After Mega-Breach, Marriott May Pay for New Passports
But Victims Must Prove Fraud for Hotel Giant to Cover Cost of New Passport
Marriott International says some data breach victims may be able to claim reimbursement for a new passport if they experience fraud, the Washington Post reports.
A company spokeswoman tells the Post that if "we determine that fraud has taken place, then the company will reimburse guests for the costs associated with getting a new passport."
Marriott's announcement came shortly after Sen. Charles E. Schumer, D-N.Y., suggested the hotel chain should cover the $110 that it would cost breach victims to obtain a new U.S. passport. But it falls short of Schumer's demand that the company cover passport-replacement costs for any victim who requests it.
The data breach at Marriott compromised millions of travelers' U.S. passport info.
A new passport costs $110.
Marriott must personally notify customers at greatest risk.
And Marriott should pay the costs of a new passport for victims who request it. https://t.co/TAUvgELObZ
— Chuck Schumer (@SenSchumer) December 3, 2018
Massive Breach
Marriott's massive data breach, which exposed up to 500 million accounts for customers of its Starwood line of hotels, has been one of the biggest breaches to come to light this year. The breach has prompted a renewed focus on whether organizations are doing enough to protect consumer data and whether the penalties for failing to do so are sufficient (see: Marriott's Mega-Breach: Many Concerns, But Few Answers).
Attackers gained access to Starwood's guest reservation data from 2014 until early September, Marriott reports. Along the way, Marriott International acquired Starwood Hotels & Resorts Worldwide - which includes brands such as W, Sheraton and Westin - for $13 billion in September 2016.
For about 327 million of the up to 500 million Starwood accounts exposed by the breach, the exposed data included a combination of name, postal address, phone number, email address, passport number, birth date and travel data. Also exposed for some of those breach victims were payment card numbers and expiration dates, although the card numbers were encrypted. Marriott, however, said it was unsure if attackers also accessed the data they would need to decrypt the card numbers.
For the remaining 173 million accounts, exposed information included a customer's name and sometimes other data such as mailing address, email address or other information, Marriott says.
State Department Weighs In
The proliferation of data breaches has posed a huge problem for consumers because the stolen data - such as Social Security numbers, passport numbers and driver's license numbers - rarely gets changed.
The Social Security Administration will replace numbers in certain circumstances, such as if someone is a victim of identity theft or harassment. But anyone who wants to get a new Social Security number must provide a statement describing their reasons, together with "credible, third-party evidence," the agency says on its website.
U.S. passports for adults are valid for 10 years. When the passport gets renewed, the passport number gets changed.
The State Department says in a statement on its website that "U.S. passport book and passport card are highly secure documents with numerous security features designed to prevent successful counterfeiting."
A passport number alone isn't enough for someone to gain entry into another country without a physical document, the department says.
The State Department also notes that none of its records or IT systems are connected to those of Marriott. "No one can access our records or obtain copies of a U.S. citizen's records by using a passport number," it says.
Reimbursing Victims' Costs
Marriott's offer to pay for replacement passports of those who have experienced fraud is an interesting twist on the standard offer of prepaid credit monitoring services.
Many breached organizations now offer prepaid subscriptions for services that monitor for potential identity theft and related fraud. While that is helpful, it's a defensive move rather than a pre-emptive one.
Organizations typically have not offered to cover the cost of replacing documents that were compromised by breaches. But in some cases, such as the Target breach, financial institutions that have been forced to reissue payment cards have been able to recover some of their expenses.
In the case of Marriott's breach, it's unlikely that all 327 million accounts for which a passport number may have been exposed actually had one on file. Even so, passport-replacement costs could still represent an enormous hit to Marriott if many of its customers claim that they've experienced fraud linked to the leak of passport numbers.
One question that remains unanswered is what kind of documentation Marriott might require of victims who claim that the leak of their passport number resulted in fraud. Marriott officials didn't immediately respond to a request for comment.