Marriott loses track of sensitive data
By Michael S. Rosenwald
Washington Post
WASHINGTON — Marriott International Inc.'s time-share division said yesterday it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company.
Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, were stolen from the company's Orlando, Fla., headquarters or were simply lost.
An internal investigation produced no clear answer. The company notified the Secret Service over the past two weeks, and has also told credit card companies and other financial institutions about the loss of the tapes.
The company began sending letters to time-share owners and customers Saturday, and issued a press release about the loss yesterday. Company officials said they delayed making the matter public until they had researched what information was on the tapes and who it affected, and determined the issue was sensitive enough to warrant a broad disclosure.
"At this point, we are taking all things into consideration," company spokesman Ed Kinney said. "The tapes may have been taken, but they could have been misplaced. We're still investigating the situation."
The Vacation Club has told time-share owners, customers and the division's employees to be on the alert for changes to their credit histories or accounts. So far no one has reported any misuse, Kinney said. Those affected have been offered free credit monitoring services.
"We regret this situation has occurred and realize this may cause concern for our associates and customers," said Stephen P. Weisz, president of Marriott Vacation Club International, a wholly owned subsidiary of the Bethesda, Md., hotel chain. The company has more than 280,000 families using its time-shares worldwide.
The loss of Marriott's tapes is the latest in a series of high-profile security lapses involving data that can be used in identity theft schemes. In 2005, there were at least 134 data breaches affecting more than 57 million people, according to the Identity Theft Resource Center, a California nonprofit.
Last February, ChoicePoint Inc. disclosed that it had released thousands of reports containing names, addresses, Social Security numbers and financial information to people posing as officials in legitimate insurance, debt-collection and check-cashing businesses. In June, MasterCard International said that Card Systems Solutions, which processes credit card transactions, had been hacked and that 40 million people had their credit card information exposed.
Even high-security defense companies have been victimized. In January, thieves stole computers from Science Applications International Corp. of San Diego that contained personal data on thousands of current and past employees, including former military and intelligence officials.
It is not clear how many cases of identity theft have been caused by the data breaches. However, there are now about 10 million cases of identify theft a year, with total losses of $53 billion, said Robert Douglas, a Colorado privacy consultant and chief executive of PrivacyToday.com.