[BreachExchange] Marriott will pay for new passports after data breach 'if fraud has taken place'

Destry Winant destry at riskbasedsecurity.com
Tue Dec 4 23:43:43 EST 2018


https://www.dailyherald.com/business/20181204/marriott-will-pay-for-new-passports-after-data-breach-if-fraud-has-taken-place

Following a colossal data breach that compromised sensitive personal
information, including some passport numbers, of hundreds of millions
of guests, Marriott International has agreed to pay for passport
replacements if the company finds customers have been victims of
fraud.

The breach, which took place over four years and affected 500 million
guests, was unique not only for its scope but for the bevy of personal
information hackers accessed through the reservation system of
Marriott's subsidiary, Starwood: gender, birth dates, email and
mailing addresses and phone numbers. The hackers also accessed
passport numbers for a "smaller subset of customers," Marriott said.

While the State Department has said that its records and systems were
not connected to Marriott's and that a fake passport could not be
created with a passport number alone, many experts and government
officials have expressed concern that the passport numbers, in concert
with the other personal data compromised by the hack, could pose
serious risks of identity theft -- and be a threat to national
security.

On Sunday, Senate Minority Leader Chuck Schumer, D-N.Y., suggested that
Marriott cover the $110 charge for customers requesting new passports
after the breach. While Marriott believes the chance of hackers using
passport numbers "is very low," spokeswoman Connie Kim said in an
email to The Post, the hotel giant is willing to foot the bill in
cases the company deems necessary.

"We are setting up a process to work with our guests who believe that
they have experienced fraud as a result of their passports being
involved in this incident," Kim said. "If, through that process, we
determine that fraud has taken place, then the company will reimburse
guests for the costs associated with getting a new passport."

Hackers accessed the reservation system of Starwood hotels -- which
includes brands like Sheraton, St. Regis and Westin -- sometime in
2014. The breach went undetected during Marriott's acquisition of
Starwood in 2016 and wasn't discovered until early September of this
year. After Marriott announced the hacking attack Friday, the hotel
giant was deluged with criticism about its security practices, and
with questions about what it was doing to protect its customers.

New York Attorney General Barbara Underwood, Maryland Attorney General
Brian Frosh and Pennsylvania Attorney General Josh Shapiro all said
their offices had opened investigations into the Marriott breach. And
for many other government officials, the breach has become a rallying
cry for arguing for stricter consumer privacy regulation.

"Checking in to a hotel should not mean checking out of privacy and
security protections," Sen. Ed Markey, D-Mass., a member of the
Commerce, Science and Transportation Committee, said Friday.
"Preventing massive data breaches isn't just about protecting privacy,
it's also about protecting our pocketbooks. Breaches like this can
lead to identity theft and crippling financial fraud. They are a black
cloud hanging over the United States' bright economic horizon."

Marriott has set up a website and call center to answer questions at
info.starwood.com, and said it is emailing affected guests on a
rolling basis. The company is based in Bethesda, Md., and has more
than 6,700 properties around the world.

