How to notify guests that Starwood posted their details online?

Old Jul 8, 2013, 3:49 pm
  #1  
Original Poster
 
Join Date: Dec 2004
Location: AUS
Posts: 690
How to notify guests that Starwood posted their details online?

As mentioned in this thread, the Starwood website makes a lot of information about some guests available to Google, including their name, (usually home) address, phone number, email address, SET code (if they use one), SPG number, and final credit card digits, along with detailed travel plans (property, stay dates, room type, number of travelers, rate paid or Starpoints used).

This affects a small number of guests at a time, but anyone's information could leak to Google if their reservation is bookmarked anywhere visible online. It isn't protected by any password.

For example:
  • K.B. prepaid a premium deluxe room at the Westin New York Times Square for USD 224. She checked in at 5:15 AM.
  • S.C. used Booking.com to reserve a room at the W New Orleans for USD 204.
  • A.F. booked a room at the Westin San Francisco Market Street using a corporate rate, but cancelled.
  • S.G. booked a room at Le Westin Montreal with a Visa at the CAA rate, CAD 263.
  • A.H. redeemed Starpoints to book a room at the Sheraton Orlando Downtown.
  • W.J. stayed in a harbor view room at the Sheraton Hong Kong Hotel & Towers for HKD 3,525 a night. The stay earned StarChoice credit.
  • Y.L. redeemed Starpoints to stay at the Westin Atlanta Airport.
  • I.M. stayed at the Sheraton Norfolk and paid a corporate rate using AmEx.
  • J.P. booked a room for two adults and one child at the Westin Grand Cayman for the AARP rate, USD 529.
  • P.R. got a deluxe room at the Sheraton Wilmington for the AAA rate, USD 184.
  • H.S. prepaid with a VISA for a golf/mountain view room at the Westin Maui at the Early Bird promotional rate, USD 239 + USD 31.25 resort fee. She applied Suite Night Awards (which haven't cleared yet) to request a premium suite.
  • S.S. reserved a room at the Four Points LAX at the AARP rate, USD 92.65, but cancelled the reservation.

This isn't just a travel and credit card issue. Even if someone cancels their reservation, the data is still in the Google index, so someone can Google an email address and get a home address.

Starwood isn't doing anything about the problem. I'm not sure if any of these travelers know their private information got posted online. All their phone numbers and emails are part of Starwood's privacy violation. It doesn't seem right for random Internet people to start calling or emailing them, but it seems wrong to leave them in the dark about it.

Does anyone have a suggestion on what to do about this? If Starwood posted your phone, email, and address online, how would you want to hear about it? And from who?

Thanks for any advice, and I'm sorry about repeating myself on this forum.
Moriens is offline  
Old Jul 8, 2013, 4:28 pm
  #2  
 
Join Date: Sep 2012
Posts: 1,748
Sl OT, does anyone with knowledge of website coding etc know how this happens?

How is Google able to trawl a supposedly secure webpage? Is it shoddy coding, or is this something Google can do to any other website, and it depends on the website to contact Google to "clear the cache" so to speak?
travelswithmyself is offline  
Old Jul 8, 2013, 4:34 pm
  #3  
 
Join Date: Oct 2007
Location: DCA
Programs: DL DM, AA EXP, various hotel
Posts: 2,227
Not only can you see everyone's info, but it's pretty clear you could go through changing and cancelling reservations at will.

Bad form, Starwood.
SamOF is offline  
Old Jul 8, 2013, 4:45 pm
  #4  
Suspended
 
Join Date: Jan 2012
Location: ヒルトン大阪
Programs: ゴールデングローブ
Posts: 1,982
Thanks for warning us. How can we find our information?
TallestHotelInJapan is offline  
Old Jul 8, 2013, 4:53 pm
  #5  
Original Poster
 
Join Date: Dec 2004
Location: AUS
Posts: 690
Originally Posted by travelswithmyself
Sl OT, does anyone with knowledge of website coding etc know how this happens?
Like most hotel chains, Starwood lets people without SPG accounts access their reservations using last name and reservation number, because they don't have any other password set up. This is normal for the industry.

Starwood still uses last name and confirmation number as a kind of back door into reservations by SPG members. This is bad (security) policy, and the website should ask SPG members with online accounts to log in before viewing reservation details. I don't know why Starwood doesn't do this. Maybe they want assistants to access executives' individual bookings, but not their Starpoint balances?

When you look up a reservation, the Starwood site echoes all your information back to you unredacted (except for the first part of your credit card number). This is just a bad idea. You know what your own address is.

When you look up a reservation using your last name and confirmation number, on top of not asking for a password, the website puts those details in the URL of the page you see. (They use the HTTP GET method instead of POST.) This is shoddy coding, because anyone who sees that URL anywhere (as a bookmark or a log entry or something) can access your reservation. (The sensitive details show up after the question mark in the URL in your browser's address bar. This is bad.)

Last edited by AZ Travels the World; Jul 17, 2013 at 9:26 pm
Moriens is offline  
Old Jul 8, 2013, 4:55 pm
  #6  
Original Poster
 
Join Date: Dec 2004
Location: AUS
Posts: 690
Originally Posted by TallestHotelInJapan
Thanks for warning us. How can we find our information?
Most likely yours isn't there. This is only a problem for a few guests at a time.

If you want to take the risk, Google your numeric SPG number, or the email address you use for SPG if you don't mind Google storing that search. (Obviously, delete Google's cookies, including DoubleClick, before and after you do this.)

(If your email address is found in many places on the web, add site:starwoodhotels.com to your Google search.)
Moriens is offline  
Old Jul 8, 2013, 5:52 pm
  #7  
Suspended
 
Join Date: Jan 2012
Location: ヒルトン大阪
Programs: ゴールデングローブ
Posts: 1,982
Originally Posted by Moriens
Most likely yours isn't there. This is only a problem for a few guests at a time.

If you want to take the risk, Google your numeric SPG number, or the email address you use for SPG if you don't mind Google storing that search. (Obviously, delete Google's cookies, including DoubleClick, before and after you do this.)

(If your email address is found in many places on the web, add site:starwoodhotels.com to your Google search.)

Oh, I did the Google search and, lucky me, my email address does not show up at all! And yet, it seems to be a serious breach of data and security!
TallestHotelInJapan is offline  
Old Jul 8, 2013, 8:27 pm
  #8  
 
Join Date: Sep 2012
Posts: 1,748
Originally Posted by Moriens
Those pages aren't marked noindex/noarchive and Google isn't banned from them via robots.txt. This is also shoddy coding, because Google can't tell property/overview/index.html?propertyID=1234 (which it should index, or you couldn't Google the W Times Square) from reservations/review/details.html?confirmationCancellationNumber=###### ###&requestedLastName=PAASSCHEN&propertyID=1234 (which it absolutely should not index, but more importantly should never be able to see).

Moriens, thank you for the detailed explanation. At least I now have a bit more knowledge about how this happened.

I am going to link your post to the "main thread" which is

http://www.flyertalk.com/forum/starw...nvelope-6.html

because the Lurkers have posted an official response saying they have cognisance of the matter. Hopefully your details will help the "IT Team" get their act together.
travelswithmyself is offline  
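Added example (not part of the thread and not Starwood's code): a small Python WSGI handler showing the fixes described in posts #5 and #8. The lookup is accepted by POST only, so the name and confirmation number never appear in a URL; every response carries noindex/no-store headers; and the echoed details are masked. The record store, sample values and function names are hypothetical; the two form field names are the ones quoted in post #8. Requiring a login for members, which post #5 also calls for, is outside this example.

```python
from urllib.parse import parse_qs

# Constructed sample record; a real site would query its reservation store.
RESERVATIONS = {("EXAMPLE", "000000000"): {
    "email": "guest@example.com", "address": "1 Example St", "card_last4": "4242"}}

SAFE_HEADERS = [
    ("Content-Type", "text/plain; charset=utf-8"),
    ("X-Robots-Tag", "noindex, noarchive"),  # tell crawlers not to index or cache
    ("Cache-Control", "no-store"),           # keep browsers and proxies from storing it
    ("Referrer-Policy", "no-referrer"),      # do not pass this URL on to other sites
]

def mask_email(addr):
    """Show just enough of the address for the guest to recognise it."""
    local, _, domain = addr.partition("@")
    return local[:1] + "***@" + domain

def app(environ, start_response):
    """Hypothetical reservation-lookup endpoint (WSGI)."""
    # A GET lookup carries the name and confirmation number in the URL, where
    # bookmarks, logs and crawlers can pick them up, so only POST is accepted.
    if environ["REQUEST_METHOD"] != "POST":
        start_response("405 Method Not Allowed", SAFE_HEADERS + [("Allow", "POST")])
        return [b"Use the lookup form; reservations are not served by URL.\n"]
    size = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(size).decode())
    key = (form.get("requestedLastName", [""])[0].upper(),
           form.get("confirmationCancellationNumber", [""])[0])
    rec = RESERVATIONS.get(key)
    if rec is None:
        start_response("404 Not Found", SAFE_HEADERS)
        return [b"No matching reservation.\n"]
    start_response("200 OK", SAFE_HEADERS)
    # Echo only masked values; the guest already knows the home address.
    body = "email: %s\ncard: ****%s\n" % (mask_email(rec["email"]), rec["card_last4"])
    return [body.encode()]
```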
Old Jul 8, 2013, 8:56 pm
  #9  
 
Join Date: Aug 2009
Location: NYC
Programs: UA, BA Avios, AMEX Plat
Posts: 497
How to notify guests that Starwood posted their details online?

Well we have their emails/phone numbers/addresses so that takes care of the "how to notify."

Joking aside, this is a pretty poor show from the IT dept at Starwood. I wonder how many other businesses are susceptible to search engine crawling.
eyeballer is offline  
Old Jul 9, 2013, 6:02 pm
  #10  
 
Join Date: May 2005
Location: Los Angeles, CA
Programs: AA EXP(.96MM), AMEX Platinum, United Premier Silver, Delta Gold, SPG Platinum 50, Hilton Gold VIP
Posts: 1,744
Looks like Starwood IT has responded and they started shielding the confirmation from guests:

PICS here: http://bit.ly/14HoPml
jammanxc is offline  

