With Marriott recently suffering the largest data breach in history, according to the New York Times, it seems the trend of cybersecurity scandals continues to plague large corporations and their hapless PR departments. Though the original number of violated records has fallen from 500 million to 338 million due to the discovery of duplicate numbers, in terms of size this scandal surpasses Equifax’s highly publicized 2017 breach, in which the consumer credit-reporting agency lost the driver’s license and Social Security numbers of roughly 145.5 million Americans.
The most recent development in this story, however, is Marriott’s concession that they indeed had failed to encrypt and thus protect 5.25 million of the passport numbers kept in their Starwood data system, meaning that anyone with access to the hotel’s reservation system could simply read off any unencrypted passport number.
An additional 20.3 million passport numbers were kept in encrypted files, meaning they were safe from anyone who did not possess the master encryption key. It is not clear, however, why some passport numbers were protected by encryption and others left vulnerable.
“There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers,” Marriott said in a statement.
In 2017, the Times reported that the attack could be traced to Chinese intelligence agencies, who hacked American health insurers and the Office of Personnel Management back in 2014 as part of a large-scale Chinese intelligence-gathering effort. The United States has not formally accused China of any such crimes.
The Chinese government has denied this allegation. “China firmly opposes all forms of cyberattack and cracks down on it in accordance with the law,” explained Geng Shuang, a spokesman for its Ministry of Foreign Affairs “If offered evidence, the relevant Chinese departments will carry out investigations according to the law.”
Whether China is to blame or not, the scandal has certainly highlighted holes in hotel companies’ check-in processes and how they handle sensitive data. Connie Kim, a company spokeswoman, assured that the company is prioritizing effective recourse methods: “We are looking into our ability to move to universal encryption of passport numbers and will be working with our systems vendors to better understand their capabilities, as well as reviewing applicable national and local regulations.”
Passport numbers alone cannot be used to create fake passports, so this isn’t necessarily a dire situation for those whose information could have been stolen. Marriott, however, has offered to pay for a new passport for anyone whose information was stolen and used in a fraud.