KosherKimchee

Domestic Sheraton property, front desk supervisor emails every guest in hotel about a non-critical facility issue. Doesnt use BCC and therefore all guest's names and email addresses are made available to all -- seems like a massive privacy breach and security issue. I'm pretty pissed but at the same time, I'm sure this person was just clueless and dont want to cost her a job. Thoughts?

MSPeconomist

Maybe it should cost the supervisor her job; this mistake is something that really cannot be undone. One reason I stay in USA chain hotels is that they are much more likely to have strict rules about things like never announcing my room number aloud. In the case of this email, you have proof of what was done and who did it, so the hotel cannot deny that this happened, nor can the supervisor deny it unless she has given someone else access to her work email account, which presumably would violate policy too. This is probably a big hotel and you have no way of knowing who might be among the other guests that received the email with your personal information.

Moreover, if the names were taking from a room list, the odds are that the emails are listed in order of room numbers, not alphabetical, which could compromise guest safety during their stay. If you suspect that this has happened, you might want to consider a change of rooms, depending somewhat on what you use as your email address (i.e., does your email address include a full female first name or the name of your employer?).

PayItForward

Likely an oversight but needs to be addressed. And if anything, someone else probably had also noticed this and will also be contacting (or already contacted) the property (or corporate) about this. You will just be another concerned guest.

COSPILOT

I can't imagine this was a manager issue, but maybe a glitch with the CRM software used. Alert the hotel manager and let them know. I've yet to interact with a CRM software that I actually like, and is fully integrated (without issues) with Outlook.

RogerD408

Yes, this should be reported and used as a learning opportunity to prevent future occurrences. Termination is not a solution as the lesson learned is lost once she's out the door.

Personally, I use unique addresses as much as I can (i.e. [email protected]) so I can track where the sender got my address. Yes, it can be hacked, but most spammers won't take the time since they are dumping thousands of messages on the net and only need a few responses to make it profitable.

tfong007

A total blunder. My guess is they probably won't be doing that again.

Forstbetrieb

Are you sure? Beside these " normal " things ( like room number and name etc. ) my worst case scenario at a starwood hotel was some years ago a list with all...

Names, room numbers, rates, vip level, roomtypes, confirmation numbers, credit card numbers, id number, e mail etc. in a club lounge on the desk. There was no staff.

When I saw this, I have taken it and have done a little walk to the reception...

Just made the privacy of others...

Oxon Flyer

Maybe a question best answered by a staffer, but is there really a 'not-bcc mail to everyone on the register' function available to front desk staff ? Isn't there any software control to stop this happening ?

JackE

Good point. I've seen at least one e-mail client with pop-ups that say something like "You are copying more than 25 recipients. Click OK to proceed or Click Cancel."

In this case, the one most in need of a lesson learned is the IT manager.

slidergirl

I never saw a function like that. Now, I never emailed a blast myself to lots of guests, but I did send frequently to lots of staff. I know that there are email "blasts" sent by Sales out to past guests to announce a new rate or special event. I do not know how those emails are culled and put into a mailing list.

I always chuckle when I see the "retrain" statements - at the hotels I've worked at, how to email was never a topic taught. Just how much training do you thing Front Desk staff receive before being shoved out to the Desk? I've seen anywhere from a couple of days to learn LightSpeed basics to a week where you are watching another FDA before taking over the terminal. Usually, your training is only as good as how long your "trainer" has been on the job and learned all those little things that are not documented or formally taught. I've had Front Desk Managers who never were FDAs - they were Butlers, Bell Captains, Concierge before they were hired as a Manager. Guess who teaches them??? The existing FDAs...

Sealink

No amount of training will stop someone making a mistake.

They'll probably be disciplined but hopefully won't cost them their job.

Also most of us hotel guests aren't waiting around to get emails so we can spam , visit rooms etc.

There are not bogeymen around every corner.

MSPeconomist

The worst example of this I experienced was at a LC property in Europe, where there was a self-serve printed list at the entrance to breakfast with all of these details about every hotel guest, not just those with lounge access. No staff members were around and the entrance was positioned in such a way that someone could have easily photographed it or copied as much as desired without anyone seeing it happen. It was also a city hotel where nonguests frequently came to breakfast in the beautiful building. I complained, but it was hard to convince management at the hotel that this was a problem in any way.

flyertalker54234

If the email is visible but no other details, I do not regard it as security issue. Since any email contact with a supplier leads,to your email heing sold on I use a separate email account for this purpose with no connections to my personal data. We have reached a decision point as suppliers want more info about us to tailor the customer experience and by holding it are more likely to let it slip imto tue outside world. As I say set up a junk mail account for them and use high level filtering which can block cold spamcasting.

fastflyer

My favorite situation like this was a semi-public web application hosted at my college in the US, where anyone in the "community" (read: anyone) could access a database of alumni names, parents names (including mother's maiden name), past and present addresses, classwork from decades ago, e-mails, dates-of-birth, etc. And this was not an opt-in situation; in order to delete this identifiable information, each alumni had to remove each field via a laborious user interface.

Another example: Florida used to publish a list by county with the name, address, and date-of-birth of every registered voter. DOBs are SSI.

The awareness of what constitutes an information security breach has clearly not reached everyone, especially in government and quasi-government organizations. I support making publication of private identifiable information a felony. At a minimum it should be actionable for tort.