Hilton Shares Your Online Password with Every Customer Service Rep in the Company
I have been a loyal Hilton customer for years and will always choose them over any other hotel chain if possible. I have spent hundreds of nights in Hilton hotels over the years.
Today I had an issue with points not accruing correctly on my Hilton HHonors loyalty account. When I connected with the representative over the phone, they asked me to provide my account number and PIN number. I did not know my PIN number – it turns out that this is a randomly generated number that can’t be changed. The next piece of identifying information that they asked for was the password I use to log into my account.
Wait – WHAT?! The password I use to log into my account?! I wanted to be sure I was hearing them correctly. Yes, it was true. My password was there in plain text on the screen in front of the representative. The password I use to log into my Hilton HHonors account can be seen by every customer service representative in the company. They can technically write down my password, go home, and log in as if they were me, granting them access to my saved credit card and other personal information that is associated with my account.
This seemed very suspicious. What company in their right mind would allow customer representatives access to user passwords? I hung up and called back to get a different representative to be sure that this wasn’t a fraudulent question. The next representative confirmed that asking for the user’s password was in fact standard practice.
Lucky for me, I work in the computer industry and have an understanding of security practices. I don’t use the same password for multiple online accounts and was able to recognize an unsafe security practice. However, I am sure many people use the same password for their Hilton HHonors account and their bank account. A company should NEVER ask for a user’s password, for account verification or any other purpose.
In addition to credit card information, a Hilton HHonors account contains your name, address, phone number, email, and answers to security questions, which are similar to those asked on other sites. This is basically everything you would need for a good start in identity theft.
To make things worse, Hilton HHonors wouldn’t allow me to delete my credit card information from the site – at least one card must be left on file, and entering a fake card produced an error.
I filed a complaint with the “manager” who could not give me a next step or timeline for the response. I have already reached gold level in 2013 and would hate to switch to a different hotel chain after all of these years and many great experiences with Hilton. However, sharing my password with anyone is a deal breaker.
I will continue to pursue this issue and report back here. Please share this story so that other people know that their personal information is compromised by Hilton.