Travel Forum







  #1 (permalink)  
24th November 2010, 05:29 AM
steveadmin (Administrator)
Join Date: Oct 2009
Location: Bath UK
Posts: 858
Global Hotel Alliance: Privacy Breach

If you are a member of the Global Hotel Alliance loyalty programme, you'll want to read about this incredibly concerning privacy breach I discovered last week, not to mention the appalling level of customer service I received on reporting it.

On 16 November at approximately 9:30am Tokyo time I received an email through entitled "GHA Discovery Newsletter-November". Inside it contained the usual advertising bumph as well as a summary of my GHA loyalty program status. I noticed I had "1 Local Experience" (a type of reward) listed in the summary, which I wasn't aware of, so I clicked on the link and it took me through to the GHA.com website and logged me in. In the following screenshot I have blocked out some of my details in white.



I was immediately puzzled, as in the top right of the screen it said someone else's name, next to the words "Log Out". See the following screenshot (the surname has been partially blocked out in white to protect the member's privacy):



Thinking perhaps my membership number had been incorrectly linked to someone else's account (it was newly opened), I clicked the unfamiliar name. This took me to the member menu. I clicked "View My Account" and I was shocked to see that it displayed to me the membership details of this person, including membership status, membership number, and expiry date.

I logged out and returned to the November Newsletter, thinking the system had had a malfunction so I would start afresh, and clicked on the "My Account" link once more.
I was logged in again - but now into a different member's account.

Every time I clicked on the link in the email, I was logged into a different member's account. For these people I was able to view:

-their membership no, level and expiry date
-their GHA hotel history, including places stayed at and dates
-their email/phone
-their postal address
-their membership card, including the option to print one.

Again, personally identifiable details have been blocked out in white in the following screenshots; the originals have now been deleted from my system.









Realising the extreme seriousness of this security breach - just who, right now, was viewing MY personal information and possibly using it for nefarious purposes? - I immediately fired off an email to the Global Hotel Alliance loyalty programme team, who seemed to be based in the USA.

A whole business day passed without even an acknowledgement.

I sent a follow up query stressing the seriousness of the matter and asking for at least an acknowledgement, as well as a separate email query to the Head Office of Global Hotel Alliance in Geneva, Switzerland. The following day I received the following stock response from the US Loyalty Programme team:

Thank you for expressing this observation and your concern for your privacy. We experienced a technical issue through the Newsletter link you received; it was an isolated case and it was identified and resolved almost immediately. Please note that this has been escalated and all respective divisions are working to ensure this does not occur again.

I apologize for your inconvenience and your alarm. This is not the experience we desire for you to have, and we hope that you allow us to renew our relationship with you.


I confirmed that the loophole had indeed been closed; clicking the link in my email no longer directed me to anyone's account. But I wasn't confident with the response, and so I replied asking them to delete my GHA loyalty programme account with immediate effect.

The following day I received a response to my original query, some three or four days after sending it.
It was identical to the stock response quoted above.

To this date I have not received a response that my request to delete my GHA account (and my personal data) has been actioned (my account is still active and I can log into it); nor have I received a response from Head Office, whose email I got from the GHA Privacy Policy which begins "Your privacy is very important to us" and encourages "For any requests with respect to your data or this privacy policy, please contact: Global Hotel Alliance, 28, Boulevard du Pont-d'Arve, CH 1205 Geneva, Tel. +41 22 5964462, Fax: +41 22 5964469, e-mail: admin.corporate@gha.com"

Sorry, I find it extremely hard to believe that members' "privacy is very important" to GHA when Head Office fails to respond to or even acknowledge reports of serious privacy breaches, and requests to delete my account and the personal data held within fall completely by the wayside.

I am left with no faith in the GHA program's ability to keep my data safe nor in its terrible customer relations, the likes of which I do not expect from a loyalty programme for luxury hotels.

They have lost a customer for life as a result.

If you are a GHA loyalty programme member, or are considering becoming one, I trust you have found this enlightening.
__________________
Owner, travelforum.org
My latest travels: Shikoku Pilgrimage

Last edited by steveadmin; 24th November 2010 at 05:57 AM.
  #2 (permalink)  
24th November 2010, 11:26 PM
steveadmin (Administrator)
Join Date: Oct 2009
Location: Bath UK
Posts: 858

Update:

Six days after my initial request, my GHA account has now been "inactivated". Presumably this is different to my request of "deletion".

Thank you for your email. Your feedback is appreciated. I apologize for the delay in responding to your email. We have had an unprecedented response to our recent newsletter. I have inactivated your GHA Discovery account. I have also forwarded your feedback to our main office. We are very saddened to see you leave the GHA Discovery program. Please let us know if there is anything we can do to assist you.

It will be interesting to see if the main office can be bothered to get in touch.
__________________
Owner, travelforum.org
My latest travels: Shikoku Pilgrimage
All times are GMT.