Online data breach at Victoria’s Willow Stream Spa

Willow Stream Spa at Fairmont Empress in Victoria has notified guests of a breach to its guest reservation database.

The Willow Stream Spa in Victoria says its guest reservation database has been accessed by an unauthorized third party.

In an email to clients Tuesday night, the spa says it identified the unauthorized access on March 18, and that the third party gained access using an employee's login credentials.

The business, located at the Fairmont Empress, says it is believed the activity started on or around Feb. 14, 2021.

The spa says the types of personal information impacted, though not necessarily present for every guest involved, include:

  • A combination of guest names, mailing address, telephone number, email address and day and month of birth only. 
  • Medical information (to the extent previously provided by clients for the purpose of administering professional spa services). 
  • Date of upcoming appointment (if applicable). 
  • Payment card numbers and payment card expiration dates (database did not include CVV / CID code on the back of the card) (payment information not accessible in general database; accessible only in instances of an active booking). 

The business says an investigation immediately began upon discovery of the breach, with heightened monitoring and resources to “inform and assist guests.”

Based on the investigation, the spa tells guests the incident only impacted the guest reservation database and, since that database is independent from other property systems and databases, “there is no reason to believe that other information related to hotel reservations and services, data related to ALL loyalty program or data from any other Willow Stream spa is at risk.”

The spa is also asking clients to be vigilant, as it has found that fraudsters have been sending phishing emails impersonating Willow Stream Spa.

“Willow Stream Spa will never request sensitive financial information from clients by email,” the guest letter said.

“You should only provide sensitive financial information over the phone if you have initiated the call to the Spa.”

Guests are advised to watch payment account statements and, if they believe they are the victim of identity theft or that their personal information is being misused, to call their local law enforcement.

The business has set up a dedicated line for guests with questions about this incident, at 250-995-3698 or 1-888-250-3698.

