Another Marriott Breach, Ho Hum

By Robert McGarvey

In other news on March 31, Marriott disclosed what it called a “Property System Incident.”

We interrupt that to report a shoplifting at a dollar store, cutting now to the live police feed of this dramatic story.

You probably missed the Marriott news because it was an otherwise busy day with acres of – grim – Covid-19 reporting and with projected US death totals now reaching into six figures, shortages looming for ventilators, inexplicable mask shortages, and, well, who really had the bandwidth to process yet another report of a hotel data breach?

Not us.

Marriott doubtless hoped you would miss it because the company’s statement is calculatedly blah.  It says just about nothing and that’s tipped off by the word “incident” in the headline. Meaning absolutely nothing.

But the Marriott statement does note the personal info of about 5.2 million Marriott loyalty members apparently was compromised in the “incident.”  It elaborated:

“At this point, the company believes that the following information may have been involved for up to approximately 5.2 million guests, although not all of this information was present for every guest involved:

* contact details (e.g., name, mailing address, email address, and phone number)

* loyalty account information (e.g., account number and points balance, but not passwords)

* additional personal details (e.g., company, gender, and birthday day and month)

* partnerships and affiliations (e.g., linked airline loyalty programs and numbers)

* preferences (e.g., stay/room preferences and language preference).”

Marriott added: “Although Marriott’s investigation is ongoing, the company currently has no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”

The real take away from this: the continuing indifference of the hotel sector to protection of guest data. How many breaches have to occur – from Trump hotels to Starwood and Hilton and just about everybody else? How many stories have to be written? Somebody needs to say, this is a problem.  It needs to be fixed.

Actually we’ve been saying all for that for some years now and nothing has changed.

We need a new campaign.  Complaining about hotelier incompetence is not enough.

Real change will start with us. 

We share culpability. We put up with it.  For some time I have suggested that probably the only safe way to stay in a hotel is with a bogus travel credential (a novelty Irish driver’s license for instance) and using a credit card paired to the bogus ID. Then annually burn that identity and create a new one.

Shop for ID online. Here for instance.  Note: I am not suggesting using any such ID to drive a car or any similar activity – many of which might be illegal.  Rather, I am suggesting we take a trick from the oldime restaurant critic’s playbook – from the era where they practiced anonymity – when every big newspaper and magazine handed out credit cards in bogus names to their critics so they could make anonymous reservations. As long as the bills got paid, no harm done.

We’d be a lot safer in hotels if we did something similar today.

A lot of work? Yeah. But so is the persistent credit monitoring we all do because we have been involved in so many data breaches, many involving hotels and restaurants.

In Marriott’s defense this breach was detected quickly by hotel standards – often years go by. In this case, just months.

But worrisome is that two employee accounts were apparently the tools.  And that they were used to perpetrate large amounts of data exfiltration that should have been detected and stopped quickly.  Screens against substantial data exfiltration just are good practice in well run organizations.

Not apparently in Marriott.

So what should you do now?  Paul Bischoff, privacy advocate with Comparitech, said: “The biggest threat Marriott guests might face as a result of this breach is targeted phishing. Guests should be on the lookout for targeted messages from scammers posing as Marriott or a related company. Don’t click on links or attachments in unsolicited emails. Check email addresses and don’t just trust display names. If you’re uncertain as to whether a message is legitimate or not, ask Marriott using contact information found through Google.”

Remember that. If you are among the 5.2 million you will begin getting targeted phishing emails as soon as the data sells on the dark web. And it will go on for years.

That novelty driver’s license is making ever more sense? 

It’s up to us to protect ourselves.  It’s become that obvious.

When Will Business Travel Resume?

by Robert McGarvey

The Global Business Travel Association had to know so it popped the question we have all been pondering: when will we be back in full business travel mode?

The organization conducted a poll and it found – no surprise – that coronavirus had wiped out lots of business travel. One metric makes the impact clear: asked what percentage of trips that had been slated for March were cancelled, the answer was 89%.

41% said all business trips had been canceled. 53% said “essential” travel was still allowed.

Exactly 0 percent said their organization had not canceled or suspended business trips.

We are in a no travel mode and the question becomes, when will something approaching ordinary business travel levels resume?

GBTA asked exactly that question: “When do you expect your business travelers to resume regular travel to the countries or regions that have been canceled or suspended due to the Coronavirus? Do you expect travel to resume within the next. . . “

Understand, 40% said they were unsure.

0% said more than 12 monhs.

1% said 12 months.

The eye popper of a number is that 40% said within three months.

17% said within six months.

That makes 57%, a solid majority, who believe something approaching normalcy in business travel will resume by September.

What do you think?

Color me skeptical.

Here’s a metric on the impact of 9-11: “In August 2001, the month just prior to the attacks, U.S. airlines boarded 56.3 million passengers for domestic service, a number that plummeted to just 30 million in September. And for two anxious days after the attacks, the passenger count was zero. It would take three years for carriers to once again reach the 56 million mark.”

Many factors came into play in the aftermath of 9-11: real fear of flying coupled with an economic downturn but, in many respects, we have the same issues at work now. Some people are afraid to fly because of fear of catching coronavirus and then there is the near economic malaise that the nation is slumping into.

Airlines again are taking it on the chin in the coronavirus age. Best guesses are that they have years of pain in front of them.

Then there is the hotel question. How many will be closed? How many will be enlisted into service as homeless shelters? Perhaps as makeshift hospitals?

Some guesses are that half of all hotels in the US will close for some period due to coronavirus.

It will take some time to re-open as a hotel. Staff needs to be recruited. Trained. The big brands probably will navigate these issues with some skill. Many independents won’t. Many independents – which comprise 40% of the US hotel stock – probably will not reopen soon.

Meantime, other, transformational changes that are reshaping business travel are afoot. For instance: many of us – perforce – are discovering the ease and effectiveness of meetings via Zoom and similar tools.

Do a few Zoom meetings and you may not see the need for oldfashioned face to face. Will Zoom replace the traditional face to face sales call? Probably not. But similar tools will eliminate the need for many face to face meetings.

And the hustle and bustle of traditional events seems ever more dated to me. I do not expect a quick rebound in events business, mainly because so much of how we come together just is oldfashioned and no longer appropriate.

One GBTA question hints at the possibility of broad impacts: Do you think the coronavirus will change the way your company conducts business
once there is no more threat from the disease?

54% said yes. That’s the number to watch. There are many reasons for business travel to undergo a transformation and one factor is the generational shift of the travel burden from Baby Boomers to Millennials and it just is not clear that Millennials want to travel the way Boomers have.

Add it up and I am profoundly skeptical that business travel will rebound in three months. My guess is that we will see an uptick in the fall and probably spring 2021 is when we can begin to think something akin to “normalcy” has returned. That’s about a year from now.

And as for event design, watch for huge changes. It’s overdue. And now it will flourish. Be very skeptical about signing up for distant events – many just won’t be happening.

The era of business travel change is upon us. And that’s a good thing imo.

What do you think?

CU 2.0 Podcast Episode 84 Kevin Langford on Remote Workers and Cyber Insecurities in the Age of Coronavirus

Suddenly credit unions across the nation are ordering employees home, as part of the response to the coronavirus pandemic.  And that is triggering a tidal wave of worries about the possible cyber insecurities that will result as newly empowered employees log into the credit union networks.

Hitherto, at many credit unions, the workers who had home access to the network were mainly senior, experienced, and both well trained and well equipped.

Today’s newly drafted home workers often lack the right equipment and their training may have been brisk.

Global cyber criminals are said to be eyeing these workers the way a hungry lioness eyes a slow wildebeest in the Serengeti.

 That’s why you want to hear from Kevin Langford, chief information officer at $140 million Georgetown Kraft Credit Union in South Carolina.

Langford has trained many workers in the secrets of safe cyber work at home and here he tells what every credit union needs to be doing.

This topic is so big that next week we will post another podcast on the same theme with Shane Butcher, senior solutions and security architect at CUSO Ongoing Operations. 

You need to listen to both.  The risks are extraordinary today and here are solid suggestions for navigating turbulence securely.

The UPS scam info is here.

The dropped USB drive info is here.

Listen to this podcast here.  

Like what you are hearing? Find out how you can help sponsor this podcast here. Very affordable sponsorship packages are available. Email

Find out more about CU2.0 and the digital transformation of credit unions here. It’s a journey every credit union needs to take. Pronto

CU 2.0 Podcast Episode 83 Ron Shevlin, Again, on How to Win in Financial Services

Who will win: community banks or credit unions?

War on.

A keen observer is Ron Shevlin, diretor of research at Cornerstone Advisors and author of a new report, What’s Going on in Banking 2020.  It’s a data rich report. Download it, read it.

Shevlin was an early guest on the CU2.0 Podcast – Episode 21 – and he’s back in this wide ranging conversation about credit unions, technology, and ways to win.

For instance: can community banks regain a hold on retail banking, a niche they ceded to credit unions some years ago?

Can credit unions succeed at taking business banking from community banks?

A growing trend, per Shevlin, is that consumers have multiple checking account relationships that they seek to optimize – and a key is how easy it is to quickly move money around today.  What does your institution know about this?

A credit union failing is a persistent belief that “our success is our people,” said Shevlin.

Millennials are more focused on technology.

“It is not about people, it’s about meeting members’ needs,” said Shevlin.

He also gives a formula for succeeding in financial services today. It comes near the end of the podcast. Listen up.

There’s a reference to Bill Bynum, CEO of Hope Credit Union. Hear his podcast here.

Listen to the Shevlin 2 podcast here.

Like what you are hearing? Find out how you can help sponsor this podcast here. Very affordable sponsorship packages are available. Email

Find out more about CU2.0 and the digital transformation of credit unions here. It’s a journey every credit union needs to take. Pronto

CU 2.0 Podcast Episode 82 Jon Ogden MX on the Future of Banking

Does your credit union have a future?

There’s the blunt question.

Welcome to the CU2.0 Podcast with your host Robert McGarvey. Today’s guest Jon Ogden, head of strategic content at digital firm MX which has recently released two provocative reports, The Ultimate Guide to the Future of Banking and the Ultimate Guide to Digital Transformation.

Read them, they are free.

But know they may keep you up at night.

That’s because many, many institutions – thousands of credit union among them – just don’t get it. They cling to an analog, physical world where consumers – most of them and more daily – crave better digital experiences.

The MX reports – filled with consumer research – prove this.  Today 86% of us say our primary contacts with our FI are mobile and online. Just 14% say it’s via branch or ATM.

59% of us say we would take a loan from a tech company.

49% of us predict “far fewer branches.”

This is a fast ride through lots of numbers but the bracing take away from the numbers is that now is the time to transform – or perish.

In this podcast Ogden talks about work MX has done for credit union giant BECU.  Hear our podcast with retired CEO Gary Oakland.

Know that some of the opinions in the reports come from banking futurist Chris Skinner.  Hear our podcast with Skinner.

Listen here

Like what you are hearing? Find out how you can help sponsor this podcast here. Very affordable sponsorship packages are available. Email

Find out more about CU2.0 and the digital transformation of credit unions here. It’s a journey every credit union needs to take. Pronto

Stop Complaining About Covid-19!

By Robert McGarvey

It’s become a gripe fest.  People complain that they have to work at home, that the supermarket shelves are stripped of toilet paper, and – above all in the circles in which I move – we complain that business travel is basically on hold and just about every meeting and event has been cancelled.

That might seem fodder for lots of ranting from me in these columns. But, personally, I am struggling to stifle it.

Yes, I am impacted. Yes, trips have been canceled. Events have been canceled. Even a milestone college reunion of mine has been postponed.

Yes, the ineptitude inside the White House has made a fraught situation wretched – and it is hard to explain why there are nowhere near enough test kits, why the White House communications are packed with lies, and why six to eight weeks were lost due to incompetence at the top.

But here’s the deal: complaining would do no good.

And the cancellations and isolation that are our norms today are apparently doing some good.

The Skift headline frames the issue: No, It’s Not Fine to Keep Hosting Live Events. 

People have gotten sick with the coronavirus due to meeting attendance.  Proceeding with a meeting or event is foolhardy. That’s why so many have been canceled

Ditto business trips.

Sure, I get it, if the White House had not been inept we probably would have made much greater progress in taming this disease. But it wasn’t and so we use primitive but probably effective techniques such as social distancing and self quarantines and the impacts on life as we knew it have been profound.

But many have it a lot worse than we do.  I groan when I think of my canceled college reunion – I am Reunion Chair! – but then I think of the millions of college kids across the country who have in effect been evicted and told they are doing tele courses, like it or not.  Yes, I can see big lectures working fine as tele courses but many of my classes were small philosophy seminars with maybe a dozen students and lots of discussion and argument. How does that work now? And what about the social learning that makes college such a useful and perhaps distinctly American institution?

Then there are the impacts on the neediest. Andre House in Phoenix, which nightly feeds 500 or so homeless, has put its sitdown dinner on hold. Sacks of food will be distributed instead – but wouldn’t you much prefer a sit in a convivial atmosphere where volunteers treat you like you matter (and I have volunteered a number of times).  The homeless won’t starve. But they will be deprived those human moments that for many made dinner at Andre House special.

Now think of the many whose employment has been cancelled, or at least hours and income have been sharply reduced. Tens of thousands of restaurants are closed, or trying to make it on delivery only, and literally millions of employees and thousands of owners are scrambling to make it another week.

Think of the tens of thousands of flight attendants whose hours have been sharply reduced.

Or the hotel housekeeping staff who don’t have rooms to clean because there are no guests. Innumerable hotel workers face unpaid furloughs.

In China, it is difficult to see any recovery of the hotel business this year and maybe not next year.

Italy has major recovery struggles ahead.

Big questions loom. Will business travel ever return to its previous levels? Will events and meetings? Will flygskam rule?  Maybe our old habits will never resume.  

Etc. etc. and before we even get to the recovery phase we have to get out of the sickness and death phases and we have to be ready to mourn perhaps millions.

Easy it is to complain – and trust me I was annoyed when I saw shoppers last Saturday had stripped a central Phoenix Whole Foods bare of frozen pizza, dry pasta, and of course toilet paper, dish soap, and hand soaps.

But who to complain to?  

So many of us, in a panic mode, have slipped into a comfort zone where hoarding produces a kind of comfort and cursing out people who cancel our events seems normal.  It may not be rational but it is how we seem to think.

Do I want to look in a mirror and shout at myself?

No, that’s why I keep telling myself to stay cool.  It’s not easy. Not these days. But what better strategy do we have?

Can Your Employer Stop Your Travel Today?

by Robert McGarvey

The questions are tumbling in: Can my boss force me to travel in the age of coronavirus? And I have much more often heard the flipside: My employer has cancelled all employee travel but I want to go, in some cases to a conference, in the other on sales calls to a potential whale of a new customer – and how hard is that opportunity to ignore?

And if you go, you just may ride in a private plane!

Whoa, who saw this coming – but who saw the head of the Port Authority diagnosed with coronavirus?

First off: as for my plans I still have travel on my to-do list and I have no plans to cancel. But I have made no firm commitments to air, that is, I am hanging loose. My advice to all travelers is similar. Make bookings that can be cancelled easily, certainly that can be changed without fees (and many air carriers are offering that flexibility). Right now we are deep in the age of the unknowns so operate accordingly.

I will not tell you what to do however.

But can your employer? Should your employer? Should you listen?

Let’s tackle the easy question first. Probably an employer can in fact force an employee to travel, even in an era of coronavirus, but it would be unwise to force employees to go to, say, China or South Korea. Noted employment lawyer and Forbes contributor Tom Spiggle, “Employers need to think about how it will look when they are forcing employees to travel to countries that the Centers for Disease Control and Prevention (CDC) and the U.S. Department of State warn people not to travel to.”

China is effectively a no per the US Dept of State, and South Korea isn’t much better.

In the New York Post, employment columnist Greg Giangrande tackles the question, can an employer force an employee to go to Italy which by the way is singled out for a CDC Travel Health Notice which says avoid all non essential travel. Giangrande’s advice: “Even if the chances of contracting the virus are remote, given the current travel restrictions and government advisories, you have every right to decline and not suffer any recrimination as a result. “

But here’s the deal: I am actually hearing more from employees who want to travel than from those who don’t – and yet a growing number of cautious employers are banning employee travel, from 21st century behemoths such as Amazon to legacy employers such as Ford. Part of the logic is that a traveling employee could pick up the virus – then infect the workpace when he/she returns.

But that employee could pick up the virus in the supermarket, at a movie theater, in a shopping mall, at a house of worship – the list goes on and it’s not only in travel that our chances of exposure rise. Yes, we have greater risks in many foreign countries (here’s the CDC data, here’s WHO’s). But coronavirus definitely is spreading in the US.

What do you do if your employer says stay at home?

Face reality: such policies usually aren’t hard and fast. If you have a chance for a face to face with a heavy hitter in Italy, say, or New York – and you are comfortable with the risks (and have researched the facts) – my advice is go to your boss, lay out the case for going, offer up a fallback if in fact you get infected (“I’ll self quarantine and will work at home for as long as it takes” – or whatever prescription will work in your company) and very probably you will get an okay to go.

My experience with companies, Fortune 25 and 15 person businesses alike, is that there are rules and then there are the exceptions. If you want to be the exception, come up with the argument, state it succinctly and you just may get the green light.

Don’t ask to go to conferences – they are on just about every company’s don’t lists. But a good sales call, an intimate meeting with a small group of heavy hitters, a potential merger or acquisition target – those remain reasons travel will be approved.

And maybe make a grab for approval of travel by private plane. Am I nuts? Know that many, many executives are fleeing common carriers in an age of coronavirus and flying private because it’s perceived as the healthier way to fly. Rates are up, but what price health?

Merger Madness: Are credit union – bank mergers just plain wrong?

by Robert McGarvey

When a credit union buys a bank, has something terribly wrong happened?  Listen to bankers and you will think the answer is a loud yes.

Even some credit union veterans agree.

But it is the bankers who right now are creating the loudest noises.

Are they right? Why are these mergers occuring at all?

First off, some perspective. In 2019 there were exactly 16 credit union-bank mergers.  There were 271 bank-bank mergers.

And yet here is the Independent Community Bankers Association shouting that the Devil is at the door, or words to that frightened effect: “ICBA and the nation’s community banks are calling on Washington to stop pressing the snooze button and wake up to the risks of aggressive, growth-obsessed credit unions and the costs of their taxpayer-funded subsidies,” ICBA President and CEO Rebeca Romero Rainey said. “With credit unions abandoning their founding mission in the name of expansion and risky lending, it is long past time for Congress to level the playing field between community banks and credit unions while reining in the National Credit Union Administration’s expand-at-all-costs agenda.”

The ICBA also announced a Wake Up campaign to warn the public about the perceived dangers of the tax exempt status of credit unions.

And yet, in a conversation with Keith Leggett, longtime senior economist of the American Bankers Association, now retired but who still writes his Credit Union Watch column, Leggett told me that when a community bank does a deal with a credit union it is because the bank is out to get the best deal for its shareholders and when that is a credit union, so be it.

Continued at CUInsight

They Are Still Stealing Your Loyalty Miles and Points

By Robert McGarvey

Call it deja vu all over again: A March 2, 2020 Travel Weekly headline screams: “Latest targets of fraudsters are hotel and airline loyalty points.”

I first recall writing about this in 2014: The Hilton HHonors Hack: Loyalty Programs Under Siege and How to Protect Yourself.   

Again in 2015: United’s MileagePlus, American’s AAdvantage Loyalty Programs Have Been Hacked.

I wrote about it most recently a year and a half ago in this space: Do You Know Who’s Stealing Your Airline Miles?

You might think the bad news is that nothing has changed. You’d be wrong.  The worse news is that, yes, nothing has changed and cyber thieves – knowing we now have so many ways to accumulate miles and points – are more energetically emptying out our accounts because, apparently, neither hotels nor airlines have done much to batten those hatches and secure their loyalty program against pickpockets.

What’s the allure for crooks? As I wrote in the Hilton story six and one-half years ago: “Huge buckets of Hilton points – sometimes in the hundreds of thousands – have shown up in hacker bazaars, where one vendor, for instance, offered 250,000 points for $3.50. At the Hilton shopping mall, an Apple iPad Air 64G is yours for 489,000 points – so at that criminal exchange rate, maybe $7 (payable in Bitcoin) will grab it. There are other, reported cases where around $10 in Bitcoin bought enough points to claim over $1,000 in hotel room nights.”

What a deal.

The Loyalty Security Association meanwhile estimates that 1% of airline mile redemptions are fraudulent.

But that number may be growing, oddly in part because of a consumer friendly gesture on the part of carriers. Reported Travel Weekly, “Jeff Wixted, vice president of product management and operations for Accertify, an American Express subsidiary that provides fraud-prevention services, said loyalty fraud has especially accelerated in the past 15 to 18 months, with fraudsters buoyed recently by the growing trend among airlines to do away with point expirations.”

That of course meant there are more miles to steal from more inattentive consumers.

Wixted added that the value of US loyalty accounts is around $100 billion.

US consumers belong to some 3.8 billion loyalty programs, according to Clarus.  54% are inactive and those dormant accounts of course are prime for thievery.  If you haven’t checked your Delta account in years, would you even notice if miles had been pilfered?  Of course not.

I know I wouldn’t and, yes, over the years I’ve left multiple airline and hotel loyalty accounts go fallow and I have no idea if the zero balances I see are because the vendor wiped the account after X months of inactivity or if an enterprising thief hoovered them out.

Amex’s Wixted, by the way, predicted to Travel Weekly that the value of loyalty fraud will eventually eclipse the value of credit card fraud.

As for how criminals get our loyalty program details, the surest answer is the many breaches suffered by travel companies.  From Starwood to BA, there have been massive breaches involving hundreds of millions of us, probably billions of us all accounted.  

Experts warn that many of us also fall victim to phishing schemes – where we get a tasty offer from what appears to be a known travel provider, we respond with our program details and they are off to the races, while not only don’t we get the proferred deal, our loyalty balances are emptied out.

Criminals also are known to erect sham great deal pages where they harvest credit card and loyalty program info from bargain hunters who stumble in and can’t resist a prime New York hotel room at $49, for instance.

Know this: smart crooks increasingly are determined to rob our loyalty points and miles and they are succeeding at this larceny.

That does not mean the situation is hopeless.

Here’s our best defense: check loyalty programs regularly. My habitual practice was to review an account only when I wanted to cash in miles or points.

No more. Now I check the few accounts I  have decided to maintain – three airline programs, two hotels, one credit card – monthly. I do not rely on the hotels and airlines; their track records don’t breed confidence. So I provide my own vigilance.

Nope, I have detected no fraud.  

You might want to check more often, or maybe quarterly.  A right answer varies with how many miles and points are at stake.  And what those balances mean to you.

But accept this: in 2020, protection of our loyalty balances is on us.  

CU 2.0 Podcast Episode 81 Keith Leggett and Bank-Credit Union Mergers and Dancing with the Devil

by Robert McGarvey

When a credit union buys a community bank is that dancing with the devil?

Welcome to the CU2.0 podcast with your host Robert McGarvey. Today’s guest Keith Leggett, now retired Chief Economist with the American Bankers Association who still actively writes his blog, Credit Union Watch.

The topic of the talk: bank – credit union mergers.

Some banking experts are up in arms about these mergers.  Not Leggett.  He says community banks that are up for sale generally are looking for the best valuation and credit unions, in some cases, are exactly that as they seek to add new business capabilities – especially in business lending – and a fast route to that capability is buying the right community bank and retaining key staff.

On that note. listen to the CU 2.0 podcast with retired SECU CEO Jim Blaine, whose ideas are referenced by Leggett. We also discuss Maine Harvest, a new charter, and Leggett points to research on credit union bank mergers via Filene, also the St. Louis Fed.

Numbers to remember. In the past two years there have been around 400 bank – bank mergers. There have been around 20 bank – credit union deals.

Meantime, Leggett tempers his positive perspective on bank – credit union deals by saying there needs to be a two way street, that is, the regulator needs to lighten up about credit unions selling out to banks.

Why do bankers so often loudly scream about bank mergers with credit unions? A lot has to do with association politics, says Leggett, who adds that there’s always a stronger response when a wolf is said to be at the door.

Listen here

Like what you are hearing? Find out how you can help sponsor this podcast here. Very affordable sponsorship packages are available. Email

Find out more about CU2.0 and the digital transformation of credit unions here. It’s a journey every credit union needs to take. Pronto