My Starwood Account Was Compromised: More Details — and What Happened
Earlier today, I reported that my Starwood Preferred Guest frequent guest loyalty program account was compromised, with the Starpoints I earned wiped out of the account. Here is the story of how I found out about it; as well as what I did about it.
I checked my e-mail account as I usually do; and the first thing I saw was a message titled Enjoy Your Gift Certificate. “Great”, I initially thought, thinking that perhaps there was some kind of promotion or something where maybe I received a gift certificate for some small amount which I could enjoy somewhere…
…but then I scrolled down and found two additional e-mail messages with that title; as well as four e-mail messages titled Your SPG Account has been Updated — two of them which contained the following text:
We noticed that the contact information on your SPG® profile has been updated. If you made this update, you don’t need to do anything more. If you didn’t make this change — please contact your nearest SPG Customer Contact Center as soon as possible.
…and two which contained the following text:
We noticed that the web security (password and/or security questions) associated with your SPG® profile has been updated. If you made this update, you don’t need to do anything more. If you didn’t make this change, please contact your nearest SPG Customer Contact Center as soon as possible.
I then had this sinking feeling in my stomach, thinking “Uh oh. This cannot be good…”
In the succession of e-mail messages, among the items for which my Starpoints were redeemed were gift cards for Nordstrom and Starbucks. I had not shopped at a Nordstrom location in years — I cannot stand shopping for clothing or most anything else, for that matter — and I do not drink coffee; nor would I consider redeeming frequent travel loyalty program miles or points for gift cards.
I then attempted to log into my Starwood Preferred Guest frequent guest loyalty program account using my user name and password — only to find the following message:
We cannot locate this Starwood Preferred Guest account. Please correct any errors and click the “Sign In” button again, or contact us and we will be glad to help.
Here is the transcript when I first used the on-line chat option — and I converted the name of the representative to initials to protect the privacy of that representative:
R.S.: Thank you for using Starwood Preferred Guest Click-to-Chat, my name is R.S.
R.S.: Hello Brian, I am happy to help you today.
Brian: Thank you.
R.S.: In order to assist you, for security reasons, may I ask you for the verbal password on your account?
R.S.: Thank you Brian, can you please give me one moment while I access your account?
R.S.: Brian, can you think of any other verbal passwords on file?
R.S.: Brian, are you still available?
R.S.: I apologize, it has been more than four minutes since I last heard from you. It appears you are not available at this time, or you have left your work station.
Feel free to contact us again should you require further assistance.
R.S. has exited the session.
You are the only user left in the session.
Brian: I believe my password was changed.
I had stepped away for a moment because something else required my attention — but the session ended; so I used the on-line chat option again:
Brian: My account was compromised. My password was changed, my Starpoints wiped out, and my account inaccessible.
T.K.: Thank you for using Starwood Preferred Guest Click-to-Chat, my name is T.K.
May I please have your Starwood Preferred Guest membership number?
T.K.: Thank you. One moment please while I check your account.
Brian: Thank you.
T.K.: I see there was quite a bit of activity on the account today. May I please get you to confirm your address please?
T.K.: I am seeing a different address?
Brian: My address and password were apparently changed.
T.K.: One moment please, while I check into your account a bit further.
Brian: Thank you.
T.K.: I will send out an inquiry right away to our program services department and have them look into the account. It appears your e-mail address was not changed. I will have them contact you directly. One moment while I contact that department.
Brian: Thank you. I will be here.
While I was waiting, the chat ended with the following message:
Unable to connect to the application server. This may be due to a firewall or network connectivity issue. Please try reconnecting later.
I could not reconnect with the chat again using either the Safari or Firefox Internet web browsers; so I called the toll-free telephone number and spoke to a representative. She informed me that my Starwood Preferred Guest frequent guest loyalty program account was indeed flagged and brought to the attention of the account integrity department. My address was changed to an address located in Canada; and the user name was changed to a Google Mail e-mail account name. I have that e-mail address — as well as the “business name” which was added to my account — but I prefer not to publicize it here similarly to how those who seek attention at sporting events are not broadcast on television with their antics.
Fortunately, the person or people who compromised my Starwood Preferred Guest frequent guest loyalty program account did not change my e-mail address so that I was able to receive the aforementioned messages alerting me of the activity: the representative told me that there was one other case to her knowledge which was reported of someone who was wiped out of nearly 400,000 Starpoints and had all of her information changed — including her e-mail address.
The representative stayed on the telephone with me until I received the e-mail message with the user name that the person or people used; along with a temporary password. She assured me that the redemptions for the gift cards were in the process of being canceled. I suppose this is one reason why up to six weeks need to be allowed before the gift cards are delivered. Immediately after that, I accessed my account and changed my information to the correct information — and lo and behold, my Starpoints were restored.
Shortly after that, I received this e-mail message from a member of the account integrity department, which contains some useful advice:
As a valued member of the Starwood Preferred Guest® (SPG®) program we are writing to inform you that we recently became aware of a potential unauthorized entry into your SPG® account. Starwood Hotels & Resorts® makes the privacy and security of our guests’ personal information a priority.
All the misused points have been re-instated to your account.
At your convenience, if you have not already done so, please login and update all of the access information listed below which can be found under My Profile in the My Account section:
- Web password
- Security question / answer
- Verbal password
Please also ensure all of your contact information including mailing address, telephone number and email address is correct.
We regret any inconvenience or concerns this incident may cause. Please be assured that we are taking these actions because we are committed to upholding the highest business standards and practices in processing and securing customer information.
We want to remind our SPG® members to please take proper precautions to help secure against unauthorized access to your SPG® account.
We recommend that you:
- Do not use your email address as your web login id.
- Use a complex password and regularly update it.
- Use different log in credentials on SPG.com than you use on other websites.
- Always check your account regularly.
- Promptly report any potential suspicious activity to us.
If you prefer to have a new SPG® account and number, please enroll at SPG.com and advise us of the new account number via return email at which time we will merge the old account into the new one.
Although the recommendations listed above are indeed sound advice, there is not much you can do if the person infiltrating your account is technologically savvy and determined. Unlike the Hilton HHonors, InterContinental Hotels IHG Rewards and United Airlines MileagePlus frequent travel loyalty programs which use personal identification numbers with four digits, the Starwood Preferred Guest program allows for its members to use more complex passwords — and yet this still happened.
By the way, I manage all of my frequent travel loyalty program accounts manually; and I use different passwords for each of them.
I was not worried that I would never again see the Starpoints I earned; but the situation was indeed an inconvenience.
Perhaps this incident was merely coincidence — or maybe I was targeted due to reporting on similar account breaches with Delta Air Lines SkyMiles, American Airlines AAdvantage, United Airlines MileagePlus and Hilton HHonors. I do not know. Then again, the account of one of my credit cards was compromised last month; and in this article, I give a detailed report on how to attempt to prevent that and identity theft from happening to you — as well as what to do if it does happen to you.
Apparently I am not the only person to whom this has happened, as I found a discussion where this has happened to FlyerTalk members recently.
All I know is that the proliferation of unauthorized access to the frequent travel loyalty program accounts of unsuspecting members appears to have increased significantly. I only hope that the companies which maintain these programs become more proactive in protecting those accounts — thereby saving time, money and effort while reducing inconvenience for all involved.
Better yet: it would be preferable if those who are responsible for these acts could use their knowledge of technology for beneficial improvement instead of stealing the frequent travel loyalty program miles and points from members who worked hard to earn them.
Hopefully this article was helpful to you — and that your frequent travel loyalty program miles and points are indeed intact after you have checked on your accounts…