Data Loss Prevention (DLP) , Fraud Management & Cybercrime , Governance & Risk Management

After Mega-Breach, Marriott May Pay for New Passports

But Victims Must Prove Fraud for Hotel Giant to Cover Cost of New Passport
After Mega-Breach, Marriott May Pay for New Passports

Marriott International says some data breach victims may be able to claim reimbursement for a new passport if they experience fraud, the Washington Post reports.

See Also: Gartner Guide for Digital Forensics and Incident Response

A company spokeswoman tells the Post that if "we determine that fraud has taken place, then the company will reimburse guests for the costs associated with getting a new passport."

Marriott's announcement came shortly after Sen. Charles E. Schumer, D-N.Y., suggested the hotel chain should cover the $110 that it would cost breach victims to obtain a new U.S. passport. But it falls short of Schumer's demand that the company cover passport-replacement costs for any victim who requests it.

Massive Breach

Marriott's massive data breach, which exposed up to 500 million accounts for customers of its Starwood line of hotels, has been one of the biggest breaches to come to light this year. The breach has prompted a renewed focus on whether organizations are doing enough to protect consumer data and whether the penalties for failing to do so are sufficient (see: Marriott's Mega-Breach: Many Concerns, But Few Answers).

Attackers gained access to Starwood's guest reservation data from 2014 until early September, Marriott reports. Along the way, Marriott International acquired Starwood Hotels & Resorts Worldwide - which includes brands such as W, Sheraton and Westin - for $13 billion in September 2016.

Of the up to 500 million Starwood accounts exposed by the breach, for about 327 million accounts, the data exposure included a combination of name, postal address, phone number, email address, passport number, birth date and travel data. Also exposed for some of those breach victims were payment card numbers and expiration dates, although the card numbers were encrypted. Marriott, however, said it was unsure if attackers also accessed the data they would need to decrypt the card numbers.

For the remaining 173 million accounts, exposed information included a customers' name and sometimes other data such as mailing address, email address or other information, Marriott says.

State Department Weighs In

The proliferation of data breaches has posed a huge problem for consumers because often, the stolen data - such as Social Security numbers, passport numbers and driver's license numbers - rarely gets changed.

The Social Security Administration will replace numbers in certain circumstances, such as if someone is a victim of identity theft or harassment. But anyone who wants to get a new Social Security number must provide a statement describing their reasons, together with "credible, third-party evidence," the agency says on its website.

U.S. passports for adults are valid for 10 years. When the passport gets renewed, the passport number gets changed.

The State Department says in a statement on its website that "U.S. passport book and passport card are highly secure documents with numerous security features designed to prevent successful counterfeiting."

A passport number alone isn't enough for someone to gain entry into another country without a physical document, the department says.

The State Department also notes that none of its records or IT systems are connected to those of Marriott. "No one can access our records or obtain copies of a U.S. citizen's records by using a passport number," it says.

Reimbursing Victims' Costs

Marriott's offer to pay for replacement passports of those who have experienced fraud is an interesting twist on the standard offer of prepaid credit monitoring services.

Many breached organizations now offer prepaid subscriptions for services that monitor for potential identity theft and related fraud. While that is helpful, it's a defensive move, rather than being a pre-emptive one.

Organizations typically have not offered to cover the cost of replacing documents that were compromised by breaches. But in some cases, such as the Target breach, financial institutions that have been forced to reissue payment cards have been able to recover some of their expenses.

In the case of Marriott's breach, it's unlikely that all 327 million accounts for which a passport number may have been exposed actually had one on file. Even so, passport-replacement costs could still represent an enormous hit to Marriott if many of its customers claim that they've experienced fraud linked to the leak of passport numbers.

One unanswered question remains what kind of documentation Marriott might require of victims who claim that the leak of their passport number resulted in fraud. Marriott officials didn't immediately respond to a request for comment.


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.