It's not info on 3.7M users, it's info on 3.7M reservations from 2017.
Hilton has over a million hotel rooms, 3.7M reservations is nothing.
Most likely this data comes from some OTA that was breached.
Edit: I downloaded the actual dump. It only contains 775k unique reservations from approx 450k unique people, the other 3M are just duplicates. All of the reservations are in the US, for only around 35 different properties.
The only PII contained in the dump are Hilton Honors IDs and names, there are no addresses despite the article claiming otherwise.
And really, that's not PII then. If it can be combined with other public data to further identify people, then it might be PII, but by itself it's really not much. I might be fuzzy on my PII trainings as they're a bit dated, but names and internal IDs are generally not considered personally identifying IIRC.
> Most likely this data comes from some OTA that was breached.
What do you mean here? I take OTA to mean "over the air," but I'm struggling to see the connection to this breach. Were reservations being transmitted by radio/satellite?
A third party booking site like travel.com or Priceline.com used to book hotels and airlines instead of booking directly. I never use third party sites.
Am I the only one who never gives out their real phone number? I give the same fake one to every single business that asks for it, including CC verification stuff on websites. Never had a problem, and really seems to cut down on junk calls...
I stay in a lot of hotels. I’ve never once been called. They will send an email to my “hide my email” protected email address or once I am 24 hours from check in or during my stay, I communicate with them via chat on the app.
On the other hand, I really don’t have a problem giving my real number to hotels, airlines or any other business that I deal with regularly.
99% will not get called, but having worked in hotels, guests have to be contacted all the time. Maintenance issue, plumbing leak, dog is barking too loud, overbooking, room type change, and the list goes on.
At franchised hotels in the US, which is almost all chain hotels, the employees at the front desk do not have the ability to email you, or even know your email address. The phone number is often the only way to reach you.
Hilton does have the chat app, but I do not think it works for hotels trying to reach customers with time sensitive information.
I also like digital keys and whisking myself to a room. But I would also rather know about my relocation (or any other issue) before I get to the hotel rather than after I get to the hotel.
When I worked, we used to have to often change room types from rooms with 1 queen bed to a room with 2 full XL beds (full XL is 6 inches narrower than a queen).
Of course, technically, this would modify a guest’s reservation and give them an inferior bed than the one they reserved, so we would go down the list of people who had reserved a room with 1 queen bed and ask if they were willing to change to a room with 2 full XL size beds, and as a thank you, offered a few thousand points.
Obviously, all the single business travelers had no problem accepting a couple extra thousand points for a bed that was 6 inches narrower, but if they did not have a good phone number on the reservation, they were not offered.
Not really, it was a hotel with kitchens in the room that was 90%+ occupied at all times, with 50%+ rooms occupied by long term stays. When operating at such margins, overbooking certain room types is inevitable as people extend their stays or cut them short.
Much like the person that has their 2FA app on their phone, and their backup keys burn down in their house, and then is suddenly on HN begging for Google support to help them because they are in a catch-22 situation: no one cares about the edge cases until they are being crushed under one.
Also a 1% failure rate is off the charts when you're talking about serving millions.
>> And so if a hotel is overbooked, or otherwise has an issue that would be better addressed prior to arrival, they have no way of contacting you?
> I stay in a lot of hotels. I’ve never once been called.
I've been called because of a travel issue, once. About a little more than a decade ago, I was scheduled to fly out of an airport that didn't actually end up opening for another several years. I believe the only heads-up notice I got about the change in my itinerary was a phone call about a month before my departure.
> I stay in a lot of hotels. I’ve never once been called.
I get called by hotels all the time. But maybe because I stay in a lot of "high touch" properties that pride themselves on providing exemplary service.
You're not going to get called by a Holiday Inn Express. But you certainly will get called when you're spending $800+ a night.
When I say “I stay in a lot of hotels”, I’m not exaggerating. My wife and I digital nomad 6.5 months out of the year staying in mostly mid range Homewood Suites and Embassy Suites and I also travel for work 6-10x a year where I also usually stay in Embassy Suites.
The other half of the year, we are staying in our own “Condotel”. They are individually owned condos that are rented out and managed like a hotel when we aren’t there.
When we first came to our condo in January, every day they would knock on my door at the worst time.
The last thing I want in either context - whether I’m on a business trip, “nomadding”, at “home”, or vacationing - is “high touch”.
I want to check in digitally, use my digital key and check out digitally. I put “Do not disturb” on my door the entire time.
>When we first came to our condo in January, everyday they would knock on my door at the worse time.
That is not really what high-touch means in the context of luxury hotels, $1000+/night places will generally do their best to not disturb you. Instead it's things like coordinating housekeeping based on reservations the concierge has made for you, or perhaps just quietly stocking your room with a beverage you seemed to particularly enjoy by the pool.
>I want to check in digitally, use my digital key and check out digitally. I put “Do not disturb” on my door the entire time.
I tend to prefer in-room check-in, a very common practice in luxury hotels. A front desk staffer walks you to the room, giving you an easy opportunity to raise any issues or ask any questions you might have regarding the room.
And in any case, digital check-in is unfortunately legally difficult in many jurisdictions which require hotels to scan your passport.
Apparently brand new accounts can't edit their comments, who knew. Edit: but seemingly this only applies to the very first comment you make
Regarding the phone calls, most people at this level use travel agents so the hotels won't have the client's direct contact information anyway. It's the travel agents job to communicate any preferences you might have regarding the stay.
If you're booking directly, it's common and useful for the hotel to reach out to you regarding your preferences and to see if you might need them to arrange something like airport VIP services or transfers. Nobody will be upset if you've provided a fake number and the hotel can't reach you, your reservation won't be cancelled.
Ditto. Even worse, I've tried to sign up for some services which reject the VoIP number and then send that number spam anyway. This has happened with a concert ticketing service and a food delivery app now.
I do the same thing as you. But it's worth noting that you don't know that you've never had a problem, since nobody can contact you about one.
I've only had problems that I know of three times. Once when a purchase from Ohio got mangled in shipping and returned to the company. It tried to contact me to let me know there was a delay, and when it couldn't get in touch with me, it put the order on hold. I found out about it when I called a couple of weeks later to ask what happened to my order.
Once when something I ordered from overseas had trouble getting through customs. Again, I had to call to find out what happened.
And once when I made a hotel reservation in Los Angeles. The hotel called to let me know that the upgrade I requested was available, and when it couldn't get me by phone it believed the transaction to be fraudulent and cancelled my reservation.
If you use the same fake one, then that is your number, it's just pseudonymous. It does not matter what the info is; if it is the same often, it'll build a pattern on you.
You're thinking of the direct effects when you should be thinking about the tertiary effects. Your assertion is "I don't go around advertising that this is my BTC address, they'll never know it's mine"
Does make me wonder about throwaway accounts (on reddit, for example); I wonder how many people regularly create them, but use predictable patterns doing so...
I have a burner phone that I never answer... only used for getting SMS confirmations and the like, and on silent or turned off altogether when I'm not expecting one.
Most people with more than 1-3 email addresses have one account that has a publicly documented form to get unlimited email addresses. If you use gmail there are two ways to add an alias: the plus sign and adding dots between letters. It is trivial for anyone to check for a plus sign in an email address, and change the part after it, thus giving themselves a different alias that you probably don't have blocked. Or they can change yourName+evilCompany@gmail.com to yourName+goodCompanyWeWantToFrame@gmail.com.
Because this is so obvious I do not consider email per service useful unless you can cheaply create aliases that are not related to your main email, and adding aliases is not an automatic scheme; instead you have to do all of them or the entire scheme is useless, and the effort is high enough that I doubt the average person would do this even if we made it easy. Don't forget that you also need to select the right account to send from for each message while you think the place is not evil.
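The plus-tag and dot rules from the comment above, as an added example that is not part of the thread: a small normaliser that collapses addresses onto the inbox that really receives them, which is why a per-service plus alias is linkable to the base address while an unrelated relay alias is not. The domain list and the sample addresses are constructed for this example.

```python
from collections import Counter

# Domains where Google's alias rules (dots ignored, +tag dropped) apply.
# Assumption for this example: only these two Google consumer-mail domains.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_inbox(address: str) -> str:
    """Collapse an address to the inbox that actually receives it.

    '+tag' is dropped for every domain, since plus-addressing is a widely
    supported convention. For Gmail domains the dots in the local part are
    ignored too and googlemail.com is folded into gmail.com.
    """
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    local = local.split("+", 1)[0]          # per-service tag is not part of the inbox
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")      # a.b.c == abc for Gmail
        domain = "gmail.com"
    return f"{local}@{domain}"

def same_inbox(a: str, b: str) -> bool:
    """True if the two addresses deliver to the same mailbox, i.e. the alias
    in one can be trivially linked back to the other."""
    return canonical_inbox(a) == canonical_inbox(b)

def inbox_counts(addresses) -> Counter:
    """Count how many listed addresses collapse onto each real inbox; this is
    the dedup step a breach-dump analysis would do before counting 'users'."""
    return Counter(canonical_inbox(addr) for addr in addresses)

# Constructed sample list; not data from any real dump.
SAMPLE_ADDRESSES = [
    "yourName+evilCompany@gmail.com",
    "your.name+hotel@gmail.com",
    "YOURNAME@googlemail.com",
    "jane+news@example.org",
    "jane@example.org",
    "k2r9w@relay.example",   # an alias unrelated to its owner's real address
]

if __name__ == "__main__":
    for inbox, n in inbox_counts(SAMPLE_ADDRESSES).items():
        print(f"{n} address(es) -> {inbox}")
```

Only the relay-style alias in the sample survives as its own inbox: nothing in it derives from the owner's real address, which is the property the comment says a per-service scheme needs.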
You got to choose the name you were listed in. My grandpa always used his initials because he knew some old widows in the 1950s who didn't want scammers to know only a woman lived there, which they could guess by a girl's name when every other entry in the phone book was clearly a man's name. (Make sure you read the above in your 1950s culture thinking; it won't make sense in the mode of modern culture.)
By the same token, many such widows from that era — and, in many cases, later on — simply never changed their phone listings after they became widows. I recall my hometown’s phone listings containing many long-dead guys’ names for precisely that reason.
The real risk is that there’s backend integration between multiple systems. It’s a nexus between airline and other systems, and if you are a person with personal security concerns who hasn’t really thought about this scenario, you need to think because you’re compromised.
Welp, that explains the spam call I got the other day trying to convince me that I'd been randomly drawn for a free stay. That despite never registering for their program and not having stayed since before the pandemic (and even then only on work trips where I didn't get to pick the hotel).
Our team has cross-checked several names from the sample list provided. Many are genuine.
It's a six-year-old list, email IDs and even phone numbers might change.
Hilton, like many companies, has a record of denying breaches until it hits on the face. They were fined $700K for an earlier breach mentioned in the report. Under GDPR, the fine would have been $420M.
How come you didn't bother to check the list for dupes? You'd have found out that it only contains 755k unique entries, out of which only around 450k are unique users.