It has become a familiar dance: A company reports a data breach, and you dutifully change your passwords, ask for a new credit card and hope your information doesn’t end up for sale on the dark web. But the hack that last week engulfed Marriott — and 500 million of its customers — has added a new step: Your passport might be at risk, too.
Whether those customers should go get a new passport is perhaps the most complicated consumer question hanging out there in the wake of the news that millions of Starwood Hotels customers had their data stolen in a breach that began as early as 2014. Brands like Westin, Sheraton, Aloft and W are affected, but not Marriott brands that predate the company’s acquisition of Starwood in 2016.
Besides passport information, the thieves took names, addresses, dates of birth, and credit or debit card numbers, though it’s possible that they did not get access to every bit of information for each person in the company database.
Given how often bank card fraud occurs, Starwood customers may have obtained a new number in the past few years, anyway.
But a subset of Starwood customers — those who traveled abroad and had to turn over their passport numbers at the check-in desk — face a question that few breach victims have faced before: What is the likelihood that someone might use that number to acquire a new passport and use it for no good?
The State Department says there isn’t much of a chance. The World Privacy Forum and the Identity Theft Resource Center say there is — with a mild qualification. If you’re among the Starwood customers who had to hand over passport information, your decision will hang on your taste for the very long odds of very bad people doing horrible things with a passport they acquired in your name.
The thieves — the hackers have not been identified, but the stolen information has not turned up on the dark web, which experts said suggested the work of a state actor — were able to access passport numbers because local or national rules sometimes require hotels to collect them. Depending on where you go in the world, officials in the place you are visiting may require your hotel to examine your passport and perhaps transmit passport information to local authorities.
It is unclear how long Marriott had held on to the information and if it held it longer than it had to. A spokeswoman said the company was not certain about these details yet.
A Hilton spokesman said that when its hotels are required to gather passport information, they often upload it via third-party software to the relevant authorities. The length of time such information is retained depends on the location of the hotel. A Hyatt spokeswoman said that it collects the minimum amount of personal information necessary to provide services that guests say they want or to comply with local rules.
It is also not clear how many former Starwood customers have a decision to make about their passports. A Marriott spokeswoman would only say that it believed that the number would be a “very small subset” of the larger group but that it did not have a precise number just yet. But even a small subset of 500 million can be a very big number: If two-tenths of a percent of customers are affected, that would be one million people.
The State Department does not believe those people need new passports. The logic goes like this: Nobody can access your travel records using a passport number, nor can anyone travel in your name simply by presenting those digits. If the thieves try to obtain a replacement in your name, they’ll run into difficulty: Unable to present a lost or expired passport, they would need a sheaf of other documents to prove that they are you.
But that’s where the danger lies, said Pam Dixon, executive director of the World Privacy Forum. Sophisticated thieves can clear those hurdles, she said.
“The Marriott breach is risky precisely because they had the passport number plus all of the demographic information,” she said of the thieves. She worried in particular about an emerging form of fraud called “morphing” — in which determined thieves create fake supporting documents and then try to obtain a passport in your name. Part of the process involves creating an image by merging a photo of you that they find online with a photo of a thief — similar to the “deepfake” videos that can already be found on the internet.
Ms. Dixon said she would replace her passport once she finished a pending trip abroad. Eva Velasquez, president of the Identity Theft Resource Center, said that she would do the same if she received notification from Marriott indicating that thieves retrieved useful information like her address and date of birth in addition to her passport number. (Marriott is just beginning the process of informing customers if their data is on the loose.)
To be clear: Thieves probably won’t be making a few million passports. For any one person to become a victim, the thieves would need to be in the business of faking identities in the first place. That may not be their endgame at all. Then, they’d have to pick on your data and be successful in getting a passport in your name. Then, they’d have to choose to use it.
The odds of all that happening are low. In the world of payment cards — where fraud is not nearly as complicated — it’s still a small portion of customers that have to deal with it. A Visa spokeswoman said that as its algorithms improved and companies became more sophisticated, it has seen fraud rates on at-risk card accounts falling below 5 percent.
That won’t keep some people from wanting to do anything they can to avoid even rock-bottom odds of, say, landing in jail when they try to enter another country someday. So they’ll get a new passport, which comes with a new passport number.
For now, Marriott doesn’t want to pay for that peace of mind. Instead, it’s setting up a process to work with guests who may one day experience passport fraud that they believe was a result of this breach. Then and only then will it reimburse people for the costs involved with getting a new passport. On Sunday, Senator Chuck Schumer, Democrat of New York, called on the company to reimburse people who choose to obtain new passports.
Marriott is offering customers free enrollment in a service called Web Watcher from the security company Kroll, which scans the dark web for information that thieves may be trying to sell. You can give the service your passport number and ask it to watch out for those figures out there in the blackness — but the membership expires after a year.
But breach anxiety can be forever, or at least 10 years: the standard renewal period for adults’ passports.
So why can’t a company, just once, say something like the following? “We’re sorry. And we’re going to protect you for as long as you feel like you need protecting.”
Stacy Cowley contributed reporting.