Marriott International may have bumped down the number of records affected by a breach of its Starwood division to 383 million, but the hotel chain admitted that five million passport numbers stolen in the incident by an unknown hacker were unencrypted.

"A key question we need to ask is why do hotels need to store passport numbers? One of the biggest impacts of GDPR was that it forced companies to consider [whether] the personal data they hold and ask customers for... was really needed and if so how to properly protect it,” said Matt Aldridge, senior solutions architect at Webroot, who called Marriott’s predicament "a great example of too much data being collected and retained.”

Local governments in some countries require visitor data to be recorded for domestic security purposes. "If this is the case, the relevant personal data should be transferred directly into the relevant intelligence, customs or border control system and should not be retained by the hotel," Aldridge explained. "This is just one example among far too many where data is being requested and stored without proper justification and certainly without appropriate measures in place to protect that data."

Please register to continue.

Already registered? Log in.

Once you register, you'll receive:

  • News analysis

    The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.

  • Archives

    Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.

  • Daily Newswire

    SC Media’s essential morning briefing for cybersecurity professionals.

  • Learning Express

    One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.