On June 29, 2015, I received email from Travelocity thanking me for creating an account. I did no such thing—or, wait, did I have an account already? Sure enough, I set up one in 2006, according to my archived emails. Why this notification now? I wrongly assumed the thank-you message was a mistake, or even a marketing ploy, to get me to sign into the account. But who remembers a password from 9 years ago? So I clicked the forgot password link and had a new one sent.
I wouldn’t understand until later that someone in Florida created a new account using my email address. But Travelocity never sent confirmation to verify that the email address was valid or belonged to the person who signed up for the service. As such, by resetting the password, I had access to someone else’s account, which, fortunately, contained no personal information (like credit card numbers). But I didn’t understand this circumstance until later, when, in a routine check of my online accounts. I discovered an itinerary for a hotel stay that had just passed.
I called Travelocity demanding that the the email problem be fixed. The rep removed the itinerary from what was my account by possession. Fast-fowrad about a month, we come to today, when a password reset message popped into my inbox. Logging in to investigate and discovered a new itinerary, for another hotel stay; one night, starting today. A confirmation email arrived while I investigated, about 20 minutes after the password change email, at 11:54 a.m. PDT.
Don’t you wonder about these things? Is it an illicit trist between lovers? These are one-night stays, and using a stranger’s email address is one way to keep the transaction from someone with whom you share computer, online account, household, or all three. If the point of using Travelocity id booking online, then no information in the account is suspicious, too.
Oh, there are so many intriguing possibilities. Because these are infrequent one-night stays at a hotel near an airport, maybe the guy is a transport pilot or flight attendant who makes irregular but overnight layovers.
I could cancel the account but don’t see the option obviously apparent anywhere on the website or in the help section; that wouldn’t be my preference, regardless. Can you imagine upending someone’s trip like that? That’s not nice. I tried phoning anew, only to find myself in an hour-plus queue, if willing to wait. I wasn’t. My understanding when this thing was supposedly resolved last month: Travelocity would contact the customer using my email address and change it. The rep refused to provide me with information about the reservation or the person making itto protect his privacy. How about showing some respect for mine, eh?
I had errands to run and returned this afternoon with intention of contacting Travelocity. I await a call-back, which could take 45 minutes. The simplest solution is to cancel the account without explanation. Because if I try to do the right thing again, Travelocity presumably will refuse, by protecting the paying customer.
But the exercise is good opportunity to test the company’s privacy and security protections. That I received no message confirming the account email address at the start of the process illuminates a flawed security and privacy protocols. If I try to cancel the account, and Travelocity allows it without my giving up identifying information, a hum, concerns about privacy and security are even greater. Ultimately, I am reluctant to cancel, since technically the account belongs to someone else. Right?
A few hours after posting, I finally spoke with two very perplexed Travelocity reps, one a supervisor. They couldn’t quite grasp, without repeated explanation, what was the problem. I said: Someone used my email address to create an account and to make reservations. They heard: Someone had accessed my “permanent account” to make reservations. I decided to be straightforward about the problem.
I suggested two options: Cancel the account, or use the phone number (not mine) listed on the account to contact the guy in Florida and offer him opportunity to change the email address. If the other person refused, cancel the account. Ho Ho, while writing the last sentence and waiting on hold with Travelocity, I received an email confirming cancellation of the reservation. I didn’t ask for that!
So the supervisor and I just spoke again. I made clear my first preference was for her to contact the other party to change the email address. Instead, the super cancelled the entire account! Yikes! I protested, and she responded: “But the owner of the account is you”. The policy is the account belongs to the email address holder. That the other party made two reservations using my email address constitutes fraud, she claimed.
Both reservations were made by telephone, and I can’t help but wonder if this all isn’t some innocent mistake. The other person does have last name Wilcox but very different first name. (Please don’t be blood relation!) I hope couple has a good night’s sleep because waking up and checking out in the morning could be burdensome. They have my apologies. This isn’t the outcome I sought.
For sure, though, I don’t trust Travelocity. The recounted interaction is reason enough, but here is another:. I asserted being the email address’ owner, which is truthful, but neither rep confirmed this. My phone number and the one on the account are different. Shouldn’t that bother someone? I would expect at least one of two easy confirmations: Send a text message (which I could’t receive), or an email. Neither rep did either.
Sure, I had information about the reservations and generally seemed aware of the account activity. But any hacker with good social engineering skills could have gotten as far. Who knows what mischief he or she could create.
Photo Credit: Leigh Caldwell