In the wake of a colossal data breach that compromised sensitive personal information, including some passport numbers, of hundreds of millions of guests, Marriott International has agreed to pay for passport replacements if the company finds that customers have been victims of fraud.
The breach, which took place over four years and affected 500 million customers, was unique not only for its scope but for the bevy of personal information hackers accessed through the reservation system of Marriott subsidiary Starwood: gender, birth dates, email and mailing addresses, and phone numbers. The hackers also accessed passport numbers for a “smaller subset of customers,” Marriott said.
While the State Department has said that its records and systems were not connected to Marriott’s and that a fake passport could not be created with a passport number alone, many experts and government officials have expressed concern that the passport numbers, in concert with the other personal data compromised by the hack, could pose serious risks of identity theft — and be a threat to national security.
On Sunday, Senate Minority Leader Charles E. Schumer (D-N.Y.) suggested that Marriott cover the $110 charge for customers requesting new passports after the breach. While Marriott believes the chance of hackers using passport numbers “is very low,” spokeswoman Connie Kim said in an email to The Washington Post, the hotel giant is willing to foot the bill in cases the company deems necessary.
“We are setting up a process to work with our guests who believe that they have experienced fraud as a result of their passports being involved in this incident,” Kim said. “If, through that process, we determine that fraud has taken place, then the company will reimburse guests for the costs associated with getting a new passport.”
Hackers accessed the reservation system of Starwood hotels — whose brands include Sheraton, St. Regis and Westin — in 2014. The breach went undetected during Marriott’s acquisition of Starwood in 2016 and wasn’t discovered until early September of this year. After Marriott announced the hacking attack Friday, the hotel giant was deluged with criticism about its security practices and with questions about what it was doing to protect its customers.
New York Attorney General Barbara Underwood, Maryland Attorney General Brian Frosh and Pennsylvania Attorney General Josh Shapiro all said their offices had opened investigations into the Marriott breach. For many other government officials, the breach has become a rallying cry for stricter consumer privacy regulation.
“Checking in to a hotel should not mean checking out of privacy and security protections,” Sen. Edward J. Markey (D-Mass.), a member of the Senate Commerce, Science and Transportation Committee, said Friday. “Preventing massive data breaches isn’t just about protecting privacy, it’s also about protecting our pocketbooks. Breaches like this can lead to identity theft and crippling financial fraud. They are a black cloud hanging over the United States’ bright economic horizon.”
Marriott has set up a website and call center to answer questions at info.starwood.com, and said it is emailing affected guests on a rolling basis. The company is based in Bethesda, Md., and has more than 6,700 properties around the world.