The Ritz-Carlton chain of hotels has written to customers to warn them that data collected by the hotel is likely to have been compromised when hackers broke into data services provider Epsilon.
The Ritz-Carlton chain, headquartered in the USA, centralises data collected at all of its hotels, including franchised outlets such as the Ritz-Carlton in Kuala Lumpur, Malaysia, run by local conglomerate YTL.
The Ritz-Carlton uses e-mail addresses collected during booking for, inter alia, marketing. But even if the customer unsubscribes from the marketing material, The Ritz-Carlton does not delete that user's information from its mailing list. Indeed, the unsubscribe process specifically says that the company may continue to send correspondence that it deems to be of interest to the customer.
As a result, the company has a vast list of visitors' e-mail addresses. Yesterday, it used the list, including those who had unsubscribed, to inform them that their data had been compromised when the company to which Ritz-Carlton had outsourced its marketing e-mail distribution, Epsilon, had been the subject of a large-scale hacking and data-theft a few days earlier.
Headed "An important message to our customers", the e-mail from Ritz-Carlton says that "We were recently notified by Epsilon, a marketing vendor The Ritz-Carlton Hotel Company uses to manage customer emails, that an unauthorized third party gained access to a number of their accounts including The Ritz-Carlton email list. We want to assure you that the only information obtained was your name and email address. Your account and any other personally identifiable information are not at risk."
Of course, that is not entirely true: as criminals gain more and more e-mail lists and are able to collate and analyse the data they have, and to cross-reference it to publicly accessible data, the opportunity for detailed information to come into the hands of criminals is obvious. It's not difficult: if someone is sufficiently technically competent to hack a large company's supposedly state-of-the-art security (and this is not a dig at Epsilon: they are merely the latest in a long line of large companies to find that there are illicit ways into their systems, and they will not be the last), then writing a script to perform such analysis and cross-referencing will be simple.
Ritz-Carlton adopts a somewhat odd perspective. It says in its e-mail "In all likelihood, this will not impact [upon] you."
That's obviously not so: there is value even in a list consisting of nothing other than e-mail addresses. Criminals do not steal them, and spammers do not buy them, unless there is value. And that value is the ability to send fraudulent or otherwise undesirable mail (including unsolicited commercial mail) to those whose addresses are on the list.
It goes on "However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information. Please understand and be assured that The Ritz-Carlton does not send emails requesting customers to verify personal information."
The e-mail is not signed by any individual, which does not suggest that this issue was deemed worthy of a high-level response. So when the note says "We take your privacy very seriously. The Ritz-Carlton has a long-standing commitment to protecting the privacy of the personal information that our guests entrust to us. We regret this has taken place and apologise for any inconvenience," that seems a little hollow.
More importantly, the system raises the question as to how Ritz-Carlton gathers this information and claims to be entitled to use it.
One Ritz-Carlton customer who received the mail told ChiefOfficers.Net "I booked into a Ritz-Carlton once using a third-party booking service with which all correspondence took place. I never, ever, give a hotel my e-mail address when I check in. Therefore the Ritz-Carlton has taken information given to the booking service and put it into its own marketing service. That raises questions as to that most basic of data security issues: who has control over my data. So far as I am concerned, it should never have been Ritz-Carlton."