Triangle Trip

Starwood (SPG) needs to learn about security and privacy

by Captain G on Nov.25, 2011, under Hotels



I contacted the Starwood Preferred Guest’s (“SPG”) Platinum reservation line to redeem my Starpoints for a hotel stay. The customer service representative (“CSR”) was friendly as usual but was not able to help me with my reservation and raised a huge security and privacy concern. Before I could complete my Starpoint reservation, the CSR requested the password to my SPG account. When I told the CSR that I did not recall setting up a password to make Starpoint redemptions or any special types of reservations, she informed me that she needed my website password to complete my reservation.

After trying for over 10 minutes to explain to the CSR that it would be a security breach if I had given her my password, I decided to ask for a supervisor. All the supervisor could do was to refer me to Starwood’s corporate policy which required me to provide my personal password to complete the reservation. She also told me that I could make the reservation via spg.com and stop hassling her. The supervisor also didn’t want to provide me a name or number for Starwood to escalate this issue.

I’m also pretty sure I am not the only SPG member to have raised this security concern to the SPG call center. I am also extremely baffled to have learned that Starwood Corporate has such a lax customer security and privacy policy. SPG needs to learn from Hilton, where they only require two pieces of private information (i.e., mailing address and phone number on file) to make a points redemption reservation. SPG also needs to understand that its members’ passwords may be used on multiple sites. The SPG team should look at the cartoon below and learn more about security and privacy policies (special shout out to Brian Lewis’ blog for providing this cartoon image link).

 
1 comment for this entry:
  1. Kyle

    I just had a similar experience. They asked for my password, and when I wouldn’t give it to them, they asked for my mother’s maiden name. Apparently I never set that up though. They then proceeded to ask for my address, phone number, email, and last stay with them. That’s enough information to possibly steal an identity.

    How do they not get this?
