Now I pose the question in the title asking, "Are Awards Accounts Secure?" This question stems from a problem I had last night with my Marriott award account. If you recall, my first stay with Marriott while in France on business, there was an issue with someone else's reservation linked to my account. At the time additional security was added to my account for call in.
Fast forward to last night when I looked at my phone and received a notification to review my stay in California. Opening my app, the fear that once again my Marriott account had someones reservation attached, was soon confirmed. A stay was currently happening with a completely different person than before.
Calling Marriott and working with a few different agents came to one conclusion, a private travel agency or business was attaching my awards number to random bookings. We are unsure why, or where they even got my number from, but there is little Marriott can do about this. They are investigating further on their end, but it seems to be an issue out of Marriott's control.
Now let me be clear, my account has not been compromised. I use very strong passwords and change them every time a breach happens that may have compromised my account. Calling in now has an additional level of security as well. So this is not an issue on my end. This does show a fundamental flaw in how rewards are handled. Since a rewards number can be added to any stay without any verification, then your rewards account can be attached to anything they use it on. To be fair, this is not solely a Marriott issue, it's industry wide.
Where the real issue comes in here is looking at my account. This person stayed under their real name presumably, I now know that information. Also, I now have their email address and even as far as the credit card processor and last 4 digits of their credit card number. Outside of that is the fact that I know where they are staying too. all of this adds up to what could be a serious issue.
I will not pretend I have the answer to this issue, but adding a pin, or a password may be helpful. Then again, that limits convenience and we are a society that dislikes inconvenience.