Copyright Daily Journal Corporation.

Administrative/Regulatory, Corporate, Government

Dec. 19, 2018

Marriott bought a hotel... and a massive data breach

When Marriott International purchased Starwood in 2016, it became the world’s largest hotel chain. Unbeknownst to Marriott, it was also buying one of the world’s largest global data breaches.

Anita Taff-Rice

Founder, iCommLaw

Technology and telecommunications

1547 Palos Verdes Mall # 298
Walnut Creek , CA 94597-2228

Phone: (415) 699-7885

Email: anita@icommlaw.com

iCommLaw® is a Bay Area firm specializing in technology, telecommunications and cybersecurity matters.

CYBERSLEUTH

When Marriott International purchased Starwood in 2016, it became the world's largest hotel chain. Unbeknownst to Marriott, it was also buying one of the world's largest global data breaches. In late November, Marriott announced it had uncovered a massive and ongoing data hack that had been lurking in the Starwood guest reservation system since 2014.

While data breaches exposing millions of consumers' personal information have become numbingly routine, the Marriott breach is exceptional for its size and global reach. It dwarfs the Equifax breach announced earlier this year, which exposed personal data, including Social Security numbers, for 145 million people in the United States. The Marriott hack exposed personal data for half a billion customers in almost every corner of the globe. Chances are many readers have already received the email informing them that their data was breached: Marriott has more than 6,700 properties across 130 countries and territories, with more than 1 million hotel rooms. One in every 17 hotel rooms in the world is part of the Marriott brand, according to STR Global, an international data analytics firm.

The data exposed in the Marriott breach included "routine" personal data such as names, addresses, phone numbers and email addresses, along with more sensitive data such as credit card information. In addition, as many as 327 million travelers had their passport numbers stolen. This last category sets the Marriott breach apart. It is relatively easy to get a new credit card number issued, and financial liability for credit card fraud is limited to $50 in the U.S. thanks to the Fair Credit Billing Act, 15 U.S.C. Section 1666. Passport numbers are a different matter.

Passports issued in the United States are good for 10 years, so the window for misuse of stolen passport numbers is much longer and broader. Having access to a passport number opens the potential for hackers to commit crimes in the person's name in other countries, where detection will be harder. Criminals could also use the passport number to create a fake passport, enabling them to impersonate a U.S. citizen, or sell it to others. A passport can be used as a second form of identification for opening credit card or other financial accounts.

Hacked passport numbers also give cyber criminals the ability to track a traveler's global movements for the life of the passport using an online tool on the U.S. Department of Homeland Security's website. The tool, which is publicly available, allows anyone to view a person's travel history by entering only the traveler's name, birthday, country of issuance and passport number, all of which were part of Marriott's data breach. While this is disturbing enough from a privacy perspective, it could be even more problematic for attorneys, whose travel patterns could give insight into sensitive client matters. For example, visits to multiple cities in a short time frame might reveal a corporate acquisition or merger during the due diligence phase.

Marriott has not commented on why Starwood collected passport numbers through the reservation system. There are some European countries that require hotels to verify the identity of tourists, but that could obviously be done at the time of check-in rather than during the reservation. Given that Starwood maintained travelers' sensitive data for years, it seems likely that it required passport numbers for marketing purposes rather than fulfilling a legal requirement.

Now that the passport data has been revealed, there is little a traveler can do other than apply for a new passport number, which costs $110. Once the new passport is issued, the old number is no longer valid, so any visas associated with the old number will have to be replaced as well, adding to the cost. Marriott announced that it may reimburse travelers for the replacement cost of passports but only if there is clear evidence that the passport number is being used for fraudulent purposes.

So far, according to news reports, the massive data cache does not appear to have surfaced on the dark web. That shouldn't be reassuring, however, because cybersecurity experts speculate that the absence of the data on the dark web suggests a state actor is behind the Marriott hack, and they say the techniques and tools used point to China.

The bigger question is why Starwood, and then Marriott, kept highly personal data of travelers for four years, and why the breach wasn't caught sooner. Also, why did it take Marriott two months to notify customers that the breach had occurred? Marriott has admitted publicly that it first detected the breach in early September, but it wasn't publicly disclosed until late November.

As many as 40 class action lawsuits have been filed, but they largely rely on traditional causes of action such as negligence rather than privacy or data breach laws. One of the first, filed by OlsenDaines in Oregon state court in Multnomah County, colorfully argues that Marriott's data breach was a bigger concern for hotel guests than traditional worries such as bed bugs. David Johnson, Chris Harris, et al. v. Marriott Int'l, Inc., Case No. 18-CV-54883 (Nov. 30, 2018). The complaint alleges that Marriott's negligence created multiple harms, including unauthorized credit card charges, identity theft, increased spam, and independent third-party credit repair and monitoring costs.

Another class action was recently filed in the U.S. District Court for the District of Maryland on behalf of banks, credit unions and other financial institutions that may incur losses due to credit card fraud. Bank of La. v. Marriott Int'l, Inc., Case No. 18-CV-3833 (Dec. 12, 2018). The suit seeks damages for the costs of canceling or reissuing credit cards, closing checking or savings accounts, stopping payments or blocking transactions, refunding or crediting the cost of unauthorized transactions, responding to a higher volume of cardholder complaints, and increasing fraud monitoring efforts.
