Marriott will pay for new passports after data breach ‘if fraud has taken place’

The logo for the W Hotel in New York's Times Square -- one of the properties affected by the data breach.
(Mark Lennihan / Associated Press)
Washington Post

After a colossal data breach that hit Marriott International and compromised sensitive personal information — including some passport numbers — of hundreds of millions of guests, the hotel company has agreed to pay for passport replacements if it finds that customers have been victims of fraud.

The breach, which took place over four years and affected 500 million guests, was notable not only for its scope but also for the bevy of personal information hackers accessed through the reservation system of Marriott’s subsidiary, Starwood: genders, birth dates, email and mailing addresses and phone numbers, as well as some payment card information. The hackers also accessed passport numbers for a “smaller subset of customers,” Marriott said.

The U.S. State Department has said that its records and systems were not connected to Marriott’s and that a fake passport could not be created with a passport number alone.


But many experts and government officials have expressed concern that the passport numbers, in concert with the other personal data compromised by the hack, could pose serious risks of identity theft — and be a threat to national security.

On Sunday, Senate Minority Leader Chuck Schumer (D-N.Y.) suggested that Marriott cover the $110 charge for customers requesting new passports after the breach.

Marriott spokeswoman Connie Kim said in an email that although it believes the chance of hackers using passport numbers “is very low,” the hotel giant is willing to foot the bill in cases it deems necessary.

“We are setting up a process to work with our guests who believe that they have experienced fraud as a result of their passports being involved in this incident,” Kim said. “If, through that process, we determine that fraud has taken place, then the company will reimburse guests for the costs associated with getting a new passport.”

Hackers accessed the reservation system of Starwood hotels — which includes the Sheraton, St. Regis and Westin brands, among others — sometime in 2014. The breach went undetected during Marriott’s acquisition of Starwood in 2016 and wasn’t discovered until early September of this year. After Marriott announced the hacking attack Friday, the hotel giant was deluged with criticism about its security practices and with questions about what it was doing to protect its customers.

New York Atty. Gen. Barbara Underwood, Maryland Atty. Gen. Brian Frosh and Pennsylvania Atty. Gen. Josh Shapiro all said their offices had opened investigations into the Marriott breach. And for many other government officials, the breach has become a rallying cry for arguing for stricter consumer privacy regulation.


“Checking in to a hotel should not mean checking out of privacy and security protections,” Sen. Ed Markey (D-Mass.), a member of the Commerce, Science and Transportation Committee, said Friday. “Preventing massive data breaches isn’t just about protecting privacy, it’s also about protecting our pocketbooks. Breaches like this can lead to identity theft and crippling financial fraud. They are a black cloud hanging over the United States’ bright economic horizon.”

Marriott has set up a website and call center to answer questions at, and it said it is emailing affected guests on a rolling basis. The company is based in Bethesda, Md., and has more than 6,700 properties around the world.

Telford writes for the Washington Post.