Marriott Says Hackers Stole More Than 5 Million Passport Numbers

Marriott has downsized its original estimate on a major data breach, but the number of people affected is still historic. The hotel group announced Friday that it now believes hackers accessed the records of up to 383 million guests, following an investigation it conducted with a forensics and analytics team. In November, it had reported an estimate of as many as 500 million guests. From a report: Even at that lower figure, the Marriott incident remains one of the largest personal data breaches in history, more than double that of Equifax, which exposed the personal data of 147.7 million American. Data breaches have become a common issue for massive companies that collect and store information on millions of people. In 2018, tech giants like Facebook and Reddit have fallen victim to data breaches. Hackers look for poor protection that they can bypass to steal valuable details like Social Security numbers, birth dates, email addresses and credit card numbers.

They weren't stolen

[Anonymous Coward]

A hacker tricked the reservation computer into thinking they were uber-platinum-elite guests, and the hotel concierge put the data on a gold-encrusted USB stick in their welcome bag.

Sue them senseless

[nospam007]

They deserve it.

Re:Sue them senseless

[TheGratefulNet]

just WHY does a hotel need to know your PASSPORT number?

that boggles the mind.

yesterday, I was talking to an indian friend and we were talking about privacy and how much info you are willing to give out. I give out NOTHING unless its really needed; he gives anything you ask. he didn't even understand why it would be a problem to not give out info. I think in india, they are so programmed into following the rules and not challenging authority. when they come here, they continue doing the same and the companies that invade your privacy probably LOVE this.

as an american, born and raised here, I continue to explain WHY you want to say no to almost all info request and to limit who gets what, but its an uphill battle. the 'Ive done nothing wrong...' argument is still strong with many kinds of people and we need to change this FAST or we'll continue to supply data to bad guys, who will wield it over us. (btw, the bad guys include local governments; they also can't be trusted with all the info we give them).

many foreigners don't understand even even born/raised americans are still not getting it. we need to change this but I'm not sure how we can teach people responsible 'info mgmt' behavior. with one breach after another, even that is not enough to show people that they need to say no to data from corps.

Re:Sue them senseless

[froggyjojodaddy]

I *think* it's because some countries/jurisdictions require the hotel to capture certain details, including the passport number. So they're obligated to get it, but clearly they didn't think ahead and actually store that data appropriately

Actually, what's more likely is:

Boss We need to capture Passport info to be in compliance with blah, blah
DB admin/Developer No problem, we need a secure database back end with limited access, auditing capability, and secure.....
Boss No, what? No! We don't have money or time for that. Just make it happen
DB admin/Developer But this goes against every principle of data management and storage. What if I just...
Boss Listen, you're making this overly complicated OK? We're not going to get hacked, just put in an exclamation mark in the regular password I use, Ok?

A few months later, they get hacked. Developer bears the brunt of the fallout. Boss goes on a nice vacation courtesy of the huge bonus he received a few months prior for "implementing a method to remain compliant with blah, blah law"

Re:

[BitterOak]

I *think* it's because some countries/jurisdictions require the hotel to capture certain details, including the passport number.

Which countries/jurisdictions? I'd honestly like to know so I can avoid them.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[OffTheLip]

I have stayed at a number of hotels in Eastern Europe, central Asia and the middle east where your passport was required at check-in. I assume they scanned it into their system.

Re:

[b0s0z0ku]

The advantage of Eastern Europe and central Asia is that some money can sometimes change hands and pesky requirements for things like passports will go byebye.

Re:

[b0s0z0ku]

If you plan ahead a bit, you can use Craigslist or similar short-term rental sections. Much less intrusive than things like AirBnB since it's essentally an anonymous transaction.

Re:

[0111 1110]

I can't use AirBnB because it requires me to photograph my passport but it never accepts the result. It rejects the passport image every single time I try it. Maybe it requires a $700 phone camera. My phone only cost $160. I wonder how many potential customers they have lost because their phone is not a high end flagship with a Leica lens.

Re:

[holophrastic]

Because we don't teach people, in kindergarten, not to give out their personal information to anyone who asks for it.

Oh wait, we do. We say: "don't talk to strangers" and we say "don't put your name on your backpack" and we say "don't tell strangers where you live".

okay, let's rephrase:

Because we don't teach adults to remember what they learned in kindergarten.

Oh wait, we do. We say: "everything important, I learned in kindergarten".

okay, let's rephrase:

because people are idiots. I blame radio shack. the

Re:

[geggam]

Certain countries require you give your passport information to the hotel

Re:Sue them senseless

[religionofpeas]

The problem is not giving out your passport number. The problem is that some people/businesses consider a passport number to be an authentication device.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[thegarbz]

just WHY does a hotel need to know your PASSPORT number?

Legal requirements for serving foreigners in most countries in the world combined with the concept of having a common database for guests rather than a unstructured garbled mess.

many foreigners don't understand even even born/raised americans are still not getting it.

Many foreigners live in countries where your entire life doesn't get royally screwed up just because someone knows your 9 digit number.

Re:

[AHuxley]

Different nations have police registration for tourists. This allows police to quickly track everyone in their nation as they are citizens/approved tourists/ people allowed to be in that nation.

Easier said than done

[DogDude]

In the US, a lawsuit is, minimum, $100K.

Re:

[DickBreath]

> They deserve it.

It's not ONLY that they deserve it. (which they do!)

It's that the only way to fix this is to make it way more expensive to get hacked than it would be to prevent getting hacked. Maybe with a side order of jail time for senior executives.

And you don't sue them senseless. You sue some sense into them.

For extra security, the security staff should wear the t-shirts inside out to protect the root password from public view. Thank you, the management.

Track Down and Kill...

[Anonymous Coward]

...All Hackers, Virus creators. etc.

Why is it no resources are ever expended on finding these people and instead spent on an ever expanding effort to block them?

"You steal shit, and we will come for you" should be the motto of law enforcement. Not, "Steal shit and I'll buy newer locks".

Re:

[DickBreath]

Try this: Offer a bounty / reward program for information leading to the arrest of the hackers. If you make it high enough, you will attract the time and attention of people with sufficient expertise to track them down.

Yes, it may sound like outsourcing police work. But if it works, and doesn't require lots of donuts, then I don't see a problem with it.

Re:

[godel_56]

...All Hackers, Virus creators. etc.

Why is it no resources are ever expended on finding these people and instead spent on an ever expanding effort to block them?

"You steal shit, and we will come for you" should be the motto of law enforcement. Not, "Steal shit and I'll buy newer locks".

The perpetrators of APTs (Advanced Persistent Threats) are the employees of major enemy governments such as Russia, China, and North Korea and they are resident in their home countries. So you go get 'em, boy.

WHY do you need my passport number??????

[Anonymous Coward]

When did hotels become customs and immigration officers? Why are you recording the information from my drivers license and passport? Why do you need my email address and mobile phone number?????? Why do you need the registration information of my rental car??????

Re:

[b0s0z0ku]

I can understand the driver's license or passport info -- if you cause damage to the hotel and your card doesn't cover it, they want to know who to bill.

Re:

[Local ID10T]

OK. I'll bite and try to give real answers.

When did hotels become customs and immigration officers?

They are not.

Why are you recording the information from my drivers license and passport?

Because the law requires it.

Why do you need my email address and mobile phone number??????

To contact you. Email is for non-urgent communications -e.g. reservation confirmations and copies of your bill (and likely for marketing spam). Mobile phone is for urgent communications -e.g. (water leak / fire / burglary) affecting your room and possessions while you were out.

Why do you need the registration information of my rental car??????

To identify which cars in the parking lot are from registered guests. Perhaps there was an accident involving a parked car -would you rather get a

nothing will happen

[Anonymous Coward]

no fines, no one jailed, nothing. business will continue as usual

It's as if PCI compliance does not exist. Well it doesn't, no one gets in trouble for shit.

Fuck PCI compliance with a big rubber dick.

Re:

[b0s0z0ku]

Using a passport for ID is common in Europe, less so in the US. Sounds like Marriot is due for a good fucking from EU countries, which actually have and enforce privacy laws.

Why?

[Anonymous Coward]

Why does a hotel chain store passport numbers of its guests? Even if they legitimately do need the information for some reason, shouldn't it be deleted after a short period of time?

Re:

[b0s0z0ku]

Because they can and don't have to delete it -- so their systems are set up not to. It should be really deleted after a few days, after it's proven that there's no damage to the hotel from guests.

Re:

[FormOfActionBanana]

It's not 5 million. 500 million.

Some data should be stored offline

[davidwr]

If the law requires you to collect data that you don't need for business purposes, don't store it on a connected computer.

Scan the passport with a non-networked scanner but store the image on the scanner itself or offline for as long as the law requires, then delete it.

Make sure that the scans are encrypted and that they can only be decrypted with a key held off-site by corporate security. That way a clerk can't bulk-copy the scans that are stored on-site.

There is still one hole that can't be fixed: Any clerk that handles a particular passport can make a surreptitious copy for his own use using his own camera. If he has a photographic memory, he can just memorize it. The damage from this method is a lot less than a bulk-data-compromise.

Re:Some data should be stored offline

[TechyImmigrant]

My wife's business collects sensitive information - E.G. credit card info for billing customers, but there's quite a bit else. After going through the options, we decided that this stuff would get written in a book. If hackers got in, they wouldn't find much of value to them.

The cost is you have to punch in the numbers into the card machine when fulfilling order. The saving is a reduction in PCI-DSS scam audits to pay for and peace of mind.

Re:

[thegarbz]

Holy crap can you come up with any more complicated and expensive to run and maintain system? I'm sure Marriott would rather go bankrupt due to fines and being sued rather than high overhead costs of ill conceived security measures.

Re:

[b0s0z0ku]

DL actually gives the snooping assholes more information than a passport -- passport doesn't have an address on it, so you can lie about your home address if you want to give as little info as possible.

This could be useful

[gnasher719]

The U.K. government has plans that you need to supply a passport number soon to watch porn. What an opportunity: 5 million passport numbers that you can sell one each to five million privacy-conscious Brits who donâ(TM)t want their porn habits leaked.

Marriott tried to block cell communications right?

[140Mandak262Jamuna]

Didn't they use jammers to prevent people in their conference halls from getting wireless data and thus they could be charged for WiFi?

Suing Marriott will hurt the present stock owners. Need to put a few executives who approved and supervised the data centers, even if they have resigned from the company, in jail. Only then they will take security seriously. As it stands now, they cash in and leave before the shit hits the fan making bag holders out of shareholders.

Re:Marriott tried to block cell communications rig

[b0s0z0ku]

Marriot also owns Doubletree -- recently a Black man was ejected from a Doubletree in Portland for not interrupting a phone call with his family to "prove" that he was a guest there. Never mind that he showed his room key to the hotel's rent-a-cop, apparently that wasn't enough.

Stop storing my damn information.

[Anonymous Coward]

Stop storing my damn information.

Marriott also has physical security issues

[schwit1]

https://www.youtube.com/watch?... [youtube.com]

For your own protection in mat be better to stay someplace else.