Following the discovery and public announcement of a massive data breach at Marriott's Starwood-branded hotels that compromised sensitive personal information—including some passport numbers, of hundreds of millions of guests—Marriott International announced the company will pay for passport replacements if it finds customers have been victims of fraud, according to The Washington Post.
The breach, which spanned more than four years and affected an estimated 500 million guests, encompassed a wide range of personal information that hackers accessed through the reservation system of Marriott’s subsidiary, Starwood. The primary customer information accessed by hackers included gender, birth dates, email and mailing addresses, and phone numbers. Payment information may have been accessed.
Marriott said the hackers also accessed passport numbers for a “smaller subset of customers."
While the State Department said that its records and systems were not connected to Marriott’s and that a fake passport could not be created with a passport number alone, many experts and government officials have expressed concern that the passport numbers, combined with the other personal data compromised by the hack, could pose serious risks of identity theft and may even threaten national security.
According to The Washington Post report, on Sunday, December 2, Senate Minority Leader Charles E. Schumer (D-N.Y.) suggested that Marriott cover the $110 charge for customers requesting new passports after the breach. The article from The Washington Post noted that Marriott believes the chance of hackers using passport numbers “is very low." A Marriott spokesperson elaborated on this in a statement to Meetings Today.
"As it relates to passports and potential fraud, we are setting up a process to work with our guests who believe that they have experienced fraud as a result of their passports being involved in this incident," a Marriott International spokesperson wrote via email. "If, through that process, we determine that fraud has taken place, then the company will reimburse guests for the costs associated with getting a new passport."
The State Department posted the following update on its website about the Marriott data breach:
"We do not recommend reporting your U.S. passport lost or stolen if your passport number was compromised," the State Department notice, dated December 3, 2018, said. "You should only report your U.S. passport lost or stolen if the original, physical version of the passport book or passport card has been lost or stolen."
More information from the State Department on reporting U.S. passport or visa fraud is available here.
The Identity Theft Resource Center recommends contacting the National Passport Information Center at 1-877-487-2778 or NPIC@state.gov for more information about the steps that can be taken if you are concerned your passport number may be used by someone other than you.
Clarification From a State Department Official on Passport Security and the Marriott Data Breach
Meetings Today contacted the State Department for clarification on identifying and reporting passport fraud. Following is the response received by Meetings Today from a State Department official, in its entirety.
"We refer you to Marriott for specific questions regarding the data breach. With respect to U.S. passports, we would like to assure U.S. citizens that the U.S. passport book and passport card are highly secure documents with numerous security features designed to prevent successful counterfeiting.
"We are aware that some individuals’ passport numbers may have been disclosed, but would like to emphasize that none of the U.S. Department of State’s records or IT systems connect to Marriott’s records or systems. No one can access the Department’s records or obtain copies of a U.S. citizen’s records by using a passport number.
"Furthermore, no one can travel internationally using only a U.S. passport number. Travelers must present an original, physical version of a U.S. passport book or U.S. passport card upon entering a foreign country and when returning to the United States from a foreign country.
"We do not recommend reporting your U.S. passport lost or stolen if your passport number was compromised. You should only report it lost or stolen if the original, physical version of the passport book or passport card has been lost or stolen. We take this issue seriously, and are in contact with Marriott regarding this matter."
Investigations Opened Into Marriott Data Breach
Hackers accessed the reservation system of Starwood hotels, including brands like Sheraton, St. Regis and Westin, sometime in 2014. The breach went undetected during Marriott’s acquisition of Starwood in 2016 and wasn’t discovered until early September 2018. After Marriott announced the hacking attack Friday, November 30, 2018, the hotel giant was deluged with criticism about its security practices, and bombarded with questions about what it was doing to protect its customers.
According to The Washington Post report, New York Attorney General Barbara Underwood, Maryland Attorney General Brian Frosh and Pennsylvania Attorney General Josh Shapiro all said their offices had opened investigations into the Marriott breach. Other government officials have also commented.
“Checking in to a hotel should not mean checking out of privacy and security protections,” Sen. Edward J. Markey (D-Mass.), a member of the Commerce, Science and Transportation Committee, said Friday, November 30.
“Preventing massive data breaches isn’t just about protecting privacy, it’s also about protecting our pocketbooks,” he added. “Breaches like this can lead to identity theft and crippling financial fraud. They are a black cloud hanging over the United States’ bright economic horizon.”
Class Action Lawsuit Filed Against Marriott Over Data Breach
The law firm Murphy, Falcon & Murphy, along with co-counsel Morgan & Morgan, announced it had filed a class action lawsuit against Marriott International on Friday, November 30, 2018, "on behalf of over 500 million customers whose personal information ... [was] stolen." A press release issued by the law firm also called out Marriott’s failure to ensure the integrity of its servers and safeguard customers' personal information.
Since the public announcement of the data breach on November 30, Marriott has set up a website and call center to answer questions at info.starwood.com, and said it is emailing affected guests on a rolling basis.
Marriott is based in Bethesda, Maryland, and has more than 6,700 properties around the world.
Related Reading on Cybersecurity From Meetings Today: