This story was first published in August 2005
A circulating message claims that sensitive personal information such as credit card numbers is routinely encoded on electronic hotel key cards and that this represents a security risk to hotel guests.
The claims in the warning are untrue. Modern hotels do not include any sensitive personal information on key cards. Hotel key cards do not increase our risk of becoming victims of identity theft.
Subject: Fw: Important Info – Hotel Keys
This is a fact. Not just useless internet information.
Hotel/Motel Keys
Remember this for the future:
You know how when you check out of a hotel that uses the credit-card-type room key, the clerk often will ask if you have your key(s) to turn in…or there is a box or slot on the Reception counter in which to put them? It’s good for the hotel because they save money by re-using those cards. But, it’s not good for you, as revealed below.
From the Colorado Bureau of Investigation:
“Southern California law enforcement professionals assigned to detect new threats to personal security issues, recently discovered what type of information is embedded in the credit card type hotel room keys used throughout the industry.
Although room keys differ from hotel to hotel, a key obtained from the “Double Tree” chain that was being used for a regional Identity Theft Presentation was found to contain the following information:
a. Customer’s (your) name
b. Customer’s partial home address
c. Hotel room number
d. Check in date and check out date
e. Customer’s (your) credit card number and expiration date!
When you turn them in to the front desk your personal information is there for any employee to access by simply scanning the card in the hotel scanner. An employee can take a handful of cards home and using a scanning device, access the information onto a laptop computer and go shopping at your expense.
Simply put, hotels do not erase the information on these cards until an employee re-issues the card to the next hotel guest. At that time, the new guest’s information is electronically “overwritten” on the card and the previous guest’s information is erased in the overwriting process. But until the card is rewritten for the next guest, it usually is kept in a drawer at the front desk with YOUR INFORMATION ON IT!!!!
The bottom line is: Keep the cards, take them home with you, or destroy them. NEVER leave them behind in the room or room wastebasket, and NEVER turn them in to the front desk when you check out of a room. They will not charge you for the card (it’s illegal) and you’ll be sure you are not leaving a lot of valuable personal information on it that could be easily lifted off with any simple scanning device card reader. For the same reason, if you arrive at the airport and discover you still have the card key in your pocket, do not toss it in an airport trash basket. Take it home and destroy it by cutting it up, especially through the electronic information strip!
Information courtesy of: Sergeant K. Jorge,
This warning message has been circulating continuously via email and social media since at least 2005. Although it may sound plausible, the information in the message is inaccurate and misleading.
In years past, existing software would prompt the user (employee) for information input. If the employee was unaware of hotel policy dictating that such information NOT be entered, it could have ended up on the card in error.
Modern hotels do not include any sensitive personal information on key cards. Early versions of the software used to process the cards may have given operators an option to add information such as credit card numbers to the cards. However, even then, it was not common practice to include such information on key cards, although it is possible that hotel staff may have sometimes added the information in error. In any case, the software now used for hotel key card systems does not allow personal information to be encoded on the cards, even in error.
In a 2003 article that was available at the time on Bend.com, the officer named in the email forward, Detective Sergeant Jorge of the Pasadena Police Department, was quoted as explaining:
The email began circulating back in 2003, after Detective Jorge learned about an investigation by a group of fraud detectives in California. Unfortunately, news of the potential security threat began to spread rapidly before investigations into the matter were concluded. Information on the Pasadena Police Department website notes that:
As the investigation into this potential fraud risk continued, this information was shared with other members of the Pasadena Police Department and personnel chose to share this information with others before we could correctly evaluate the risk. This has caused a chain reaction of probably thousands of people being given this information before the risk was evaluated thoroughly.
An April 2004 Omaha News article also maintains that sensitive personal information is never included on hotel key cards. The article explains that, while other types of key cards may store information on three separate tracks, hotel key cards typically only use one track. In the article, deputy director of government affairs for the Ohio Hotel and Lodging Association, Barton H. Hacker, further debunks the warning:
“The software product that has been given to the hotel community actually prevents the use of the first two tracks on the magnetic strip,” Hacker said. “So the guests are not in fear at all of having any personal information on those cards whatsoever.”
Given that identity theft is one of the fastest growing types of criminal activity, we certainly need to be aware of potential threats to our privacy. However, the warning in this email forward is unwarranted. Hotel key cards do not increase our risk of becoming victims of identity theft. In fact, hotel key cards are more likely to enhance our privacy because they are more secure than traditional hotel room access systems. An article discussing the superiority of electronic key cards over traditional key systems on the Dayton Business Journal website notes that:
A whole new key, with a different code, is created for each room with every change of guest. The codes from the previous use are wiped out by the computer and replaced with a new pattern that is also sent electronically to the room lock. The key cards are anonymous and easily changed, making it nearly impossible for a would-be burglar to pick up a card and break into a room.
Thus, the information in this warning message is invalid and should not be forwarded. If you receive this email, please let the sender know that the information it contains is untrue.