I first heard alarming stories about hotel keycards over a decade ago, though I don’t think I’ve written about the issue recently, or outside the healthcare organization I then worked for: I only started to blog publicly some time after I started writing for ESET. (My earliest blog piece for ESET seems to have been published in February 2008, though I’d been writing other articles for them for a while.)
The story that circulated when I first heard it concerned chain messages claiming that you shouldn’t let hotels have your key card back because they store potentially sensitive personal information such as the customer’s name, partial home address and credit card information, as well as more obviously relevant information (room number, check-in date, check-out date). The suggestion is that your data might be leaked or stolen when you return the keycard before it is re-encoded for the next visitor.
The story seems to derive from a case investigated by Pasadena police in 2003, and on the basis of information that was not intended to be shared with the general public until its accuracy was verified and actually referred to a somewhat different issue of stolen keycards being re-used by criminals as cloned credit cards. In a subsequent retraction, the Pasadena police stated:
As of today, detectives have contacted several large hotels and computer companies using plastic card key technology and they assure us that personal information, especially credit card information, is not included on their key cards. The one incident referred to appears to be several years old, and with today’s newer technology, it would appear that no hotels engage in the practice of storing personal information on key cards. Please share this information with anyone who has a concern over the initial information send out to others as a precautionary measure.
The rumour was debunked by the ever-reliable Snopes site long ago, but I’m guessing from the fact that Vladislav Biryukov has just revisited the topic for Kaspersky suggests that the story is still circulating, though I can’t say I’ve seen it recently myself.