Marriott International has agreed to pay $52 million and enhance its data security to resolve claims related to major data breaches that affected more than 300 million customers worldwide. The Federal Trade Commission (FTC) and attorneys general from 49 states and the District of Columbia announced the settlements.
The breaches, which occurred between 2014 and 2020, exposed passport information, payment card numbers, loyalty numbers, dates of birth, email addresses, and other personal information. The FTC alleged that Marriott and its subsidiary, Starwood Hotels & Resorts Worldwide, failed to secure their computer systems with appropriate password controls, network monitoring, and other practices.
As part of the settlement, Marriott will implement a robust information security program and provide U.S. customers with a way to request the deletion of personal information associated with their email address or loyalty rewards account number. Marriott has already made data privacy and information security enhancements.
In 2018, Marriott announced a massive data breach affecting up to 383 million guests, including unencrypted passport numbers for at least 5.25 million guests and credit card information for 8.6 million guests.
The FBI suspects that hackers working on behalf of the Chinese Ministry of State Security are behind the breach. https://apnews.com/article/marriott-data-breach-settlement-97534838b650bfc7a9e73a5336b2988e (Oct. 09, 2024).
Commentary
Many hotels require guests to provide passport information; ironically, to prevent identity theft and credit card fraud.
Many countries require hotels to collect identification information for guest registration. This helps maintain accurate records for law and immigration enforcement. Hotels also take passports to enhance security. This practice reduces the risk of crime and assists in the identification of guests in emergencies.
Passports help hotels, but also provide criminals, and in the case of the Marriott breach, a nation state, with valuable personal information about their holders.
Passport information, like other forms of government issued identity, can be used to open bank accounts, apply for loans, and even commit crimes in your name.
Passports are crucial for international travel. Criminals, terrorists and nation state agents often cross borders undetected using stolen passport information.
Unlike a drivers' license, a passport is not carried or used day-to-day. Consequently, when it is stolen, the theft is often undiscovered after a long period of time has elapsed allowing thieves more time to use the stolen information for ill will.
The final takeaway is keep your passport secure and report it immediately if it's lost or stolen. Taking preventive measures, like keeping it in a safe place and regularly checking its whereabouts, can help mitigate the risk.
