The recently disclosed Marriott data breach was one of the largest in history. Marriott now reports that about 383 million guests of its various hotel chains had their data exposed over the course of multiple years.
The attack, interestingly, did not affect guests of Marriott-branded hotels but rather the guests of Starwood hotels, which were acquired by Marriott in 2016. If you have stayed at any of the following hotel chains, your encrypted data may have been leaked: Starwood-branded timeshare properties, W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien, and Four Points.
“Encrypted” is an important part of this. Of all of the affected guests, about 5.25 million had passport numbers attached to their accounts, but those passport numbers were encrypted. That means that the hackers need to figure out the master encryption key in order to actually access the data that they collected. It is not currently clear whether or not that has happened.
Your passport number is one way of tracking your movements and behavior, sort of like a credit card or a driver’s license. A passport number alone can’t provide a complete picture, but it can provide hackers with key information about where you have traveled, how often, and for how long, among other personal details.
The sort-of-good news for most travelers is that this information isn’t particularly valuable unless you are a person in power. What the hackers are most likely looking for is personal information about CEOs, celebrities, and government officials that could be potentially embarrassing or incriminating. The FBI currently suspects that the hackers were working on behalf of the Chinese Ministry of State Security, which is roughly the equivalent of our CIA. In other words, the suspected motivations are political espionage.
All of that said, this is a good reminder that we all need to be exceptionally cautious with our personal information. Your passport security should be treated with the same level of care that you treat your birth certificate or social security card. You should not make your passport number accessible to anyone who doesn’t absolutely need it. You should also avoid sharing your passport number and driver’s licence number in texts or emails if at all possible.
Often when staying at an international hotel, you will be required to share your passport number. The hotel might even ask to make a copy of your passport for their records. This is a standard practice, and we’re not saying that you shouldn’t comply. Rather, be wary of where you choose to stay and just how many people you expose your information to, especially if you’re someone who could potentially be the target of a data breach.
If you suspect or know that your passport number has been stolen, your passport is still valid and is not considered stolen. Without your physical passport, no one else can travel in your name. That said, you should consider calling the State Department to determine what your next steps should be, if any.
You can also always call us with questions or to get expedited passports and visas. We’re always here to help!