Marriott Rewards email snafu, customers get test email in error

If you are a Marriott Rewards member, you may have received an email from them recently that didn't quite make sense. I got one; it looked something like this:
Subject:  "Don’t miss your free night from Marriott Rewards"
CUSTOMER_KEY : ######## (8 digit number that I have removed)
MR_NUMBER : ######### (9 digit number that I have removed)
MR_NUMBER_ENCRYPTED : (32 character value here also removed)
TEST Links
Hosted Email Link Using MR_NUMBER : With MR_NUMBER Link
Hosted Email Link with out MR_NUMBER : Without MR_NUMBER Link
Hosted Email Link with out Jennies Suggestion : With entrypted MR Number & Customer key
I inquired with Marriott about this and it was apparently an error.  Looks like they were testing some functionality but emails got sent to actual customers.  Here is their response email.
"Dear Valued Guest,

Yesterday morning, you received an email from Marriott in error. We were testing functionality to further enhance your online experience. During the testing process, a small number of emails erroneously deployed.

In the email, you may have noticed your name and a reference to your MR number. Rest assured, the information contained therein is private and no information specific to you or your account was shared with anyone else. To reiterate, this email was sent to you in error, but the contents of the message itself pertain only to you and your account.

Marriott is committed to your data security and the protection of your personal information. We apologize for any confusion our earlier email may have caused.

Best regards,
The Marriott Team"
What it doesn't say is whether this information in the email was "sensitive". Why would there be a field MR_NUMBER_ENCRYPTED? I followed a few of the URLs in the email, and information similar to the email content was there on an unprotected web page. Hmmm.
Kenneth M. Smith    CISSP CISA GCIH
Information Protection, Privacy, PCI Consulting
Phone: 978-595-1536 (1KEN)
Twitter: @ken5m1th
