Marriott Failed to Encrypt More Than 5 Million Passport Numbers Taken in Hack

Jan 4, 2019


Marriott executives said on Friday that the hotel chain’s massive four-year breach of its Starwood reservation database did not affect as many customers as it had originally thought. The world’s largest hotel chain lowered its estimate of customers with personal information stolen to about 383 million, down from 500 million.

But just as noteworthy was Marriott’s disclosure that more than 5 million of its customers’ passport numbers that were taken from its database had not been encrypted. Hackers took those passport numbers — along with approximately 20.3 million encrypted passport numbers — in a cyberattack that lasted from 2014 to 2018, which Marriott disclosed on Nov. 30, 2018.

“It’s not responsible to fail to encrypt information on passports,” cyber security expert Adam Levin told TPG. “Passport information is pretty sensitive. It’s pretty much like driver’s license information, and fake passports — that’s a big business.”

Passport numbers can be used in conjunction with other pieces of personal information to commit identity theft. They can also be used to track US citizens entering and exiting other nations.

“Even if it was 100,000 passports — that’s big — and we’re talking about 5 million,” Levin said, noting that Marriott didn’t take action in preventing information theft for its customers. “You’re not minimizing the risk of exposure of people who have voluntarily handed you information and trusted you with that information.”

Marriott has offered to reimburse travelers who have to pay the $110 fee to get new travel documents as a result of the breach.

The passport numbers, along with approximately 8.6 million encrypted payment cards, are believed to have been taken by Chinese hackers as part of a widespread effort that experts believe is on behalf of China’s Ministry of State Security, which is the nation’s spy agency.

China-backed hackers have also breached US health insurers and security clearance files to steal sensitive information from millions more Americans, the New York Times reported.

US President Donald Trump’s administration is reportedly planning to declassify intelligence documents that show that, beginning in 2014, China has been building “a database containing names of executives and American government officials with security clearances.” These accusations have striking similarities to the details of Marriott’s breach: It also began in 2014, and the hackers encrypted customers’ personal information, creating their own database of Starwood guests’ data.

Marriott said Friday that it has officially phased out any use of the Starwood database, and all reservations are now processed through the Marriott system.

But Levin says this type of breach could happen again, as hospitality point-of-sale systems are a prime target for sabotage by hackers. “An industry which knows it is a target hasn’t been protective of the kind of information that it has,” he says.

If your information has been taken in the Marriott breach, you can read here how to protect yourself.

Featured image by Miguel Candela/SOPA Images/LightRocket via Getty Images.
