In case you missed it, a few days ago it was revealed that the Starwood Preferred Guest (now owned by Marriott) reservation system was breached and the data of 500 million customers was stolen. One of the pieces of information stolen was passport numbers. Senator Charles Schumer came out and advocated that Marriott should pay the cost of replacing passports for those who are impacted. Since then Marriott has announced that it will pay for the cost of replacing a passport, but only if it can be proven that fraud has taken place.
Because of this breach, the State Department has had to issue advice to consumers recommending that they don't request a replacement if they were involved in this hack. Despite that assurance, one of the questions asked when reporting a lost or stolen passport is the previous passport number, and the NY Times has dedicated a piece to whether you should ask for a replacement. I'm of the belief that companies that suffer data breaches should be responsible for any reasonable costs involved in both protecting and restoring your identity if it is stolen. In this case Marriott is only willing to pay for passport replacements after fraud has occurred, and even then you need to go through their process, and they will still only pay out if that process determines fraud has occurred.
At the moment the costs of data breaches are being absorbed by companies other than those suffering the breach. For example, on the other side of every fraudulent transaction somebody is left paying that bill (e.g. if credit card fraud occurs, then the payment network, the card issuer or the retailer accepting the payment is liable). Having your identity stolen can be life ruining, and at this stage it's clear that large corporations such as Marriott and Equifax are not taking information security seriously and refuse to invest resources in keeping personal data safe.
Kudos to the last paragraph, which pointed out the exact problem we have. Data breaches are a great example of an "externality". Companies have little to no economic incentive to correct them. Just think of industrial pollution and how long it took before companies started investing in protecting the environment. Only when there is law AND enforcement will companies properly recognize the true cost of these breaches and take them seriously.
I always find it funny when people talk about how great the free market is and then they just forget about externalities like this.
Why do they need customers' passport numbers? Is it when you book a package?
It’s a legal requirement for hotels in some countries, data has to be given to the government.
Imagine if Schumer (who I generally agree with) had his way, and then 100 million had their numbers stolen and requested new passports. They can't afford to just drop $10 billion. That's over 4 years of income and roughly a quarter of what the company is valued at. When someone robs a bank, you don't penalize the bank, you go after the thieves. Marriott is also the victim of criminal hackers, and even worse, Marriott's system wasn't the one hacked. It was SPG's crummy security. Yes, I know when you buy a company you inherit their liabilities as well. However, I wouldn't be shocked if someone at SPG knew this pre-merger and withheld that info. Either way, breaking Marriott for a crime they didn't commit is messed up.
Interestingly Marriott is the biggest victim here. SPG got breached, not Marriott. They effectively bought a massive liability. The calls should be for prosecuting the SPG management not Marriott.
Or, you know, make info sec part of your due diligence process.
Exactly, Frank. William, I’m sure they did and that information wasn’t known yet or hidden from them.
Sorry, but at this stage there is no evidence that Marriott did do their due diligence properly when it came to info sec and SPG.
I’m not trying to be a jerk here, but there is also no direct evidence that they didn’t. What’s more likely?
Not sure what recourse Marriott has at this point. When the Yahoo breach was publicized Verizon was able to knock a few hundred million dollars off the price tag (for acquiring Yahoo).
Considering that they purchased an asset that had a major security vulnerability, I'm going to go out on a limb and suggest that even if they did do due diligence regarding info sec, it was inadequate.
The most dangerous place in the world is between Chucky Schumer and a microphone.
He didn’t seem to have much to say when the Chinese hacked OPM and got all the info of those with .gov clearance levels.
That said, why would anyone put their passport number into a hotel reservation? I just checked my Marriott profile and there isn't even a place to put my passport number.
Some countries require passport details on check in, SPG was required to collect that information.
Interesting. Any idea which countries require this? I’ve been to a couple of dozen and don’t remember showing my passport to any of them.
Can't remember specifics, sorry. I'm sure there is a list somewhere.
That’s very common in various places in the world. Some (ex: Uzbekistan) go even beyond just having accommodation providers collect the data and technically require you to show registrations from every night you stayed in the country.
I believe Kenyan hotels do.
"You Will Be OK"™ – Arne Lying Sorenson
This is CLASSIC Schumer playbook here.
Once fraud has occurred, the new passport expense is possibly the lowest of your expenses. It just goes to show how Marriott must have thought of security when they acquired SPG: let a breach occur and then we'll fix the security hole. Unless the penalties are severe enough to dent the stock price, companies will continue to act this way.
Not until the party of business lets business know this has gone too far, and the people who vote like lemmings for the party of business and rich people actually use their heads while voting, will anything actually be done.
Did you mean restoring (in bold)? (not resorting)
Sure did, thanks!