More than 200,000 individuals have suffered potential identity theft at Marriott Vacation Club International (MVCI), the time-share division of hotel chain Marriott International. The company announced on December 27 that it had lost track of data backup tapes containing the personal data of approximately 206,000 employees, timeshare owners, and time-share customers. This data includes credit card details, social security numbers, and bank account information, according to Marriott.
MVCI has notified federal authorities and is investigating how the backup tapes disappeared from its Orlando headquarters. It is not clear how the tapes went missing, according to MVCI's statement; therefore, theft is just one of several possibilities. The company has also expressed remorse over the situation, and has offered a remedy for anyone who may have actually been victimized. "We regret this situation has occurred and realize this may cause concerns for our associates and customers," MVCI president Stephen Weisz said in a statement. "We have recently mailed notifications to associates, timeshare owners, and timeshare customers, and are available to answer any questions they may have." MVCI has provided email, phone, and Web options for getting more information and enrolling in a credit monitoring service that Marriott will pay for. Other than these actions, there has been no further word at press time from Marriott.
While there has been considerable focus on the information security aspect of this situation, the truth may be more basic than that, according to Ian Jacobs, strategic analyst, contact center/CRM growth service at Frost & Sullivan. "We're talking about physical security here, not about data security," Jacobs says. If backup tapes with sensitive data are left in such a way that they can be stolen or misplaced, Jacobs suggests, the issue is poor control of the location.
Jacobs also expresses concern about Marriott's response to the possibility that more than 200,000 people have been exposed to potential identity theft. "A snail mail warning isn't timely enough, especially at a time of year when the post office is slow and there are blacked-out mail days," Jacobs adds. "If credit theft is happening, it's probably going to happen fast. The company has the phone numbers and email addresses of its associates and customers, so waiting to make an announcement or using postal mail are poor responses."