of breaches were due to employee stupidity (left laptop in plain sight in car while running into Starbucks in the morning, or a flash drive that wasn't cleared properly), there were a number that were caused by 'professional' hackers on companies that had numerous safeguards in place. Breaches will happen and continue to happen; how a company responds is what will set a company apart and maintain the customer's trust.
#29
Suspended
Join Date: Jan 2002
Location: LAX
Programs: AA Gold
Posts: 2,741
http://hhonors1.hilton.com/en_US/hh/home_index.do
The page that notquiteaff linked I'd only see when I enter my account number incorrectly, and I would always just close out of that page. But I've now bookmarked notquiteaff's link and I'll be using that from now on.
FWIW the homepages for SPG.com and AA.com where I log in from are also NOT secured. notquiteaff - got a secure link for them?
Back on OT, I also received the email this afternoon but I'm not worried. If Epsilon was connected to my airline accounts I would be though - big time.
Sure my cc number is at Hilton, but I don't worry about that at all. Being "robbed" by fraudulent cc usage is the one theft I wouldn't mind because I'm fully protected by the credit card's policy against fraud.
However, what I do worry about is ID Theft, having been a victim of it before. Someone had my name and SSN and was able to open a cell phone account which (not surprisingly) the thief never paid. They opened it under my name and SSN but with a different address so I never received any of the bills. It wasn't until it went to a collection agency who then tracked down my real address via my SSN that a notice was ever sent to me.
So the fact that airlines now have not only my name and address, but thanks to the Secure Flight policy, my DOB - if those accounts were breached ID thieves would have a real leg up to wreak havoc with one's credit rating....
#30
FlyerTalk Evangelist
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,855
Interesting, in agreement with Wally Bird, I've noticed for some time that logging in to Hilton is with an unsecured URL. I've had HH's homepage bookmarked and that's where I've always logged in:
http://hhonors1.hilton.com/en_US/hh/home_index.do
The page that notquiteaff linked I'd only see when I enter my account number incorrectly, and I would always just close out of that page. But I've now bookmarked notquiteaff's link and I'll be using that from now on.
FWIW the homepages for SPG.com and AA.com where I log in from are also NOT secured. notquiteaff - got a secure link for them?
Similar for SPG - the login screen on the home page itself may not be secured (I didn't check if it actually posts to an HTTPS URL though), but if you click on the login link, you get
https://www.starwoodhotels.com/prefe...t%2Findex.html
AA is left as an exercise to the reader
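The point raised above about whether a login form served on an unsecured home page "actually posts to an HTTPS URL" is something you can check mechanically rather than by eye. The script below is an added example written for this thread, not code from FlyerTalk, Hilton, Starwood or any other site mentioned: it parses a page's HTML, finds every form that contains a password field, resolves the form's action against the page URL, and classifies it. The page URL (example.com) and the HTML are constructed for the example; in practice you would feed it the fetched home page and its real URL. Note the distinction it makes: a form that posts to https:// but was itself delivered over http:// is still weak, because an on-path attacker can rewrite the form's action before the user ever types a password.

```python
"""Audit whether login forms on a page really submit credentials over HTTPS.

Added example for the thread above. URLs and HTML are constructed, not real.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect each <form> with its resolved action, method, and whether it has a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action means the form submits to the page's own URL.
            action = a.get("action") or ""
            self._current = {
                "action": urljoin(self.page_url, action),
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per form that carries a password field.

    'ok' requires BOTH the page and the form action to be https:// and the
    method to be POST. Anything else is flagged with the reason.
    """
    parser = FormCollector(page_url)
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for f in parser.forms:
        if not f["has_password"]:
            continue
        action_scheme = urlsplit(f["action"]).scheme
        if f["method"] != "post":
            verdict = "unsafe: credentials sent in query string"
        elif action_scheme != "https":
            verdict = "unsafe: posts over http"
        elif page_scheme != "https":
            verdict = "weak: posts to https but form delivered over http"
        else:
            verdict = "ok"
        findings.append({"action": f["action"], "verdict": verdict})
    return findings


# Constructed sample: an http:// home page carrying three login-style forms.
SAMPLE_PAGE_URL = "http://www.example.com/home"
SAMPLE_HTML = """
<form method="post" action="https://secure.example.com/login">
  <input name="user"><input type="password" name="pw">
</form>
<form method="post" action="/auth">
  <input name="acct"><input type="password" name="pin">
</form>
<form method="get" action="https://secure.example.com/quicklogin">
  <input name="u"><input type="password" name="p">
</form>
<form method="get" action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for finding in audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{finding['verdict']:55s} {finding['action']}")
```

Run against the constructed page, the first form is reported as weak (HTTPS action, HTTP page), the second as unsafe (relative action inherits http://), the third as unsafe (GET puts the password in the URL), and the search form is ignored because it has no password field. A login page that is itself served over HTTPS and posts to HTTPS, like the secure.hilton.com link earlier in the thread, is the only configuration that comes back "ok".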