Marriott International may have bumped down the number of records affected by a breach of its Starwood division to 383 million, but the hotel chain admitted that five million passport numbers stolen in the incident by an unknown hacker were unencrypted.
"A key question we need to ask is why do hotels need to store passport numbers? One of the biggest impacts of GDPR was that it forced companies to consider [whether] the personal data they hold and ask customers for... was really needed and if so how to properly protect it,” said Matt Aldridge, senior solutions architect at Webroot, who called Marriott’s predicament "a great example of too much data being collected and retained.”
Local governments in some countries require visitor data to be recorded for domestic security purposes. "If this is the case, the relevant personal data should be transferred directly into the relevant intelligence, customs or border control system and should not be retained by the hotel," Aldridge explained. "This is just one example among far too many where data is being requested and stored without proper justification and certainly without appropriate measures in place to protect that data."
"Every piece of customer information that a company holds represents a potential point of attack, and every time a partner or agent accesses that data, that becomes a potential attack point as well," said Uniken CEO Bimal Gandhi. "Hotels, hospitality companies, banks and e-commerce entities are all moving to newer ways to enable customers to authenticate themselves across channels, without requiring any PII."
In December, Marriott agreed to pay for new passports if it was determined that "fraud has taken place," but also said the chance of hackers using passport numbers was "very low."
Marriott's reduction in the number of impacted records from 500 million to 383 million came after the company culled out duplicates.
The resort and hotel operator discovered in September that malicious actors had spent more than four years inside its Starwood reservation system, obtaining access to guest records that included names, payment card information and other PII.
The cybercriminals gained access to, copied and encrypted a wide variety of data from guests using its reservation system, the company said, and the breach was discovered only when the cybercriminals attempted to remove data from the U.S. system. This event led to a further investigation, which uncovered that the long-running operation had been in place since 2014.
Marriott acquired Starwood Hotels in 2016, indicating the malware was already in place and not yet discovered prior to the deal closing.