

Marriott Says Hackers Stole More Than 5 Million Passport Numbers (cnet.com)

Marriott has downsized its original estimate on a major data breach, but the number of people affected is still historic. The hotel group announced Friday that it now believes hackers accessed the records of up to 383 million guests, following an investigation it conducted with a forensics and analytics team. In November, it had reported an estimate of as many as 500 million guests. From a report: Even at that lower figure, the Marriott incident remains one of the largest personal data breaches in history, more than double that of Equifax, which exposed the personal data of 147.7 million Americans. Data breaches have become a common issue for massive companies that collect and store information on millions of people. In 2018, tech giants like Facebook and Reddit have fallen victim to data breaches. Hackers look for poor protection that they can bypass to steal valuable details like Social Security numbers, birth dates, email addresses and credit card numbers.

71 comments

  1. They weren't stolen by Anonymous Coward · · Score: 1

    A hacker tricked the reservation computer into thinking they were uber-platinum-elite guests, and the hotel concierge put the data on a gold-encrusted USB stick in their welcome bag.

  2. Sue them senseless by nospam007 · · Score: 3, Insightful

    They deserve it.

    1. Re:Sue them senseless by TheGratefulNet · · Score: 3, Informative

      just WHY does a hotel need to know your PASSPORT number?

      that boggles the mind.

      yesterday, I was talking to an Indian friend and we were talking about privacy and how much info you are willing to give out. I give out NOTHING unless it's really needed; he gives anything you ask. he didn't even understand why it would be a problem to not give out info. I think in India, they are so programmed into following the rules and not challenging authority. when they come here, they continue doing the same and the companies that invade your privacy probably LOVE this.

      as an American, born and raised here, I continue to explain WHY you want to say no to almost all info requests and to limit who gets what, but it's an uphill battle. the 'I've done nothing wrong...' argument is still strong with many kinds of people and we need to change this FAST or we'll continue to supply data to bad guys, who will wield it over us. (btw, the bad guys include local governments; they also can't be trusted with all the info we give them).

      many foreigners don't understand; even born/raised Americans are still not getting it. we need to change this but I'm not sure how we can teach people responsible 'info mgmt' behavior. with one breach after another, even that is not enough to show people that they need to say no to data requests from corps.

      --
      "It is now safe to switch off your computer."
    2. Re: Sue them senseless by Anonymous Coward · · Score: 0

      Of course, that is the one thing I have been saying forever.

    3. Re:Sue them senseless by froggyjojodaddy · · Score: 4, Insightful

      I *think* it's because some countries/jurisdictions require the hotel to capture certain details, including the passport number. So they're obligated to get it, but clearly they didn't think ahead and actually store that data appropriately

      Actually, what's more likely is:

      Boss: We need to capture Passport info to be in compliance with blah, blah
      DB admin/Developer: No problem, we need a secure database back end with limited access, auditing capability, and secure.....
      Boss: No, what? No! We don't have money or time for that. Just make it happen
      DB admin/Developer: But this goes against every principle of data management and storage. What if I just...
      Boss: Listen, you're making this overly complicated OK? We're not going to get hacked, just put in an exclamation mark in the regular password I use, Ok?

      A few months later, they get hacked. Developer bears the brunt of the fallout. Boss goes on a nice vacation courtesy of the huge bonus he received a few months prior for "implementing a method to remain compliant with blah, blah law"

    4. Re:Sue them senseless by OffTheLip · · Score: 1

      I have stayed at a number of hotels in Eastern Europe, central Asia and the middle east where your passport was required at check-in. I assume they scanned it into their system.

    5. Re:Sue them senseless by Anonymous Coward · · Score: 0

      Be prepared to show damages.

      Oh, but you can't.

      They'll give you a free credit monitoring subscription for a few years. End of story.

      The credit monitoring will, in the court's eye, cover and mitigate any damages you could possibly propose.

    6. Re:Sue them senseless by Anonymous Coward · · Score: 0

      So... what can you do?
      Say, you travel to Italy and check in to a Marriott hotel where you reserved 3 months ago. They require your passport to verify your identity. Will you leave the hotel and find another place until you can find one that doesn't require a passport? Will you stand there and fight with them to accept your face as your identity?
      Airbnb? They want access to your facebook contents. Oh, if you have not enough history with that facebook account, they'll require other means to verify your identity.
      So, how do you exactly say no?
      Where will you stay?

    7. Re:Sue them senseless by holophrastic · · Score: 1

      Because we don't teach people, in kindergarten, not to give out their personal information to anyone who asks for it.

      Oh wait, we do. We say: "don't talk to strangers" and we say "don't put your name on your backpack" and we say "don't tell strangers where you live".

      okay, let's rephrase:

      Because we don't teach adults to remember what they learned in kindergarten.

      Oh wait, we do. We say: "everything important, I learned in kindergarten".

      okay, let's rephrase:

      because people are idiots. I blame Radio Shack. they're the ones that started all of this.

      so the solution is the same as it's always been. we get to wait until the problem is big enough, and then we get to regulate. yay!

      hey marriott, you aren't allowed to hold any customer data for more than a week past the end of their stay. you don't need it.

    8. Re:Sue them senseless by b0s0z0ku · · Score: 1

      The advantage of Eastern Europe and central Asia is that some money can sometimes change hands and pesky requirements for things like passports will go byebye.

    9. Re:Sue them senseless by b0s0z0ku · · Score: 1

      If you plan ahead a bit, you can use Craigslist or similar short-term rental sections. Much less intrusive than things like AirBnB since it's essentially an anonymous transaction.

    10. Re: Sue them senseless by Anonymous Coward · · Score: 0

      I suppose if the hotel is in a certain type of country they may say they need your passport or number. Hotels in the US do not, I assume, if you are a citizen?

    11. Re:Sue them senseless by geggam · · Score: 1

      Certain countries require you give your passport information to the hotel

    12. Re:Sue them senseless by religionofpeas · · Score: 4, Insightful

      The problem is not giving out your passport number. The problem is that some people/businesses consider a passport number to be an authentication device.

    13. Re:Sue them senseless by Anonymous Coward · · Score: 0

      What's much more likely is the DBA will refuse to have a meeting with the Boss and will force the conversation into e-mails, or will require before doing said bad thing, to have the boss respond or sign a written plan.

      Then when shit goes downhill, they wait to be fired for it after cordially reminding them it was their bosses requirement. When they get fired, they go see a lawyer, and ensure it's part of the public record they got paid in a lawsuit for wrongful termination and ensure said letter was part of the public record.

      That's how it's done. Don't be the sap or the victim.

    14. Re:Sue them senseless by Anonymous Coward · · Score: 0

      and do they require the hotel to store that data forever?

    15. Re:Sue them senseless by Anonymous Coward · · Score: 0

      Exactly. In a different context we'd all be yelling "but information should be free" or "you can't own a number" or "you're only perpetuating the International Civil Aviation Organization cartel" or "fuck passport trolls".

      I mean, seriously, I'd be willing to bet I have a lot of those passport numbers on a hard drive somewhere already.

    16. Re:Sue them senseless by Anonymous Coward · · Score: 0

      actually the problem is requiring this kind of crap for anything including taking a stupid plane

    17. Re:Sue them senseless by Anonymous Coward · · Score: 0

      Maybe it's just me, but I've only had that type of thing happen with multiple levels of management/departments involved; usually after explaining to my boss he goes "hmm. I see. We'll have to escalate this to get (whatever it is we need)" followed by it being promptly denied by finance, leaving both of us trying to duct tape at least something together to not get fired for failure to complete goals.

    18. Re:Sue them senseless by DickBreath · · Score: 1

      > They deserve it.

      It's not ONLY that they deserve it. (which they do!)

      It's that the only way to fix this is to make it way more expensive to get hacked than it would be to prevent getting hacked. Maybe with a side order of jail time for senior executives.

      And you don't sue them senseless. You sue some sense into them.

      For extra security, the security staff should wear the t-shirts inside out to protect the root password from public view. Thank you, the management.

      --

      I'll see your senator, and I'll raise you two judges.
    19. Re:Sue them senseless by BitterOak · · Score: 1

      I *think* it's because some countries/jurisdictions require the hotel to capture certain details, including the passport number.

      Which countries/jurisdictions? I'd honestly like to know so I can avoid them.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    20. Re:Sue them senseless by thegarbz · · Score: 1

      just WHY does a hotel need to know your PASSPORT number?

      Legal requirements for serving foreigners in most countries in the world combined with the concept of having a common database for guests rather than an unstructured garbled mess.

      many foreigners don't understand even even born/raised americans are still not getting it.

      Many foreigners live in countries where your entire life doesn't get royally screwed up just because someone knows your 9 digit number.

    21. Re:Sue them senseless by AHuxley · · Score: 1

      Different nations have police registration for tourists. This allows police to quickly track everyone in their nation as they are citizens/approved tourists/ people allowed to be in that nation.

      --
      Domestic spying is now "Benign Information Gathering"
    22. Re:Sue them senseless by Anonymous Coward · · Score: 0

      Certain very popular Middle Eastern locations (and other international locations) are required to work with the local embassy to ensure safety protocols are taken. These protocols almost indefinitely include verifying passports for non-citizens. The collection is standard practice in the hotel industry in these locations

    23. Re:Sue them senseless by Anonymous Coward · · Score: 0

      if I recall, I think China is one of them.

    24. Re: Sue them senseless by houghi · · Score: 2

      I went to these countries. I went to the identical hotel after a week. They said hello, called me by my name, said "we have the same room for you" and asked for my passport again, because they DID NOT KEPT THE DATA.

      Not happened in even one country or in chain of hotels. Due to reasons I had to travel a lot in the last two years.

      Saving that data is not obligatory. It happens on request of the lazy customer who cannot wait 30 seconds to reach his minibar.

      --
      Don't fight for your country, if your country does not fight for you.
    25. Re: Sue them senseless by houghi · · Score: 1

      The problem is that people want it. They like to get the 30 seconds of not handing over their passport.

      --
      Don't fight for your country, if your country does not fight for you.
    26. Re: Sue them senseless by Anonymous Coward · · Score: 0

      they DID NOT KEPT THE DATA

      If you're going to "shout", at least make it grammatically correct.
      After the auxiliary verb "did/n't" you need to use the infinitive "keep", so they didn't KEEP the data.
      This in contrast to the auxiliary verb "have/n't" where you do use the past participle "kept", so they haven't KEPT the data.
      I often hear this error made by our French speaking colleagues. They are always blissfully unaware, but to me it sounds like playing the wrong note in a well known song.

    27. Re:Sue them senseless by Anonymous Coward · · Score: 0

      All EU countries - yes
      US - yes (Requirements on amount of information differ by state)
      China - yes
      Korea - yes
      Thailand - yes
      Ukraine - no... at least they did not ask me, but they did require a deposit for the room that I paid for with a CC (so maybe that was enough for identification?)
      Serbia - yes
      Croatia - yes
      Mexico - was a few years ago, but I think I just showed my ID and the room was pre-paid.

      The requirement for a passport is most likely because national ID cards are not valid identification in other countries, but passports are. The passport number is a single way for them to refer to a person, and a semi-secure way since those numbers are renewed every few years, but still traceable.

      What I do wonder is why they need to store the passport number after a guest has checked out.. Would it not be enough to keep it for a maximum of 2-3 months after checkout or so?

      ** Disclaimer.. some of the listed countries (except for US and EU) may not have laws, but may just have been hotel policies.. Just listing what I have experienced.

    28. Re:Sue them senseless by Anonymous Coward · · Score: 0

      Vietnam - inn keepers are required to report to the local police station the particulars of foreigners that will be staying with them that evening and for how long.

      You have to remember that it's a country run by a Communist government.

    29. Re:Sue them senseless by 0111+1110 · · Score: 1

      I can't use AirBnB because it requires me to photograph my passport but it never accepts the result. It rejects the passport image every single time I try it. Maybe it requires a $700 phone camera. My phone only cost $160. I wonder how many potential customers they have lost because their phone is not a high end flagship with a Leica lens.

      --
      Quite an experience to live in fear, isn't it? That's what it is to be a slave.
  3. Track Down and Kill... by Anonymous Coward · · Score: 1

    ...All Hackers, Virus creators. etc.

    Why is it no resources are ever expended on finding these people and instead spent on an ever expanding effort to block them?

    "You steal shit, and we will come for you" should be the motto of law enforcement. Not, "Steal shit and I'll buy newer locks".

    1. Re:Track Down and Kill... by DickBreath · · Score: 1

      Try this: Offer a bounty / reward program for information leading to the arrest of the hackers. If you make it high enough, you will attract the time and attention of people with sufficient expertise to track them down.

      Yes, it may sound like outsourcing police work. But if it works, and doesn't require lots of donuts, then I don't see a problem with it.

      --

      I'll see your senator, and I'll raise you two judges.
    2. Re:Track Down and Kill... by godel_56 · · Score: 1

      ...All Hackers, Virus creators. etc.

      Why is it no resources are ever expended on finding these people and instead spent on an ever expanding effort to block them?

      "You steal shit, and we will come for you" should be the motto of law enforcement. Not, "Steal shit and I'll buy newer locks".

      The perpetrators of APTs (Advanced Persistent Threats) are the employees of major enemy governments such as Russia, China, and North Korea and they are resident in their home countries. So you go get 'em, boy.

  4. WHY do you need my passport number?????? by Anonymous Coward · · Score: 1

    When did hotels become customs and immigration officers? Why are you recording the information from my drivers license and passport? Why do you need my email address and mobile phone number?????? Why do you need the registration information of my rental car??????

    1. Re:WHY do you need my passport number?????? by b0s0z0ku · · Score: 1

      I can understand the driver's license or passport info -- if you cause damage to the hotel and your card doesn't cover it, they want to know who to bill.

    2. Re:WHY do you need my passport number?????? by Local+ID10T · · Score: 1

      OK. I'll bite and try to give real answers.

      When did hotels become customs and immigration officers?

      They are not.

      Why are you recording the information from my drivers license and passport?

      Because the law requires it.

      Why do you need my email address and mobile phone number??????

      To contact you. Email is for non-urgent communications -e.g. reservation confirmations and copies of your bill (and likely for marketing spam). Mobile phone is for urgent communications -e.g. (water leak / fire / burglary) affecting your room and possessions while you were out.

      Why do you need the registration information of my rental car??????

      To identify which cars in the parking lot are from registered guests. Perhaps there was an accident involving a parked car -would you rather get a call from the front desk, or just be surprised when you go to leave? Perhaps there was a hit & run, and the police tracked the car to this hotel...

      --
      "You want to know how to help your kids? Leave them the fuck alone." -George Carlin
    3. Re:WHY do you need my passport number?????? by Anonymous Coward · · Score: 0

      Not some local idiot after all.

  5. nothing will happen by Anonymous Coward · · Score: 1

    no fines, no one jailed, nothing. business will continue as usual

    It's as if PCI compliance does not exist. Well it doesn't, no one gets in trouble for shit.

    Fuck PCI compliance with a big rubber dick.

    1. Re:nothing will happen by Anonymous Coward · · Score: 0

      We need more neck beards in their mother's basements to be found dead of lead poisoning.

      Add to that MOABs dropped on Chicom hacker labs.

    2. Re:nothing will happen by b0s0z0ku · · Score: 2

      Using a passport for ID is common in Europe, less so in the US. Sounds like Marriott is due for a good fucking from EU countries, which actually have and enforce privacy laws.

    3. Re:nothing will happen by Anonymous Coward · · Score: 0

      What does PCI (which governs the proper storage of payment card details) have to do with proper storage of passport information or other related personal information? PHBs out there will make sure that your data is stored as unsecured as possible because it is cheap to do so.

    4. Re:nothing will happen by Anonymous Coward · · Score: 0

      They cross over, as PII compliance. See more here. I think the sentiment is sensitive data is being that is supposed to be secure under compliance and nothing happens when it's leaked.

  6. Why? by Anonymous Coward · · Score: 1

    Why does a hotel chain store passport numbers of its guests? Even if they legitimately do need the information for some reason, shouldn't it be deleted after a short period of time?

    1. Re:Why? by b0s0z0ku · · Score: 1

      Because they can and don't have to delete it -- so their systems are set up not to. It should be really deleted after a few days, after it's proven that there's no damage to the hotel from guests.

  7. 5 million x $1,000 fine each, ouch by Anonymous Coward · · Score: 0

    Do it!

    These massive hacks are happening at an increasing rate.

    We need to make an example of them.

    Side note, why in God's name does Marriott need to store people's passport info?

    1. Re:5 million x $1,000 fine each, ouch by FormOfActionBanana · · Score: 1

      It's not 5 million. 500 million.

      --
      Take off every 'sig' !!
  8. Easier said than done by DogDude · · Score: 1

    In the US, a lawsuit is, minimum, $100K.

    --
    I don't respond to AC's.
  9. row count on their database returned by Anonymous Coward · · Score: 0

    Their investigation consisted of select count(*) where created < ${discovery_date}

  10. Some data should be stored offline by davidwr · · Score: 3

    If the law requires you to collect data that you don't need for business purposes, don't store it on a connected computer.

    Scan the passport with a non-networked scanner but store the image on the scanner itself or offline for as long as the law requires, then delete it.

    Make sure that the scans are encrypted and that they can only be decrypted with a key held off-site by corporate security. That way a clerk can't bulk-copy the scans that are stored on-site.

    There is still one hole that can't be fixed: Any clerk that handles a particular passport can make a surreptitious copy for his own use using his own camera. If he has a photographic memory, he can just memorize it. The damage from this method is a lot less than a bulk-data-compromise.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Some data should be stored offline by TechyImmigrant · · Score: 3, Interesting

      My wife's business collects sensitive information - e.g. credit card info for billing customers, but there's quite a bit else. After going through the options, we decided that this stuff would get written in a book. If hackers got in, they wouldn't find much of value to them.

      The cost is you have to punch the numbers into the card machine when fulfilling an order. The saving is a reduction in PCI-DSS scam audits to pay for and peace of mind.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:Some data should be stored offline by thegarbz · · Score: 1

      Holy crap can you come up with any more complicated and expensive to run and maintain system? I'm sure Marriott would rather go bankrupt due to fines and being sued rather than high overhead costs of ill conceived security measures.

    3. Re:Some data should be stored offline by Anonymous Coward · · Score: 0

      The hotel I stay at in China employs a photocopier for this purpose.

  11. LOL by Anonymous Coward · · Score: 0

    Who gives their passport to a hotel? Hell no. They want a credit card, ok sure. They want my DL#...only if I have to. If they want my passport or SSN they can fuck right off. ABBs in the area will get my business before I give a hotel my international travel documents or my retirement policy number.

    1. Re:LOL by b0s0z0ku · · Score: 1

      DL actually gives the snooping assholes more information than a passport -- passport doesn't have an address on it, so you can lie about your home address if you want to give as little info as possible.

    2. Re:LOL by Anonymous Coward · · Score: 0

      Who gives their passport to a hotel?

      Visitors to countries where *the law requires them to do so*, as has been pointed out numerous times already in this discussion.

  12. Blockchain Justification by Anonymous Coward · · Score: 0

    Blockchain justification for sure.

    Of course it is a step too far at the moment as any single id or number does not have much authenticity if a third party reads it directly rather than using a public private key back to the issuer so how could they jump to a blockchain?

    It is frustrating but really why do they care so much about it?

  13. No, Hackers did not steal by Anonymous Coward · · Score: 0

    Marriott GAVE away their customers info by not properly securing the data.

    That is criminal negligence and occurred prior to the bad hackerz.

  14. This could be useful by gnasher719 · · Score: 3, Interesting

    The U.K. government has plans that you need to supply a passport number soon to watch porn. What an opportunity: 5 million passport numbers that you can sell one each to five million privacy-conscious Brits who don't want their porn habits leaked.

  15. Looks like China is building dossiers on US people by Anonymous Coward · · Score: 0

    OPM, Equifax, Marriott... Our Lack of privacy to benefit business is going to come back to bite us if we get in a war with China.

    “When it comes time to hang the capitalists, they will vie with each other for the rope contract.”
    —Major George Racey Jordan.

    Maybe the Alibaba credit system could be hacked.

  16. Marriott tried to block cell communications right? by 140Mandak262Jamuna · · Score: 2
    Didn't they use jammers to prevent people in their conference halls from getting wireless data and thus they could be charged for WiFi?

    Suing Marriott will hurt the present stock owners. Need to put a few executives who approved and supervised the data centers, even if they have resigned from the company, in jail. Only then they will take security seriously. As it stands now, they cash in and leave before the shit hits the fan making bag holders out of shareholders.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  17. Re:Marriott tried to block cell communications rig by Anonymous Coward · · Score: 0

    The Marriott family are Mormons, and as such, I won't ever give them a dime of my money. From what I understand, they are heavy donors to the LDS. No thank you.

  18. Stop storing my damn information. by Anonymous Coward · · Score: 1

    Stop storing my damn information.

  19. Re:Marriott tried to block cell communications rig by b0s0z0ku · · Score: 3, Informative

    Marriott also owns Doubletree -- recently a Black man was ejected from a Doubletree in Portland for not interrupting a phone call with his family to "prove" that he was a guest there. Never mind that he showed his room key to the hotel's rent-a-cop, apparently that wasn't enough.

  20. Re:Marriott tried to block cell communications rig by Anonymous Coward · · Score: 0

    It's sad that we're 170 years out from the Civil War and black people are still treated like animals. It's better up in the NE, but here in the south, it's still a real thing. Texas here, and an anecdote. I was at a gun store looking at some new pieces. A well-dressed black man came in and the stiffness of the store guys was palpable. They acted almost as if he was a criminal. He asked to see a couple of pistols and they basically acted as if he wanted one only because he had ulterior motives. I would have loved to get that man's take on what he felt. He left without buying. I have never gone back there.

  21. This. A thousand times this. by Anonymous Coward · · Score: 0

    Track Down and Kill All Hackers, Virus creators. etc.

    This. A thousand times this. We are at war, and our enemies are winning. Time for those implementing the attacks and wreaking the damage to pay the price all such warmongers should pay (and many, in traditional wars, do), an abrupt, preferably painful end to their tiny pathetic lives.

    If hackers feel the fear of death every time they type a command (or click a script-kiddy icon), maybe they'll think twice before going to work for/bending over for Vlad.

  22. Marriott also has physical security issues by schwit1 · · Score: 1

    https://www.youtube.com/watch?...

    For your own protection it may be better to stay someplace else.

    1. Re:Marriott also has physical security issues by Anonymous Coward · · Score: 0

      I stay in two hotels a week, usually Marriotts but not always. I can tell you that the vast majority of what I've seen of their 7k hotels are nothing like this. Everyone has their cat1 hotels

  23. Re:Marriott tried to block cell communications rig by Anonymous Coward · · Score: 0

    Marriott does not own Doubletree, that is Hilton. The simplest search query would've told you that

  24. Re:This. A thousand times this. by Anonymous Coward · · Score: 0

    Oh... You just threatened the CIA, FSB and basically every single country's security-service ... watch out...

    It would be a lot better to go after people gathering, and not protecting, other people's information. If I were to collect personal information and keep it on paper I would be required to store it in a safe and secure location to prevent unauthorized people from accessing it... Now they store this same information *unencrypted* (encrypting the data with a key that's also available on related systems is not really protecting it) and connected to the internet for ease of access. ..

    If you want to keep a history available, containing personal information, online then encrypt the sensitive data with public key encryption and only store the public key on the server. If you ever need to access the encrypted data you go to the security department to have it decrypted.
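The design sketched in this comment and in davidwr's comment #10 (encrypt the scans on site, keep the decryption key off-site with corporate security, delete after the legally required period) can be shown concretely. The following is an added example written for this thread, not code from Marriott or from any poster. It assumes a hypothetical GuestRecord with a passport number field, a placeholder retention period, and uses hybrid encryption from the Go standard library: a fresh AES-256-GCM key per record, wrapped with RSA-OAEP to an RSA public key. The reservation server runs only Seal, so nothing stored on it, and no key it holds, decrypts the passport numbers; Open runs where the private key lives. A purge step enforces the retention deadline the thread keeps asking about.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// GuestRecord is a constructed example of what a front desk captures
// (hypothetical; not any hotel chain's real schema).
type GuestRecord struct {
	Name     string
	Passport string // the sensitive field
	CheckOut time.Time
}

// SealedRecord is the form that may sit on the networked reservation system:
// the passport number only as ciphertext, plus a retention deadline.
type SealedRecord struct {
	Name       string
	WrappedKey []byte // per-record AES key, encrypted to the offline RSA public key
	Nonce      []byte
	Ciphertext []byte // passport number under AES-256-GCM
	PurgeAfter time.Time
}

// Retention is a placeholder period after check-out; local law decides the real value.
const Retention = 7 * 24 * time.Hour

var oaepLabel = []byte("guest-passport-dek")

// Seal runs on the server. It needs only the public key, so a copy of the
// server's storage cannot be decrypted with anything the server holds.
func Seal(pub *rsa.PublicKey, rec GuestRecord) (SealedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return SealedRecord{}, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return SealedRecord{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return SealedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedRecord{}, err
	}
	// The guest name is authenticated as associated data, so a ciphertext
	// cannot be silently moved onto another guest's record.
	ct := gcm.Seal(nil, nonce, []byte(rec.Passport), []byte(rec.Name))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, oaepLabel)
	if err != nil {
		return SealedRecord{}, err
	}
	return SealedRecord{Name: rec.Name, WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: ct, PurgeAfter: rec.CheckOut.Add(Retention)}, nil
}

// Open runs wherever the private key is kept (the security department),
// never on the reservation server.
func Open(priv *rsa.PrivateKey, s SealedRecord) (string, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, oaepLabel)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(s.Name))
	if err != nil {
		return "", err // wrong key, or a tampered / re-bound record
	}
	return string(pt), nil
}

// Purge drops every sealed record whose retention deadline has passed.
func Purge(records []SealedRecord, now time.Time) []SealedRecord {
	var kept []SealedRecord
	for _, r := range records {
		if now.Before(r.PurgeAfter) {
			kept = append(kept, r)
		}
	}
	return kept
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // generated off-site in practice
	if err != nil {
		panic(err)
	}
	rec := GuestRecord{Name: "Example Guest", Passport: "X00000000", // constructed sample
		CheckOut: time.Date(2019, 1, 4, 11, 0, 0, 0, time.UTC)}
	sealed, err := Seal(&priv.PublicKey, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the server: %x...\n", sealed.Ciphertext[:4])
	pt, _ := Open(priv, sealed)
	fmt.Println("recovered off-site:", pt)
	fmt.Println("records left a month after check-out:",
		len(Purge([]SealedRecord{sealed}, rec.CheckOut.AddDate(0, 1, 0))))
}
```

The point the thread makes about keys "also available on related systems" is what the split between Seal and Open enforces: an attacker with the server, its database and every key on it gets only wrapped keys and GCM ciphertext. Binding the guest name as associated data is the extra check a practitioner would want, since it turns a swapped or re-attributed record into a decryption failure rather than a silent mix-up.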