“Marriott must personally notify customers under the greatest security risk immediately and then foot the bill for those folks to acquire a new passport and number should they request it,” Schumer said in a statement Sunday. “Right now, the clock is ticking to minimize the risk customers face and one way to do this is to request a new passport and make it harder for thieves to paint that full identity picture.”
Marriott did not immediately respond to a request for comment as to whether it would be willing to pay for new passports. According to the State Department website, passport replacement fees are $110.
In the wake of the breach, the State Department said that its records and systems were not connected to Marriott’s and that a fake passport could not be created with a passport number alone. But as Schumer said, when used in concert with other personal information, they could present a serious risk to personal security.
“The experts will tell you, there is an art to identity theft and it lies in the ability to paint the most complete picture of the person whose information you’re looking to steal or sell,” Schumer said. “Unfortunately, for many travelers who have stayed in one of Marriott’s Starwood hotels, they’ve provided the company with an array of personal color — like their passport information — that thieves can now access to complete the canvass and assume or sell an identity.”
Hackers accessed the reservation system of Starwood hotels — which includes brands like Sheraton, St. Regis and Westin — sometime in 2014. The breach went undetected during Marriott’s acquisition of Starwood in 2016 and wasn’t discovered until early September of this year. In the years between, hackers encrypted and tried to remove information on 500 million customers. The breach is second in scale only to Yahoo’s 2013 and 2014 breaches, which impacted 3 billion accounts.
New York Attorney General Barbara Underwood, Maryland Attorney General Brian Frosh and Pennsylvania Attorney General Josh Shapiro all said their offices had opened investigations into the Marriott breach. And for many other government officials, the breach has become a rallying cry for arguing for stricter consumer privacy regulation.
“Checking in to a hotel should not mean checking out of privacy and security protections,” Sen. Edward J. Markey (D-Mass.), a member of the Commerce, Science and Transportation Committee said Friday. “Preventing massive data breaches isn’t just about protecting privacy, it’s also about protecting our pocketbooks. Breaches like this can lead to identity theft and crippling financial fraud. They are a black cloud hanging over the United States’ bright economic horizon.”
Marriott has set up a website and call center to answer questions at info.starwood.com, and said it is emailing affected guests on a rolling basis. The company is based in Bethesda, Md., and has more than 6,700 properties around the world.