News Stay informed about the latest enterprise technology news and product updates.

Marriott timeshare unit reports lost tapes

A division of hotel and travel company Marriott International Inc. divulged this week that it lost tapes containing data on 206,000 customers.

Marriott Vacation Club International (MVCI), the vacation ownership division and subsidiary of Marriott International Inc., had a nasty Christmas Eve surprise for 206,000 of its customers: a report that backup tapes had been lost containing sensitive personal data, including Social Security numbers, and bank and credit card numbers.

MVCI released a press release Dec. 27 reporting that the tapes had "disappeared" from the corporate office in Orlando Fla., -- in mid-November, according to some reports. The company said that the letter to affected customers and associates had only gone out Dec. 24 because they were first trying to find the tapes, and then conducting an investigation to figure out what data was on the lost cartridges.

Related articles

Effective storage security policies

Best practices for off-site storage


How to stop data thieves and old bad habits

Securing the tape custody chain

It was unclear how many tapes were lost, or how they were lost; the company does ship its tapes off site, but MVCI corporate spokesperson Ed Kinney said that the tapes were not lost by a courier or off-site storage firm.

According to an official statement on the company Web site, "MVCI will be reviewing its policies and practices around the storage of customer and associate data to ensure that sensitive data is only stored where absolutely essential." Kinney declined to give further details on what steps MVCI is considering to strengthen data security.

The company sent four separate letters to all its customers: one indicating the customer's credit card number was among the data lost on the tapes; one for Social Security numbers; one for bank account numbers; and one letter to unaffected customers. Customers whose data fell into multiple categories were sent multiple letters.

MVCI said it had also notified state and federal officials, credit card companies, credit reporting agencies and the U.S. Secret Service of the loss.

The company has also established a special contact telephone number, (800) 952-8145 and a Web site, or impacted individuals may e-mail the company here.

Finally, MVCI is offering free credit-report monitoring with Intersections Inc. The service includes a three-bureau credit report, and assistance reviewing the report and placing a fraud alert. The company had previously enrolled customers with identity theft insurance, and mentioned in its letter to impacted individuals that they were eligible for up to $2,500 in financial reimbursement, with a $250 deductible for certain expenses associated with identity theft.

A high-profile problem in 2005

Data security, and the loss of tapes containing sensitive information, was a hot topic this past year, after a lengthy list of companies, including CitiFinancial, Bank of America Corp. (See Banks mull data security in wake of missing tapes, March 1 and Tape Caper: Users split on data security options, June 9).

In response to concerns about data security, legislation has been enacted in several states this year, including New York, Nevada and Texas, requiring disclosure of security breaches and hefty penalties for noncompliance. A nationwide version of the state regulations, the Specter-Leahy Act, is currently being debated in Congress. See also Privacy expert calls for action on Specter-Leahy bill, Dec. 12.

In the wake of security concerns, the industry has been pushing the encryption of data throughout its lifecycle, including tapes taken off site. Many security breach laws, such as the one passed in New York, provide an exemption for companies whose tapes are encrypted. Off-site storage vendors, such as Iron Mountain Inc., have also begun offering encryption services to customers.

Dig Deeper on Tape backup and tape libraries

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.