Not something I’d typically pay much attention to when booking, but in this case I was so bloody annoyed by the rubbish response and the complete lack of follow up from the Marriott Data Protection Office, that I decided to both cancel my reservation and write this blog post.
By means of a little bit of background, I’m off for a weekend away to Sao Paulo and was looking for somewhere to stay. A very good friend with local knowledge recommended staying at the Marriott Renaissance hotel there, so that’s what I booked.
I was looking to contact the hotel to book a pick-up from the airport because, after a twelve-hour flight from the UK, I didn’t want to deal with navigating an airport I’ve never been to before, especially in a country where one has to be a little more cognisant of one’s personal safety.
Nowhere on the website is an email address. Just a telephone and a *fax* number. Because we’re in 2018, that’s really how people want to communicate with a hotel.
So I tried tweeting the Marriott social media account for contact details. Zero response.
After a bit of a google, I found the Brazilian reservation team’s email address, so dropped them a message. A few hours later they got back in touch asking me to email this:
Yes, a global hotel brand is using a Yahoo email address.
I’m not sure where to start here. But let’s just think about the details that are going to get emailed there. People’s hotel confirmation numbers, names, addresses, telephone numbers, flight details and goodness knows what else.
Who has access to that email address? Are they Marriott employees? Are there any corporate controls around who has access to that data? This is all before I’ve mentioned the magic acronym, GDPR.
So, being the upstanding IT corporate citizen that I am, I emailed their Data Protection and Privacy email addresses. A couple of days later, I got the following email back.
Thank you for your email. We have spoken with the property involved and have confirmed that the transportation contact is a legitimate third party used for various transportation services. As stated in the “Disclosure of Personal Data and Other Data” section of Marriott’s Global Privacy Statement, Marriott International and its properties may leverage Strategic Business Partners, like this transportation service, to offer goods and services that may be of interest to our guests.
Strategic Business Partners. We disclose Personal Data and Other Data [including name and email address] with select Strategic Business Partners who provide goods, services and offers that enhance your experience at our properties or that we believe will be of interest to you. By sharing data with these Strategic Business Partners, we are able to make personalized services and unique travel experiences available to you. For example, this sharing enables spa, restaurant, health club, concierge and other outlets at our properties to provide you with services. This sharing also enables us to provide you with a single source for purchasing packages that include travel-related services, such as airline tickets, rental cars and vacation packages.
That being said, we respect your concerns and have asked the General Manager of the property to work with you directly to resolve your transportation needs. You should hear from them soon.
If you have additional questions or concerns, please do not hesitate to let us know.
I was pretty surprised to say the least. I replied with the following message.
Firstly thanks very much for taking the time to respond to my email. I understand that you are able to use “strategic business partners” to disclose my data, however that does not absolve you of your rights and responsibilities under the EU GDPR directive.
Please can you explain how the use of a Yahoo email address complies with your obligations as a data processor and controller? Please can you explain how you will safeguard my data? How will you comply with a disclosure request? How will you delete my data if requested? How will you ensure that my data isn’t accessed by an unauthorised person?
In summary I am very concerned by your response and would like to understand answers to these questions, as I believe that a formal complaint to the UK Information Commissioner may be necessary.
As of the time of writing this article, a week later, I’ve had no response to my queries.
So I cancelled my reservation and emailed the hotel, and the Data Protection teams telling them why.
The “Delighted to Serve” manager at the hotel emailed me back with this:
Data Protection team contacted us about your concerns.
As a Marriott hotel, we have always felt a tremendous responsibility to ensure the safety and wellbeing of our guests, and it is our intention to provide memorable experiences to our valuable guests.
Allow me to apologize on behalf of Marriott International for any inconvenience caused.
Please note that we have used this third party company for a long time, but your comments have raised an important matter to our attention. Therefore we are indeed requesting them to create their own domain in a new and safe platform.
So why the concern on my part? I, like hundreds of thousands of others, was hit by the British Airways data breach. My credit card details, CVV, and home address are now for sale on the dark web.
There have been anecdotal reports of burglaries linked to the British Airways data theft: if you know when someone is taking a flight and you know their address, there’s a high likelihood that they won’t be home for a few days to notice if the place has been turned over.
A compromised Yahoo email address holding a treasure trove of data like this is also a perfect place to conduct scams from.
So the fact that Marriott corporate hasn’t bothered to respond to my questions about a key issue is a pretty poor state of affairs.
Until companies realise that they have to protect our data properly, as the law in Europe demands, then they don’t deserve my business. In this case, the Marriott Renaissance in Sao Paulo won’t be getting mine.