Disgruntled Marriott employee tried to sabotage my Bonvoy account
View this post on Hive: Disgruntled Marriott employee tried to sabotage my Bonvoy account
In March 2020, many Steem users, including @dhimmel, migrated to the Hive blockchain in response to the hostile takeover of Steem. Please use the Hive link when sharing this post and comment on the Hive version to get in touch.
Prelude: this post is not a criticism of Marriott or its Bonvoy loyalty program. While a single Marriott employee engaged in misconduct, other Marriott representatives responded diligently and resolved the issue with haste.
It was a regular Tuesday. I was at my office when I received the following email from Marriott Bonvoy (a hotel loyalty program):
Now I get emails like this somewhat frequently. But usually either I made a change, or a notification system had some sort of false positive and logging in confirms my details are correct.
However, this instance was different. I logged into my Bonvoy account and noticed my email had been changed. The letter "i" in my name had been changed to a "y", such that my email contained DANYEL rather than DANIEL. Upon further inspection, I noticed an off-by-one error for a single middle digit in my phone number.
Weird. I knew I didn't make these changes. I also knew this wasn't some sort of programmatic failure. As a computer scientist, I was confident that a computer program was not the source of the mistake here. Instead, these were intentional changes by a malicious actor who wanted the changes to be discreet and plausibly deniable (i.e. honest mistakes).
I immediately suspected a culprit. The previous evening I created a booking via the Marriott website. After booking I noticed I used the wrong credit card. I didn't see a way to change the credit card online.
So I called the Renaissance Pittsburgh Hotel and selected the reservations department. I explained to the male agent that I'd like to change the credit card on my reservation. He responded that the only way to change the payment method would be to cancel and rebook the reservation.
The booking was non-refundable, but could be canceled without charge within 24 hours.
My credit card had not been charged at this point, so I was surprised that the agent could not change the payment method. I told the agent to cancel the booking if that was necessary to change the card.
Then the agent asked what credit card I'd like to use to rebook. I told him that the price online was still the same and that I would just rebook online. This is when the call got weird. He seemed upset that I didn't want to book with him. He said things like, "why'd you call me if you don't want my help?" I explained that he did help by letting me know how to proceed and canceling the first reservation. I also explained that I prefer the online interface where I can take my time with the booking and get all the details correct. He kept insisting I book with him.
I was in disbelief that a customer service agent would be so insistent. After several minutes of him insisting I book with him and me explaining that my decision to book online was final, I told him goodbye. This call was bizarre enough that I immediately suspected this agent as the perpetrator regarding my account detail change.
I logged in (using my Bonvoy number and not email for username) and attempted to change my contact details back to correct values. At some point, I got the following screen instructing me to call Bonvoy support:
I was connected with a nice agent who listened to my story and my suspicion that these changes were a malicious retaliation by the employee I spoke with last night.
The agent helped me by setting a PIN code and security question for my account. Apparently, this activates an additional layer of security by requiring Marriott employees to enter the PIN or security question answer before being able to perform certain account operations. I created a random PIN and the following security question:
what value do you have for the security question in your password manager?
While the agent was setting PIN security, our phone call dropped. I called back and spoke to a different agent who confirmed the PIN security was active. She then transferred me to a more capable "elite" level representative named Suzanne.
Suzanne was very good. She comprehended the situation quickly. I explained that there's a low chance my account login was compromised (since I use a different random password for every tier-2 site, of course). She put me on hold to check with IT, and confirmed that the changes to my account details were not from an external login. In other words, this was an inside job.
I learned two other interesting snippets from our conversation:
- even though I called the Pittsburgh hotel, reservations are handled centrally, such that I was not speaking to someone in Pittsburgh.
- there are certain "stats" or incentives that may have motivated the employee to insist on performing the rebooking
Suzanne created an official case (number 216564772). Less than 24 hours later, I received an email from Jean of Marriott's Guest Experience Assistance Team.
The email confirmed that a Marriott agent had changed my email address without permission. Jean also mentioned that they were taking "precautions to eliminate this and similar issues from happening again with this agent." Finally, Jean had credited my Bonvoy account with 10,000 points. On my account, this showed up as a bonus for "service recovery - cec bill".
So all in all, quite a fascinating turn of events. I'm glad my account was not compromised by an external actor and the PIN security should help avoid a similar situation in the future.
I'd like to thank all the representatives from Marriott who investigated and resolved this issue so quickly. I was lucky in that I'm Gold Elite and that my Marriott account includes the "Dr." honorific, both of which may have helped with my complaint being taken seriously.