Marriott Failed to Encrypt More Than 5 Million Passport Numbers Taken in Hack

Jan 4, 2019

This post contains references to products from one or more of our advertisers. We may receive compensation when you click on links to those products. Terms apply to the offers listed on this page. For an explanation of our Advertising Policy, visit this page.

Marriott executives said on Friday that the hotel chain’s massive four-year breach of its Starwood reservation database did not affect as many customers as it had originally thought. The world’s largest hotel chain lowered its estimate of customers with personal information stolen to about 383 million, down from 500 million.

But just as noteworthy was Marriott’s disclosure that more than 5 million of its customers’ passport numbers were taken from its database had not been encrypted. Hackers took those passport numbers — along with approximately 20.3 million encrypted passport numbers — in a cyberattack that lasted from 2014 to 2018, which Marriott disclosed on Nov. 30, 2018.

“It’s not responsible to fail to encrypt information on passports,” cyber security expert Adam Levin told TPG. “Passport information is pretty sensitive. It’s pretty much like driver’s license information, and fake passports — that’s a big business.”

Passport numbers can be used in conjunction with other pieces of personal information to commit identity theft. They can also be used to track US citizens entering and exiting other nations.

“Even if it was 100,000 passports — that’s big — and we’re talking about 5 million,” Levin said, noting that Marriott didn’t take action in preventing information theft for its customers. “You’re not minimizing the risk of exposure of people who have voluntarily handed you information and trusted you with that information.”

Marriott has offered to reimburse travelers who have to pay the $110 fee to get a new travel documents as a result of the breach.

The passport numbers, along with approximately 8.6 million encrypted payment cards, are believed to have been taken by Chinese hackers as part of a widespread effort that experts believe is on behalf of China’s Ministry of State Security, which is the nation’s spy agency.

China-backed hackers have also breached US health insurers and security clearance files to steal sensitive information from millions more Americans, the New York Times reported.

US President Donald Trump’s administration is reportedly planning to declassify intelligence documents that show beginning in 2014, China has been building “a database containing names of executives and American government officials with security clearances.” These accusations have striking similarities to the details of Marriott’s breach: It also began in 2014, and the hackers encrypted customers’ personal information, creating their own database of Starwood guests’ data.

Marriott said Friday that it has officially phased out any use of the Starwood database, and all reservations are now processed through the Marriott system.

But Levin says this type of breach could happen again, as hospitality point-of-sale systems are a prime target for sabotage by hackers. “An industry which knows it is a target hasn’t been protective of the kind of information that it has,” he says.

If you’re information has been taken in the Marriott breach, you can read here how to protect yourself.

Featured image by Miguel Candela/SOPA Images/LightRocket via Getty Images.

Chase Sapphire Preferred® Card

WELCOME OFFER: 100,000 Points


CARD HIGHLIGHTS: 2X points on all travel and dining, points transferrable to over a dozen travel partners

*Bonus value is an estimated value calculated by TPG and not the card issuer. View our latest valuations here.

Apply Now
More Things to Know
  • Our best offer ever! Earn 100,000 bonus points after you spend $4,000 on purchases in the first 3 months from account opening. That's $1,250 when you redeem through Chase Ultimate Rewards®.
  • Earn 2X points on dining including eligible delivery services, takeout and dining out and travel. Plus, earn 1 point per dollar spent on all other purchases.
  • Get 25% more value when you redeem for airfare, hotels, car rentals and cruises through Chase Ultimate Rewards®. For example, 100,000 points are worth $1,250 toward travel.
  • With Pay Yourself Back℠, your points are worth 25% more during the current offer when you redeem them for statement credits against existing purchases in select, rotating categories.
  • Get unlimited deliveries with a $0 delivery fee and reduced service fees on eligible orders over $12 for a minimum of one year with DashPass, DoorDash's subscription service. Activate by 12/31/21.
  • Count on Trip Cancellation/Interruption Insurance, Auto Rental Collision Damage Waiver, Lost Luggage Insurance and more.
  • Get up to $60 back on an eligible Peloton Digital or All-Access Membership through 12/31/2021, and get full access to their workout library through the Peloton app, including cardio, running, strength, yoga, and more. Take classes using a phone, tablet, or TV. No fitness equipment is required.
Regular APR
15.99%-22.99% Variable
Annual Fee
Balance Transfer Fee
Either $5 or 5% of the amount of each transfer, whichever is greater.
Recommended Credit

Editorial Disclaimer: Opinions expressed here are the author’s alone, not those of any bank, credit card issuer, airlines or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Disclaimer: The responses below are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser’s responsibility to ensure all posts and/or questions are answered.